This is an updated post, here you will find information about:

  • Endpoint Management design (legacy vs. modern)
  • Reasons for Hybrid or Cloud-only
  • Configuration challenges and approaches
  • Security aspects

This post is intended to give an engineering overview on the journey to Modern Endpoint Management with Microsoft Intune. I want to share my technical experience when we talk about these topics.

Depending on your experience or role, it might be useful to check out one of my other posts about endpoint management:

Hybrid or Cloud-only?

These are common questions that come up in a discussion about hybrid or cloud-only. The italic sentences are a common modern/cloud-only attempt.

  • Deployment/Imaging
    • Does the image need to be customized or can we use the pre-installed of the IHV? Mostly, the pre-installed OS can be used during the Autopilot process, as critical updates wil be installed directly..
    • How are the clients deployed? For corporate owned devices, register the device hashes in your tenant and deploy the devices through Intune/Autopilot.
  • Management and network dependency
    • Where and how can the clients be managed?
    • How much effort can you put into operations? (especially updating)
    • How dependent are you on the network for line-of-sight to domain hosting workloads? Workloads move to the cloud, although line of business (LOB) apps may still exist and need to be available externally. Consider Azure AD Application Proxy
    • Is the network your main security perimeter? In the modern world, identity is the main security perimeter.
  • Greenfield approach, how fast can you go?
    • What is your OS and apps updating strategy?
    • Where are the bottlenecks of a fast deployment of updates in your environment?
    • Do the end-users and the IT cope with the "new" schedule?
  • Security
    • What are your security approaches, which standards do you want to stay compliant to? Use the Microsoft Security baselines (described below). Consider advanced Defender Security products.
    • How much security systems are implemented and how do they actually communicate to benefit the security posture? In my opinion: go for Microsoft security products only, the correlation and foundation on productivity products is on a very high level.

Workloads and reasons for hybrid

  • Active Directory computer object
  • Group Policy Objects (GPOs)
  • Application management
  • "Legacy" Device management like SCCM/Configuration Manager
  • Network dependency


  • The modern way
  • Mobile Device Management (MDM) with Intune
  • Autopilot deployment
  • Bring your own device (BYOD) and Mobile Application Management (MAM)
  • The backbone to all other Microsoft cloud services

Configuration management in Intune

Overview of profiles

Topic Profiles Use
Enrollment Deployment profile Define the join type (Hybrid or Azure AD only) and enrollment settings
Enrollment status pages OOBE - configure the device setup configuration progress
Configuration Configuration profiles Described below
Scripts PowerShell scripts to run on endpoints
Proactive remediation scripts PowerShell script package that detects something on and endpoint and, if necessary, runs a remediation script
Security Endpoint Security + Baselines Described below
Compliance Compliance policies Define a set of rules and settings that endpoints must meet
Updates Update rings Define Windows Update for Business rings
Targeted feature/quality updates Target a specific update

Configuration profiles

This is an excerpt of the templates offered by configuration profiles. Though, the modern attempt is to prefer settings catalog.

How to configure settings

This is your Prio 1: Build your base set of profiles that represent an absolute standard client (deployment + security baselines + default compliance + few configuration profiles + a fast updating ring) I would give you this tips:

  • Settings catalog is the recommended way for configuration profiles
  • Keep it simple! You don't need to configure anything - there is no benefit.
  • Security Baselines from Microsoft (more about it in the Security chapter)
  • Update rings usually come in the following rings:
    • First / Insider - for the IT department or DEV only
    • Fast / Pilot - use a subset of business owners to test new features
    • Broad / Company - deployment to the whole company

Configuration types

When we talk about configuration capabilities in Intune, under the hood it is mostly:

  • CSP - Configuration Service Providers are an interface to read, set, modify, or delete configuration settings on the device. All the configurations settings will dock to these CSPs.
  • OMA-URI - path to a CSP. This is especially useful, when a setting is not depicted in the settings catalog in Intune.

In the end, the most configurations are registry settings that could also be manipulated through PowerShell scripts, particularly proactive remediation.

Common technical challenges

Security aspects

Design topics

Authentication with Windows Hello for Business
Leverage WHfB to get rid of passwords on devices and rise security. View my blog post on: Windows Hello for Business - summary and a focus to the modern way

Certificate deployment with SCEP/NDES
Identity verification through certificates can be achieved with NDES and SCEP. (Read more in this dedicated blog post). Learn more from the Microsoft docs. You need to decide if you stick with your current on-premises PKI or utilize a cloud CA such as SCEPman.

Endpoint Security

Security Baselines: endpoint hardening

In Intune there are predefined Security baselines for: Windows 10 and later, Defender for Endpoint, Edge and Windows 365. These are based from the Microsoft Security Compliance toolkit where you can find more information. Best practices:

  • Implement Security baselines on all devices, which includes:
    • Antivirus - Defender AV
    • Disk encryption - Bitlocker
    • Firewall - securing network connections
    • Endpoint detection and response (EDR) - advanced security features
    • Attack surface reduction - system hardening
    • Account protection - account settings
    • Device compliance - check device state if they meet security requirements
  • Use the supplied excel spreadsheet, which lists all security settings for the corresponding OS version
  • Every adaption to a baseline must be approved by the security responsible (CISO) and must be documented and justified


Microsoft Defender Antivirus + Defender for Endpoint (EDR/XDR)

Defender Antivirus is your included base protection on any Windows system. Although the monitoring and reporting capabilities are limited in Endpoint Manager.

Endpoint and Extended detection and response is covered by Defender for Endpoint. For advanced enterprise security, this is a must. This requires E5 Security step-up licenses.

Microsoft Defender full protection stack

If you are considering Defender for Endpoint, it is imperative that you consider the entire Defender security stack to take the full holistic approach of Microsoft. This includes protecting: endpoints, apps, data and identities and correlation between this spheres. Learn about Microsoft 365 Cloud Security correlation.

Endpoint Management with Microsoft Intune
Ever wanted a full tutorial how to deal with Microsoft Autopilot Intune Technology? Well here it is!
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.