ILTA WHITE PAPER | TECH SOLUTIONS
managed corporate image. With the introduction
of Windows Autopilot, imaging is replaced with
provisioning, where a clean Windows 10 image is
onboarded to the management environment and
configured on demand to meet the needs of the
end user. In many cases this can be a user-driven
process similar to that of provisioning a corporate
smartphone, and for special cases a "White Glove"
process can be employed by IT to handle the bulk
of the provisioning prior to end user delivery.
Onboarding with Autopilot does not preclude
continuing to use ConfigMgr, not only for ongoing
management but also for completion of the
provisioning process. Intune can deliver the
ConfigMgr client to bring the system to a state of
Co-Management and can even be configured to run a
specified Task Sequence as part of the onboarding
process.
Configuring Windows
Once a machine has been onboarded, it can be
configured to bring it in line with corporate
standards. In building the Windows 10 platform,
Microsoft integrated the Mobile Device Management
(MDM) client directly into the operating system.
This enables management of common system
settings directly from an MDM platform without
the need for an additional agent. Group Policy
has been around since Windows 2000, and in
building out the MDM side Microsoft did not seek
full parity but rather focused on the most common
and necessary settings. From a management
perspective, the result is a set of policy options
in Intune that allow for configuration of most
required settings in an enterprise environment via
an open interface called a Configuration Service
Provider (CSP). Device Restriction policies
allow for configuration of everything from custom
Start Menu layouts and Edge browser settings to
disabling device hardware like cameras. Endpoint
Protection policies allow for managing the various
Windows Defender security features (such as
Credential Guard or the Windows Firewall) as well
as configuring and enforcing BitLocker
encryption. Microsoft also included an
Administrative Templates policy type, which
provides scores of Group Policy-style settings for
Windows as well as Office, and for any settings not
directly available in a pre-packaged policy, a
Custom Policy can be created with the CSP setting
information. For example, on machines that are
Hybrid Azure AD Joined, a simple custom policy
option can be created to toggle between Group
Policy and MDM policy when a conflict is present.
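The toggle described above corresponds to the ControlPolicyConflict/MDMWinsOverGP setting in Microsoft's Policy CSP. The PowerShell below is an added example, not code from the white paper: it builds the Microsoft Graph request body for an Intune custom (OMA-URI) profile carrying that setting, and reads back what the built-in MDM client recorded on a device. The profile display name, the function names and the registry location used for the check are assumptions of this example.

```powershell
# Added example (not from the white paper). OMA-URI of the Policy CSP setting.
$OmaUri = './Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP'

function New-MdmWinsOverGpProfile {
    # Builds the Graph body for an Intune custom profile (hypothetical helper).
    param([ValidateSet(0, 1)][int]$Value = 1)   # 1 = MDM policy wins, 0 = default
    $body = [ordered]@{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = 'Example - MDM wins over Group Policy'   # placeholder name
        omaSettings   = @(
            [ordered]@{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'MDMWinsOverGP'
                omaUri        = $OmaUri
                value         = $Value
            }
        )
    }
    $body | ConvertTo-Json -Depth 5
}

function Get-MdmWinsOverGpState {
    # Reads the value stored by the MDM client on this device.
    # Assumption: Policy CSP results are kept under PolicyManager\current\device.
    $key  = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    $prop = Get-ItemProperty -Path $key -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue
    if ($null -eq $prop)            { return 'NotConfigured: default conflict handling' }
    if ($prop.MDMWinsOverGP -eq 1)  { return 'Configured: MDM policy wins on conflict' }
    return 'Configured: default conflict handling (value 0)'
}

# Review the payload before sending it to Graph
# (POST to /deviceManagement/deviceConfigurations with an authenticated session).
New-MdmWinsOverGpProfile -Value 1

# On a Hybrid Azure AD Joined device, confirm which side wins a conflict.
Get-MdmWinsOverGpState
```

The setting only arbitrates conflicts for settings delivered through the Policy CSP, so the device check is worth running after assignment to confirm that security baselines set by Group Policy are not being overridden unintentionally.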
A Windows desktop is only modestly useful
without the applications end users need to do their
jobs. ConfigMgr has provided robust and dynamic
application deployment capabilities for many years,