Tell me about Configuring Microsoft Intune

Microsoft Intune is a cloud-based endpoint management solution that manages mobile devices and applications.

 

 

How do I know the device is enrolled with MS Intune?

Once you enroll the device with Intune and the remote device is connected to the Qualys platform, the Qualys Scanner/Agent reads the enrollment status and type from the registry keys to verify that the device is enrolled with MS Intune. Refer to the Enrollment guide to enroll Windows devices in Microsoft Intune.

How do I know which control can be configured in multiple ways?

In Microsoft Intune, settings are applied to devices via device profiles, which are then added to configuration profiles. 

Tell me about the decision of precedence between GPO and Intune settings

We check the MDMWinsOverGP value and, based on it, decide the precedence between Group Policy Objects (GPO) and Intune settings. For Policy CSPs, MDMWinsOverGP is checked for precedence; for other CSPs, GPO takes precedence by default if the setting is set via GPO, Intune, or both. For more information, refer to Microsoft Docs.

Tell me about the use of MDMWinsOverGP

Group Policy Objects (GPO) have the highest priority in conflicts over policies from other sources. However, starting with Windows 10 and subsequent builds, Microsoft has introduced a custom policy in Intune. This policy enables us to designate that Mobile Device Management (MDM) policies take precedence over GPO in conflict scenarios. The impact of MDMWinsOverGP is specific to policies within the Policy CSP, ensuring that MDM policies are prioritized over Group Policies where relevant.

As we provide Intune's functionality within the current Windows controls, we assess the priority by examining MDMWinsOverGP. Subsequently, we report the configured setting (whether Intune or GPO) as the actual value and provide comprehensive details of both Intune and GPO settings in the Extended evidence.
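To see on a Windows device the same inputs described above (enrollment status and type, and MDMWinsOverGP), the following added example reads them from the registry; it is not Qualys code. The registry paths and the `MS DM Server` provider name are the standard Windows MDM locations, and that the Scanner/Agent reads exactly these keys is an assumption; the function names are hypothetical.

```powershell
# Added example, not Qualys code. Paths are the standard Windows MDM registry
# locations; that the scanner inspects exactly these keys is an assumption.
$EnrollmentsRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
$ConflictKey     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'

function Get-MdmEnrollment {
    # Each enrollment is a GUID-named subkey. Housekeeping subkeys that
    # carry no ProviderID value are skipped.
    Get-ChildItem -Path $EnrollmentsRoot -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p -and $p.PSObject.Properties['ProviderID']) {
                [pscustomobject]@{
                    EnrollmentId    = $_.PSChildName
                    ProviderID      = $p.ProviderID
                    EnrollmentState = $p.EnrollmentState
                    EnrollmentType  = $p.EnrollmentType
                }
            }
        }
}

function Get-PolicyCspPrecedence {
    # MDMWinsOverGP = 1: MDM wins conflicts for Policy CSP settings.
    # Missing key, missing value, or 0: Group Policy keeps priority.
    $value = $null
    if (Test-Path -Path $ConflictKey) {
        $value = (Get-ItemProperty -Path $ConflictKey -Name 'MDMWinsOverGP' `
                  -ErrorAction SilentlyContinue).MDMWinsOverGP
    }
    [pscustomobject]@{
        MDMWinsOverGP   = $value
        # Winner only matters when both sources configure the same setting.
        PolicyCspWinner = if ($value -eq 1) { 'MDM - Policy CSP' } else { 'Group Policy' }
        OtherCspWinner  = 'Group Policy'   # GPO wins by default outside the Policy CSP
    }
}

# Intune enrollments carry the provider name "MS DM Server".
$intune = Get-MdmEnrollment | Where-Object ProviderID -eq 'MS DM Server'
if ($intune) {
    $intune | Format-List
} else {
    'No Intune (MS DM Server) enrollment found under the Enrollments key.'
}
Get-PolicyCspPrecedence | Format-List
```

Run it in an elevated PowerShell session on the device and compare the winner it reports with the Source shown in the Control Evidence for a Policy CSP control.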

How do I know the setting is configured from Intune or GPO?

The Control Evidence in the PC report displays the Source, which indicates whether the current setting is from Intune or GPO. If you have configured the setting via Intune, it is labelled as MDM - Policy CSP or MDM - Policy CSP (As ProviderSet is found). For settings configured through GPO, it is shown as "Group Policy."