Tell me about Configuring Microsoft Intune
Microsoft Intune is a cloud-based endpoint management solution that manages mobile devices and applications.
How do I know the device is enrolled with MS Intune?
Once you enroll the device with Intune, and the remote device is connected to the Qualys platform, the Qualys Scanner/Agent reads the enrollment state and enrollment type from the registry keys to verify whether the device is enrolled with MS Intune. Refer to the Enrollment guide to enroll Windows devices in Microsoft Intune.
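The following PowerShell snippet is an added example, not Qualys or Microsoft code, showing the kind of registry check described above: it lists the MDM enrollments recorded on the device and flags the one that belongs to Intune. It assumes (this is not stated on the page) that each enrollment lives in a GUID-named subkey under HKLM:\SOFTWARE\Microsoft\Enrollments holding EnrollmentState, EnrollmentType and ProviderID values, and that the Intune provider reports itself as "MS DM Server".

```powershell
# Added example (not Qualys or Microsoft code): enumerate MDM enrollments and
# report which one is an active Intune enrollment.
# Assumptions: GUID-named subkeys under $base carry EnrollmentState (1 = enrolled),
# EnrollmentType and ProviderID; 'MS DM Server' is treated as the Intune provider.
$base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'

function Get-MdmEnrollment {
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9a-fA-F-]{36}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Enrollment      = $_.PSChildName
                ProviderID      = $p.ProviderID
                EnrollmentState = $p.EnrollmentState
                EnrollmentType  = $p.EnrollmentType
                # Only an enrolled (state 1) Intune provider counts as "enrolled with Intune"
                IsIntune        = ($p.ProviderID -eq 'MS DM Server' -and $p.EnrollmentState -eq 1)
            }
        }
}

$enrollments = Get-MdmEnrollment
$enrollments | Format-Table -AutoSize

if ($enrollments | Where-Object IsIntune) {
    Write-Output 'Device is enrolled with Microsoft Intune.'
} else {
    Write-Output 'No active Intune enrollment found in the registry.'
}
```

Run it in an elevated PowerShell session on the endpoint. As a cross-check, `dsregcmd /status` prints the MDM URL of the active enrollment in its Device State section; an empty MdmUrl alongside an empty table above is a strong sign the device is not enrolled.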
How do I know which control can be configured in multiple ways?
In Microsoft Intune, settings are applied to devices via device profiles, which are then added to configuration profiles.
- You can create profiles and policies via the device configuration profile. There are several options when creating policies:
  - Administrative templates
  - Baselines
  - Templates
  - Settings Catalog
- You can create profiles with custom settings in Intune. Custom settings are configured via Open Mobile Alliance Uniform Resource Identifier (OMA-URI) values.
Note: We provide a single complex control that accounts for the different configuration methods in remediation and carries the registry-key detection logic for each method within the control.
Example: MS Intune provides several methods to configure attack surface reduction capabilities, through:
- OMA-URI
- Endpoint security policies
- Settings Catalog (Defender)
- Settings Catalog (Admin template)
- Administrative Template
Tell me about the decision of precedence between GPO and Intune Setting
We check the MDMWinsOverGP value, and based on it the decision is made on precedence between Group Policy Objects (GPO) and Intune settings. For Policy CSPs, MDMWinsOverGP is checked to decide precedence; for other CSPs, GPO takes precedence by default, whether the setting is set via GPO, Intune, or both. For more information, refer to Microsoft Docs.
Tell me about the use of MDMWinsOverGP
Group Policy Objects (GPO) have the highest priority in conflicts with policies from other sources. However, starting with Windows 10 and subsequent builds, Microsoft has introduced a custom policy in Intune. This policy lets you designate that Mobile Device Management (MDM) policies take precedence over GPO in conflict scenarios. The effect of MDMWinsOverGP is specific to policies within the Policy CSP, ensuring that MDM policies are prioritized over Group Policies where relevant.
Because we provide Intune's functionality within the current Windows controls, we assess priority by examining MDMWinsOverGP. We then report the configured setting (whether from Intune or GPO) as the actual value and provide full details of both the Intune and GPO settings in the Extended evidence.
How do I know the setting is configured from Intune or GPO?
The Control Evidence in the PC report displays the Source, which indicates whether the current setting comes from Intune or GPO. If you configured the setting via Intune, it is labelled "MDM - Policy CSP" or "MDM - Policy CSP (As ProviderSet is found)". For settings configured through GPO, it is shown as "Group Policy".
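To make the precedence rule and the Source labels above concrete, here is an added PowerShell example (not Qualys or Microsoft code) that reads MDMWinsOverGP, reads one Policy CSP setting and the GPO-backed registry value for the same control, and applies the decision described in the two preceding answers. It assumes that Policy CSP values are mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting> (including ControlPolicyConflict\MDMWinsOverGP), and that the caller knows the GPO registry path for the setting; the Defender paths in the usage call are illustrative, and the example does not normalize value semantics between the CSP and GPO representations.

```powershell
# Added example (not Qualys or Microsoft code): decide whether the Intune (MDM) or
# GPO value of a setting is in effect, and label the source the way the report does.
# Assumption: Policy CSP values are mirrored under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.
function Get-EffectiveSettingSource {
    param(
        [Parameter(Mandatory)] [string] $Area,      # Policy CSP area, e.g. 'Defender'
        [Parameter(Mandatory)] [string] $Setting,   # Policy CSP setting name
        [Parameter(Mandatory)] [string] $GpoPath,   # registry key written by the GPO
        [Parameter(Mandatory)] [string] $GpoValue,  # registry value name written by the GPO
        [switch] $NotPolicyCsp                      # set for CSPs outside the Policy CSP
    )
    $pm      = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
    $mdmWins = (Get-ItemProperty "$pm\ControlPolicyConflict" -ErrorAction SilentlyContinue).MDMWinsOverGP
    $mdm     = (Get-ItemProperty "$pm\$Area" -ErrorAction SilentlyContinue).$Setting
    $gpo     = (Get-ItemProperty $GpoPath -ErrorAction SilentlyContinue).$GpoValue

    $source = if ($null -ne $gpo -and $null -ne $mdm) {
        # Both sources set: Policy CSP settings defer to MDMWinsOverGP,
        # other CSPs leave precedence with GPO.
        if (-not $NotPolicyCsp -and $mdmWins -eq 1) { 'MDM - Policy CSP' } else { 'Group Policy' }
    } elseif ($null -ne $mdm) {
        'MDM - Policy CSP'
    } elseif ($null -ne $gpo) {
        'Group Policy'
    } else {
        'Not configured'
    }

    $effective = switch ($source) {
        'MDM - Policy CSP' { $mdm }
        'Group Policy'     { $gpo }
        default            { $null }
    }

    # Mirrors the report: Source is the winner, both raw values are kept as evidence
    [pscustomobject]@{
        Setting        = "$Area/$Setting"
        MDMWinsOverGP  = $mdmWins
        IntuneValue    = $mdm
        GpoValue       = $gpo
        Source         = $source
        EffectiveValue = $effective
    }
}

# Illustrative call: Defender real-time protection as set by Policy CSP and by GPO.
Get-EffectiveSettingSource -Area 'Defender' -Setting 'AllowRealtimeMonitoring' `
    -GpoPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' `
    -GpoValue 'DisableRealtimeMonitoring'
```

Compare the Source column of the output with the Source shown in the Control Evidence: when MDMWinsOverGP is absent or 0 and both values exist, the report and this script should both name "Group Policy"; when it is 1, both should name "MDM - Policy CSP". A mismatch usually means the setting was applied through a CSP other than the Policy CSP, in which case the `-NotPolicyCsp` switch reflects the default GPO precedence the answer above describes.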