Azure Intune is a powerful tool that helps organizations protect their data and ensure compliance. It's a cloud-based solution that allows you to manage and secure all your company's devices from a single dashboard.
With Azure Intune, you can easily configure and enforce security policies across all devices, including laptops, desktops, and mobile devices. This ensures that all devices meet your company's security standards.
One of the key features of Azure Intune is its ability to remotely wipe devices that are lost or stolen, helping to prevent data breaches. This feature is especially useful for companies that have sensitive data on their devices.
Azure Intune also provides detailed reporting and analytics, allowing you to track device compliance and security posture in real time.
Identity and Access Management
Azure Intune's identity and access management features are designed to keep your corporate resources secure. This is achieved through seamless integration with Azure Active Directory (Azure AD).
Conditional access policies can be configured to grant or deny access to email based on device compliance and user identity. This ensures that only secure, managed devices can access sensitive company data.
The integration with Azure AD also allows for the creation of policies that restrict access to corporate resources based on device enrollment and security compliance. This adds an extra layer of protection to your company's data.
You can continue to use existing instances of the Identity protection and Account protection (Preview) profiles, but new instances of these profiles are no longer supported by Intune.
Identity and Access
Identity and Access is a crucial aspect of any organization's security posture. Integrating seamlessly with Azure Active Directory, Intune enhances identity and access management by enabling conditional access policies.
Conditional access policies can be configured to allow only devices that are enrolled in Intune and compliant with security policies to access email, ensuring that only secure, managed devices can access sensitive company data.
Intune's identity protection features have been consolidated into a single new profile named Account protection, which includes Windows Hello for Business settings for both users and devices, and settings for Windows Credential Guard.
The new Account protection profile is found in the account protection policy node of endpoint security and is the only profile template available when creating new policy instances for identity protection.
Here are the profile templates that are no longer supported:
- Identity protection – previously available from Devices > Configuration > Create > New Policy > Windows 10 and later > Templates > Identity Protection
- Account protection (Preview) – previously available from Endpoint Security > Account protection > Windows 10 and later > Account protection (Preview)
RBAC (Role-Based Access Control) changes have been made to improve granular permissions for endpoint security policies. The Security baselines permission has been replaced with more specific permissions for tasks like App Control for Business, Attack surface reduction, and Endpoint detection and response.
Each new permission supports rights like Assign, Create, Delete, Read, Update, and View Reports. Custom roles with the Security baselines permission will have the same rights automatically assigned to them.
Here are some new RBAC permissions available for endpoint security workloads:
- App Control for Business
- Attack surface reduction
- Endpoint detection and response
These new permissions will replace the Security baselines permission, so it's essential to review and adjust your custom roles accordingly.
Protected IDs
Protected IDs are a crucial aspect of Identity and Access Management, and Intune has some exciting features to help you manage them. One of the key benefits is the ability to integrate with Azure Active Directory (Azure AD), which enables conditional access policies.
These policies can grant or deny access to corporate resources based on device compliance and user identity. For example, you can configure a policy to allow only devices that are enrolled in Intune and compliant with security policies to access email.
Conditional access policies can be quite specific, ensuring that only secure, managed devices can access sensitive company data.
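The policy described above (only Intune-enrolled, compliant devices may reach Exchange Online email) can be created with the Microsoft Graph PowerShell SDK, as in this added example that is not part of the original article; the break-glass group ID is a placeholder, and the Exchange Online service principal is looked up by display name so the application ID comes from your own tenant.

```powershell
# Added example (not from the original article). Creates a Conditional Access
# policy that grants access to Exchange Online only from a device that Intune
# marks compliant. Assumes the Microsoft.Graph PowerShell SDK is installed and
# the signed-in admin can consent to the two scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the Exchange Online service principal by display name instead of
# hard-coding its app ID, so the value is read from the tenant itself.
$exo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
if (-not $exo) { throw "Exchange Online service principal not found in this tenant" }

$policy = @{
    displayName = "Require compliant device for Exchange Online"
    # Start in report-only mode; switch to "enabled" after reviewing sign-in logs
    # to confirm no legitimate users are being blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Placeholder: object ID of an emergency-access (break-glass) group.
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications   = @{ includeApplications = @($exo.AppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # device must be marked compliant by Intune
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The hashtable keys mirror the Graph conditionalAccessPolicy resource, so the same body can be sent directly to POST /identity/conditionalAccess/policies if you prefer raw Graph calls over the SDK.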
Intune also offers a range of protected apps that can be easily accessed and managed through the platform. Some of the newly available protected apps include:
- Singletrack for Intune (iOS) by Singletrack
- 365Pay by 365 Retail Markets
- Island Browser for Intune (Android) by Island Technology, Inc.
- Recruitment.Exchange by Spire Innovations, Inc.
- Talent.Exchange by Spire Innovations, Inc.
- Asana: Work in one place by Asana, Inc.
- Freshservice for Intune by Freshworks, Inc.
- Kofax Power PDF Mobile by Tungsten Automation Corporation
- Remote Desktop by Microsoft Corporation
These protected apps are designed to provide an extra layer of security and management, making it easier to keep your company data safe and secure.
Data and Compliance
Data and Compliance is a top priority for any organization using Azure Intune. Intune provides comprehensive data protection features to safeguard sensitive information. This includes the ability to remotely wipe corporate data from devices.
If an employee leaves the company or a device is believed to be compromised, administrators can remotely wipe the device to remove sensitive corporate data, while leaving personal data intact. This selective wipe feature ensures data security without infringing on user privacy.
Intune's compliance reporting and analytics capabilities offer insights into the security posture and health of devices within an organization. Administrators can view reports on device compliance and detect security threats.
Data
Data is a sensitive topic, especially when it comes to protecting it from unauthorized access. Intune provides comprehensive data protection features to help organizations safeguard their sensitive information.
Encrypting data is a crucial step in data protection, and Intune makes it easy to do so. This ensures that even if a device is compromised, sensitive corporate data remains secure.
Remote wiping is a feature that allows administrators to remove sensitive corporate data from a device, while leaving personal data intact. This selective wipe feature is a game-changer for organizations that need to protect their data.
Data sharing and transfer policies can be managed through Intune, giving administrators fine-grained control over how data is shared and transferred. This helps prevent data breaches and ensures compliance with regulations.
Compliance Reporting
Compliance reporting is a crucial aspect of maintaining data security and integrity.
Intune offers compliance reporting and analytics capabilities that provide insights into the security posture and health of devices within an organization.
Administrators can view reports on device compliance, detect security threats, and assess the impact of compliance policies using Intune's built-in reports.
These reports enable administrators to quickly identify and address potential security vulnerabilities, such as outdated operating systems or missing security patches.
A new version of the Windows hardware attestation report is now available, showing the value of settings attested by Device Health Attestation and Microsoft Azure Attestation for Windows 10/11.
This report is built on a new reporting infrastructure and provides information on new settings added to Microsoft Azure Attestation.
The Windows health attestation report is available in the admin center under Reports > Device Compliance > Reports.
This reporting infrastructure is designed to help administrators monitor the compliance status of devices and address potential security issues before they become major problems.
View BitLocker Recovery Key
Viewing the BitLocker recovery key can be a lifesaver if you're locked out of your corporate machine. End users can view the BitLocker recovery key for an enrolled Windows device and the FileVault recovery key for an enrolled Mac in the Company Portal app for iOS and macOS: sign in and select Get recovery key to access the recovery key for an enrolled device. The experience is similar to the recovery process on the Company Portal website.
You can also view the BitLocker recovery key for enrolled Windows devices from the Company Portal website by signing in and selecting Show recovery key. This is a convenient option if you're not using the app.
To prevent end users from accessing BitLocker recovery keys, turn on the Microsoft Entra ID setting Restrict non-admin users from recovering the BitLocker key(s) for their owned device; with this toggle enabled, only administrators can retrieve the keys.
Here are some related tasks to help you manage your devices and security:
- Manage BitLocker policy for Windows devices with Intune
- Get recovery key for Windows
- Use FileVault disk encryption for macOS with Intune
- Get recovery key for Mac
- Manage device identities using the Microsoft Entra admin center
Catalog
The Managed Apps report now provides details about Enterprise App Catalog apps for a specific device. This report can be found in the Microsoft Intune admin center.
The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. This is a useful resource for IT administrators.
A new setting Set Copilot Hardware Key is now available in the Settings Catalog. This setting can be accessed by going to Devices > Manage devices > Configuration > Create > New policy > Windows 10 and later for platform > Settings catalog for profile type.
Enterprise App Management has been enhanced to allow you to update an Enterprise App Catalog app. This capability guides you through a wizard that allows you to add a new application and use supersedence to update the previous application.
Store for Business and Education
The Microsoft Store for Business and Education is going away. Microsoft began ending support for the Microsoft Store for Business experience in Intune in April 2023.
By April 30, 2023, Intune will disconnect Microsoft Store for Business services. This means that Microsoft Store for Business and Education apps won't be able to sync with Intune and the connector page will be removed from the Intune admin center.
On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for Business and Education apps on devices. Downloaded applications remain on the device with limited support.
The retirement of Microsoft Store for Business and Education was announced in 2021. If you're currently using Microsoft Store for Business and Education apps, you'll need to find a new way to manage them.
Here are the key dates to keep in mind:
- April 30, 2023: Microsoft Store for Business services disconnected from Intune
- June 15, 2023: Intune stops enforcing online and offline Microsoft Store for Business and Education apps
- September 15, 2023: Microsoft Store for Business and Education apps removed from the Intune admin center
To manage apps after Microsoft Store for Business and Education is retired, you can add them through the new Microsoft Store app experience in Intune.
Frequently Asked Questions
What does Intune actually do?
Intune helps organizations manage and secure their employees' mobile devices, ensuring corporate data is protected and compliant with company standards. It enforces security policies, deploys business apps, and safeguards sensitive data on managed devices.
What is the difference between Azure Portal and Intune?
Azure Portal manages cloud infrastructure, while Intune focuses on mobile device management, offering features like remote data deletion and app control. If you're interested in learning more about their unique capabilities, read on to discover how they complement each other.
What is the Intune tool used for?
Microsoft Intune is a cloud-based platform that helps manage and secure apps and devices from a single console. It empowers users to streamline device and app management for better security and productivity.
What is Azure Microsoft Intune?
Microsoft Intune is a cloud-based service that helps manage and secure endpoints, integrating with Azure AD for enhanced data access control. It's a key component of the Endpoint Manager console, offering a range of features for streamlined management.
What's the difference between Azure and Intune?
Azure Active Directory (Azure AD) focuses on identity management and authentication, while Microsoft Intune handles mobile device and application management. Together, they provide a comprehensive solution for securing and managing your company's data and devices.