Guided scenario - Cloud-managed Modern Desktop
The modern desktop is the state-of-the-art productivity platform for the Information Worker. Microsoft 365 Apps and Windows 10 are the core components of the modern desktop along with the latest security baselines for Windows 10 and Microsoft Defender Advanced Threat Protection.
Managing the modern desktop from the cloud brings the added benefit of internet-wide remote actions. Cloud-management utilizes the in-built Windows Mobile Device Management policies and removes dependencies on local Active Directory group policy.
If you want to evaluate a cloud-managed modern desktop in your own organization, this guided scenario predefines all the necessary configurations for a basic deployment. In this guided scenario, you will create a secure environment where you can try out Intune device management capabilities.
- Set the MDM authority to Intune - The mobile device management (MDM) authority setting determines how you manage your devices. As an IT admin, you must set an MDM authority before users can enroll devices for management.
- M365 E3 minimum (or M365 E5 for best security)
- Windows 10 1903 device (registered with Windows Autopilot for best end-user experience)
- Intune administrator permissions required to complete this guided scenario:
- Device configuration Read, Create, Delete, Assign and Update
- Enrollment Programs Read device, Read profile, Create profile, Assign profile, Delete profile
- Mobile apps Read, Create, Delete, Assign and Update
- Organization Read and Update
- Security Baselines Read, Create, Delete, Assign and Update
- Policy Sets Read, Create, Delete, Assign and Update
Step 1 - Introduction
Using this guided scenario, you'll set up a test user, enroll a device in Intune, and deploy the device with Intune-recommended settings, as well as Windows 10 and Microsoft 365 Apps. Your device will also be configured for Microsoft Defender Advanced Threat Protection, if you choose to enable this protection in Intune. The user you set up and the device that you enroll will be added to a new security groups and will be configured with the recommended settings for security and productivity.
What you will need to continue
You must supply your test device and test user in this guided scenario. Make sure you complete the following tasks:
- Set up a test user account in Azure Active Directory.
- Create a test device running Windows 10, version 1903 or later.
- (Optional) Register the test device with Windows Autopilot.
- (Optional) Enable branding to your organization's Azure Active Directory sign-in page.
Step 2 - User
Choose a user to set up on the device. This person will be the primary user of the device.
If you want to add more users or devices to this configuration, simply add the users and devices to the AAD security groups generated by the wizard. Unlike other Guided Scenarios, you don't need to run the wizard more than once since the configuration is not customizable. Just add more users and devices to the AAD groups created. After completing the wizard you will be able to view the group generated with the recommended polices deployed.
Step 3 - Device
Make sure your device is running Windows 10, version 1903 or later. The primary user will need to set up the device when they receive it. There are two setup options available to the user.
Option A – Windows Autopilot
Windows Autopilot automates the configuration of new devices so that users can set up them up out of box, without IT assistance. If your device is already registered with Windows Autopilot, select it by its serial number. For more information about using Windows Autopilot, see Register device with Windows Auto pilot (Optional).
Option B – Manual device enrollment
Users will manually set up and enroll their new devices in mobile device management. After you complete this scenario, reset the device and give the primary user the enrollment instructions for Windows devices. For more information, see Join a Windows 10 device to Azure AD during the first-run experience.
Step 4 - Review + create
The final step allows you to review a summary of the settings you configured. Once you have reviewed your choices click Deploy to complete the guided scenario. Once the guided scenario is complete, a table of resources is displayed. You can edit these resources later, however once you leave the summary view, the table will not be saved.
Once the guided scenario is complete it will display a summary. You can modify the resources listed in the summary later, however the table displaying these resources will not be saved.
- Verify that the selected is assigned MDM user scope
- Ensure MDM User scope is:
- Set to All for the Microsoft Intune app or,
- Set to Some. Also, add the user group created by this guided scenario.
- Ensure MDM User scope is:
- Verify that the selected user is able to join devices to Azure Active Directory.
- Ensure AAD join is:
- Set to All or,
- Set to Some. Also add the user group created by this guided scenario.
- Ensure AAD join is:
- Follow the appropriate steps on the device to join it to Azure AD based on the following:
- With Autopilot. For more information, see Windows Autopilot user-driven mode.
- Without Autopilot: For more information, see Join a Windows 10 device to Azure AD during the first-run experience.
What happens when I click Deploy?
The user and device will be added to new security groups. They'll also be configured with Intune-recommended settings for security and productivity at work or school. After the user joins the device to Azure AD, additional apps and settings will be added to the device. To learn more about these additional configurations, see Quickstart: Enroll your Windows 10 device.
Register device with Windows Autopilot (Optional)
You can optionally choose to use a registered Autopilot device. For Autopilot, this guided scenario will assign an Autopilot deployment profile and enrollment status page profile. The Autopilot deployment profile will be configured as follows:
- User-driven mode – i.e. require the end user to enter username and password during Windows setup.
- Azure AD join.
- Customize Windows setup:
- Hide the Microsoft Software licensing terms screen
- Hide Privacy settings
- Create the user's local profile without local admin privileges
- Hide the Change Account options on the corporate sign-in page
The Enrollment status page will be configured to be enabled only for Autopilot devices and will not block waiting for all apps to be installed.
The guided scenario will also assign the user to the selected Autopilot device for a personalized setup experience.
Once the user joins the device to Azure Active Directory, the following configurations will be applied to the device:
- Microsoft 365 Apps will be automatically installed on the Cloud-managed PC. It includes the applications that you're familiar with, including Access, Excel, OneNote, Outlook, PowerPoint, Publisher, Skype for Business, and Word. You can use these applications to connect with Office 365 services such as SharePoint Online, Exchange Online, and Skype for Business Online. Microsoft 365 Apps is updated regularly with new features, unlike non-subscription versions of Office. For a list of new features, see What's new in Office 365.
- Windows security baselines will be installed on the Cloud-managed PC. If you have setup Microsoft Defender Advanced Threat Protection, the guided scenario will also configure baseline settings for Defender. Defender Advanced Threat Protection provides a new post-breach layer of protection to the Windows 10 security stack. With a combination of client technology built into Windows 10 and a robust cloud service, it will help detect threats that have made it past other defenses.