
02 - Intune

1. Enable Automatic Enrollment for Cloud PC Users

  1. Within Intune (intune.microsoft.us), head to Devices > (Device onboarding dropdown) > Enrollment

  2. Select "Automatic Enrollment"

  3. Under the 'MDM User Scope' section select "Some" and then pick the "Users - Cloud PC Licensing - Static" Entra group

  4. Change all three of the MDM URLs listed to have .us as the TLD rather than the .com that they default to

  5. Save changes

2. Enable Enrollment Restrictions to Block Personal Enrollment

  1. Back on the Devices > Enrollment page, select "Device platform restrictions"

  2. A default restriction already exists under the Device type restrictions section; open it for editing by clicking on "All Users"

  3. Go to Properties and edit the Platform Settings section

  4. Change ALL of the Personally Owned column options to Block

  5. Also change all of the Platform column options to Block EXCEPT for Windows (MDM)

  6. Set 10.0.22631 as the minimum version for Windows enrollment (this is Windows 11 23H2)

  7. Save - these restrictions help limit the personal enrollments that Intune otherwise permits by default

3. Create Intune Compliance Policy

  1. Go into Devices > Windows > Compliance

  2. Make a new compliance policy for Windows 10/11 with the following settings:

Intune Compliance Policy Settings

4. Create Intune Policies + Scripts for Usage with Cloud PCs

Configuration Profiles

  1. Go into Devices > Windows > (manage devices dropdown) > Configuration

  2. Within the Stratus Cyber CMMC GitHub Repository, go to the following path: CMMC Level 2/Intune/Intune Policies

  3. Download the .json Configuration Profiles and import them one by one into Intune. Reference the GitHub README.md within the above path for the Names and Descriptions to give each policy that you import

    NOTE: There are variables you MUST CHANGE on three of the policies. Again, reference the README.md within the GitHub Repository to ensure these variables are addressed post-import

  4. Assign each of the newly imported Configuration Profiles to the 'Devices - Cloud PCs - Dynamic' Entra ID group

  5. The Adobe Acrobat DC STIG policy is a custom OMA-URI policy; create it as a new policy of the 'Custom' type in Intune and enter the values contained in the AdobeAcrobatDCSTIG-OMA-URI.xlsx file in the GitHub Repository (there is no .json for this one)

    NOTE: cell D25 of the AdobeAcrobatDCSTIG-OMA-URI.xlsx file states to use the contents of the .admx file. The AcrobatDCContinuous.admx file is in the GitHub Repository in the same path. Download it, open it in Notepad++ or VS Code, and copy the contents into the Value field for the OMA-URI on row 25.

Platform Scripts

  1. Go into Devices > Windows > Scripts and Remediations > Platform Scripts

  2. Within the Stratus Cyber CMMC GitHub Repository, go to the following path: CMMC Level 2/Intune/Intune Scripts

  3. Read the README.md for context on which of the scripts are Platform Scripts and download each one of them

  4. Create new Platform Scripts using the Names, Descriptions and .ps1 files stated in the GitHub Repository README.md and assign them to the 'Devices - Cloud PCs - Dynamic' Entra ID group

Proactive Remediations

  1. Go into Devices > Windows > Scripts and Remediations > Remediations

  2. Remediations require Data Diagnostics and Windows License Validation to be enabled, so head into the tenant administration area as shown below and enable them:

Data Diagnostics Enablement

  3. Then head back to the previous Remediations page to create Remediations

  4. Download the two Proactive Remediation .ps1 files within the Stratus Cyber CMMC GitHub Repository under the following path: CMMC Level 2/Intune/Intune Scripts

  5. Create a new Remediation with the name and description contained in the GitHub README.md in the path above

  6. Use the following settings, uploading the Detection and Remediation scripts you downloaded from the GitHub Repository:

Proactive Remediation Script Settings

  7. On the Assignments page, assign it to the 'Devices - Cloud PCs - Dynamic' group, then edit the Schedule to 'Hourly' with a repeat interval of every 6 hours:

Proactive Remediation Schedule

  8. Save the Proactive Remediation script

5. Create Endpoint Security Policies

Antivirus Policy

  1. Go into Endpoint Security > Antivirus > Create new policy

  2. Give the policy the following settings contained in this screenshot:

Antivirus Policy Settings

Firewall Policy

  1. Go into Endpoint Security > Firewall > Create new policy

  2. Give the policy the following settings contained in this screenshot:

Firewall Policy Settings

Attack Surface Reduction Policy

  1. Go into Endpoint Security > Attack surface reduction > Create new ASR Rules Policy

  2. Give the policy the following settings contained in this screenshot:

Attack Surface Reduction Policy Settings

App Control for Business Policy

  1. Go to Endpoint Security > App Control for Business > Create new App Control Policy

  2. Configure it with an XML file, using the one in the Stratus Cyber CMMC GitHub Repository at the path CMMC Level 2/Intune/Intune Policies:

    • File name: AppControlBusinessXML.xml

  3. Switch to the 'Managed Installer' tab at the top of the page:

Managed Installer Tab

  4. Add a new Managed Installer Policy:

Managed Installer Policy - Part 1

Managed Installer Policy - Part 2

  5. Assign it to the 'Devices - Cloud PCs - Dynamic' group and save

6. Create Windows Update Ring Policy

  1. Go into Devices > Windows > Windows Updates > Update Rings

  2. Create an update ring policy with the following settings:

    • Name: Windows Update Ring - Production
    • Description: Manages Windows Updates for production Cloud PCs
    • Servicing channel: Semi-Annual Channel
    • Feature update deferral period: 30 days
    • Quality update deferral period: 7 days
    • Automatic update behavior: Auto install and restart at maintenance time
    • Automatic behavior frequency: Every week
    • Maintenance window start time: 2:00 AM
    • Maintenance window end time: 6:00 AM
    • Restart checks: Only restart outside of active hours
    • Active hours start: 8:00 AM
    • Active hours end: 6:00 PM

  3. Assignments: Devices - Cloud PCs - Dynamic

  4. Save the policy
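The Remediations procedure in section 4 and the update ring values in section 6 can be tied together in a detection script that confirms the ring actually landed on each Cloud PC. The following is an added example, not one of the scripts in the Stratus Cyber repository; it assumes the Update CSP mirrors the applied ring settings into the PolicyManager registry hive under the value names used here, and it is meant to be uploaded as the Detection script of a Remediation with no Remediation script, since MDM policy is corrected from the tenant rather than from the device.

```powershell
# Detection script for an Intune Remediation (added example, not from the
# Stratus Cyber repository). Verifies that the deferral and active-hours
# values from the "Windows Update Ring - Production" policy have been
# applied on the Cloud PC. Remediations treat exit code 0 as "compliant"
# and exit code 1 as "non-compliant"; stdout is shown in the Intune console
# as the detection output.
#
# Assumption: the Update CSP mirrors the applied ring into the PolicyManager
# hive at the path below, using these value names.
$ErrorActionPreference = 'Stop'

# Expected values, taken from the update ring settings in section 6.
$Expected = @{
    DeferFeatureUpdatesPeriodInDays = 30
    DeferQualityUpdatesPeriodInDays = 7
    ActiveHoursStart                = 8    # 8:00 AM
    ActiveHoursEnd                  = 18   # 6:00 PM
}

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'

# Returns a list of mismatches; an empty list means the ring is applied.
function Test-UpdateRingApplied {
    param([hashtable]$Want, [string]$Path)

    if (-not (Test-Path $Path)) {
        return @("Update policy key missing: $Path")
    }
    $Actual   = Get-ItemProperty -Path $Path
    $Problems = @()
    foreach ($Name in $Want.Keys) {
        $Prop = $Actual.PSObject.Properties[$Name]
        if ($null -eq $Prop) {
            $Problems += "$Name not set (expected $($Want[$Name]))"
        } elseif ([int]$Prop.Value -ne $Want[$Name]) {
            $Problems += "$Name is $($Prop.Value) (expected $($Want[$Name]))"
        }
    }
    return $Problems
}

$Findings = Test-UpdateRingApplied -Want $Expected -Path $PolicyPath
if ($Findings.Count -eq 0) {
    Write-Output 'Update ring settings applied as expected'
    exit 0
}
Write-Output ($Findings -join '; ')
exit 1
```

Devices reported as non-compliant by this check have not received the ring; review their assignment to 'Devices - Cloud PCs - Dynamic' and their last sync time in Intune.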

7. Add Intune Applications

Adobe Acrobat Reader DC

  1. Add Win32 App

  2. Upload the latest .intunewin package from the GitHub Repository

    • Path: CMMC Level 2/Intune/Intune Applications
    • The GitHub Repository README.md within this path will display the CURRENT version to use

  3. Assign to the 'Devices - Cloud PCs - Dynamic' group

Huntress Agent

  1. Add Custom Win32 Application

  2. Upload the latest .intunewin package from the GitHub Repository in the previously mentioned path and follow the guide here provided by Huntress:

  3. Assign it to the 'Devices - Cloud PCs - Dynamic' group