Set up new company computers on intune to be restricted to work purposes only

Hicham Zaid 20 Reputation points
2024-07-05T17:28:15.4633333+00:00

Hello,

I purchased new laptops running windows 11 pro for the company. I'd like to set up these computers to be restricted to work purposes only. Restrictions such as software or app installations, personal emails, usb and external storage devices, certain websites including social media, entertainment, and other non-work-related sites, etc. I'd like to also safeguard data on the computer, have automatic updates to be enforced, monitoring and logging, etc. Currently I have microsoft 365 business standard licenses for everyone including me. I know intune requires premium licenses, I'm wondering if only I should upgrade to premium or should I also upgrade the other users. I only have 4 computers for the moment that have to be set up and later on will be scaled up to a maximum of 12 computers. It is just a small business. The computers are owned by the business, so there will be no setup on the users' personal devices. I was reading about windows autopilot and also some security baselines which make it easier to set up the computer with preconfigured security settings. Please guide me to set up the computers properly, I appreciate the help! Thank you so much!

Best regards,

Hicham Zaid

Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
371 questions
Microsoft Intune Configuration
Microsoft Intune Configuration
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Configuration: The process of arranging or setting up computer systems, hardware, or software.
1,787 questions
Microsoft Intune Application management
Microsoft Intune Application management
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Application management: The process of creating, configuring, managing, and monitoring applications.
909 questions
Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
1,307 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,671 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Karelpelck 75 Reputation points
    2024-07-05T20:14:11.32+00:00

    If you want to cover all the checkboxes of what you described here, you will need more than just business premium. I suggest you start with M365 BP and cover the basics and continue from there.

    1. Identity with conditional access: Make sure your users use Multi factor authentications
    2. Manage your devices with Microsoft Intune.
    3. Cover unmanaged devices:
      1. Implement MAM for Android and iOS or block altogether and use MDM instead.
      2. Block what you already can on unmanaged windows devices with Conditional Access.
    4. Implement Defender for Office 365 to help protect your users against malware and phishing.
    5. Implement DLP to prevent unwanted sharing outside your organisation.

    If you want to do more you will need to upgrade to Microsoft 365 E5.

    0 comments
  2. ZhoumingDuan-MSFT 10,730 Reputation points Microsoft Vendor
    2024-07-08T02:53:42.9533333+00:00

    @Hicham Zaid,Thanks for posting in Q&A.

    1.To restrict app installation, we can deploy device using Windows Autopilot as a standard user, so that users cannot install apps.

    https://video2.skills-academy.com/en-us/autopilot/add-devices

    2.As for restricting USB and external storage devices, we can Restrict USB devices using Administrative Templates in Microsoft Intune.

    https://video2.skills-academy.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb

    3.For the licenses, it is suggested that you upgrade to premium for yourself, because a licensed user can manage 15 devices, but if other users also want to manage devices with Intune, you should also upgrade to premium for them.

    https://video2.skills-academy.com/en-us/mem/intune/fundamentals/licenses#microsoft-intune

    4.For protecting data, you can use WIP to protect your data.

    https://video2.skills-academy.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure

    5.For automatically updates windows, you can create an update rings policy and deploy it to devices.

    https://video2.skills-academy.com/en-us/mem/intune/protect/windows-10-update-rings

    6.For blocking certain websites via Intune, you can onboard device on Defender for Endpoint which provide web content filtering, or we can create a Microsoft Edge policy to restrict some certain websites using settings catalog under Device configuration.

    https://video2.skills-academy.com/en-us/defender-endpoint/web-content-filtering#errors-and-issues

    https://video2.skills-academy.com/en-us/deployedge/microsoft-edge-policies#urlallowlist

    Hope above information can be helpful.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments