Overview
What is Intune?
Microsoft Intune is a mobile device management (MDM) solution which you can use to manage Windows and Apple devices, including Windows 11 SE, wherever they are through the cloud. You can set restriction and configuration profiles, deploy applications, set compliance policies, manage device security, and much more.
Using Intune through Hwb provides seamless integration with the Hwb services on these devices, using single sign-on to automatically log into services such as OneDrive, Teams, and Microsoft 365 applications.
This provides a much better experience for the end user - not needing to remember multiple usernames and passwords, consistent device behaviour and protection, and being able to access what they need from any network, whether it be at school or at home.
For local authority and school technicians, the process of onboarding devices, configuring policies, and deploying apps, is quick and simple. Using Hwb’s cloud offerings removes the need to host and maintain expensive on-site servers and infrastructures. This saves money and time normally spent on purchasing and maintaining these servers, and associated licensing costs, which can be better allocated to teaching and learning within the schools. Being cloud based, Intune also provides resilience and the convenience of being able to manage devices from anywhere with an Internet connection.
There are two portals for accessing Intune:
Intune - https://intune.microsoft.com/
The Intune portal offers the complete set of Mobile Device Management tools, including access to Autopilot and Apple Deployment Program management. The Intune portal is recommended for use by administrators with technical knowledge and training.
Intune for Education - https://intuneeducation.portal.azure.com/
Intune for Education provides a less technical interface for school users to be able to manage their devices and deploy applications in a more friendly way. Intune for Education is recommended for use by School Hwb Administrators who only need limited functionality.
Both portals access the same Intune service, but the Intune for Education interface is simplified for ease of use. This means that advanced policies or settings configured in the Intune portal, such as enterprise Wi-Fi policies, will not be shown in Intune for Education. For this reason, we recommend only creating ‘starter’ policies in Intune for Education, or basic policies that do not require any further tweaking in Intune.
Pre-requisites
To begin using Hwb Intune, local authorities must ensure the following on behalf of their schools:
- tools and services used by learners and teaching staff can be accessed via their Hwb accounts in the cloud
  This includes ensuring all user data is hosted via the Hwb Office 365 tenancy (OneDrive, SharePoint etc.). Limited migration support is available via a request to the Hwb Service Desk.
- devices are running a supported operating system
  Currently, only Windows, iPad, and Mac devices can be managed in Intune with Hwb.
  Supported operating systems and browsers in Intune | Microsoft Learn
- users must have an A3 license – this is given to all learners and eligible staff automatically
Intune admin delegation
A role-based access control (RBAC) model is used to provide delegated admin access to Intune. This is achieved using a combination of roles and scope tags.
Roles
Intune roles govern what an admin can do in the Intune portals. A user must be given an Intune admin role to access the Intune portals and the Intune group controls in the User Management Portal.
There are 3 Intune admin roles available:
- Local Authority Intune Administrators
  These users have almost full access to all Intune settings and options but can only see and act on objects scoped to their local authority, including its schools. This role assignment can be requested via the Hwb Service Desk.
- School Intune Administrators
  These users have the same access as Local Authority Administrators but can only see and act on objects within their school. This role assignment can be given to individual school staff by their Local Authority Administrators via the User Management Portal if they wish to delegate these controls.
- School Device and App Managers
  These users have limited access for managing devices and deploying apps within their school. They cannot create or edit configuration profiles. This role assignment can be given to individual school staff by their Local Authority Administrators via the User Management Portal if they wish to delegate these controls.
Giving a user an Intune admin role adds them to a role assignment in Intune. A role assignment enables the admin to perform administrative functions, governed by the permissions set in the associated role, and specifies the groups containing the user or device objects that the admin can act on.
To assign an Intune admin role to a user:
- Log into the User Management Portal with an account that already has the Intune Admin role
- Browse to the appropriate local authority or school dashboard
- Click Manage Intune Administrator in the Administration menu
- Click Promote next to the desired account
- Select the appropriate role
Only an existing Intune admin can promote another. Local authority Intune admins can promote other local authority admins and school admins, whereas school Intune admins can only promote other school admins for the same school. If no Intune admin exists for the local authority, please raise a request with the Hwb Service Desk.
Scope tags
Each role assignment is also given one or more scope tags. These are unique to each local authority or school and are named with the local authority or school number. Scope tags control what admins can see in Intune, which includes objects such as devices, policies, and apps.
Scope tags are associated with the corresponding groups containing the user or device objects for that school or local authority. Any device added to the device group (or a sub-group) has that scope tag applied to it, making it visible to any admin whose role assignment includes that scope tag. Similarly, whenever a configuration item is created in Intune (configuration policies, apps, enrolment profiles, etc.), it is given the scope tag(s) of the admin who created it.
For local authorities, their scope tag is applied to the top-level local authority group, which is the parent for all school groups, and included in the Local Authority Intune Admin role assignment. This allows local authority Intune admins to see all devices within their authority. The role assignment also includes all their schools’ scope tags, which allows the admins to see any configuration items created by those school admins.
For schools, their scope tag is applied to the parent group for that school and is the only one included on their role assignments. This allows admins with a school role assignment to only see devices and configuration items belonging to their school.
An administrator can only see an object if their role assignment includes the matching scope tag. Scope tags can be added to an object to make it visible to other administrators or removed to hide it.
When a local authority admin creates a configuration item in Intune, all their scope tags are automatically applied, including the school ones. This makes the item visible to school admins as well, who may be able to edit it depending on their role.
Consider removing any scope tags not needed from configuration items to prevent unauthorised editing. A scope tag is only needed to make that configuration item accessible to administrators. You can assign a configuration item to a group without a scope tag and it will still apply.
There is a limit of 100 scope tags allowed on a configuration item. If a local authority has more than 100 schools, and hence more than 100 scope tags on the role assignment, configuration items created by a local authority admin will fail unless some scope tags are removed.
This also prevents the use of the Intune for Education portal to create configuration items since scope tags cannot be removed during their creation.
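The roles and scope-tag rules above (an object is visible only when a role assignment shares a scope tag with it, new items inherit every tag of their creator, local authority tags reach school devices through the parent group, and items fail above 100 tags) can be checked against a small model. The code below is an added example, not Hwb or Microsoft code and not the Intune API; the local authority and school numbers, item names and admin set are constructed for illustration only.

```python
# Added example (not Hwb or Microsoft code): a model of the scope-tag
# visibility rules described on the page. Tag values such as "660" and
# "6601001" are constructed; real tags carry the real LA or school number.
from dataclasses import dataclass

MAX_SCOPE_TAGS_PER_ITEM = 100  # limit stated on the page


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    scope_tags: frozenset  # tags through which this admin can see objects


@dataclass
class ConfigItem:
    name: str
    scope_tags: set


def la_admin(la_tag, school_tags):
    """Local authority role assignment: the LA tag plus every school tag."""
    return RoleAssignment("Local Authority Intune Administrator",
                          frozenset({la_tag, *school_tags}))


def school_admin(school_tag):
    """School role assignment: only that school's own tag."""
    return RoleAssignment("School Intune Administrator", frozenset({school_tag}))


def device_tags(la_tag, school_tag):
    """A device in a school group carries the school tag and, because the
    LA tag is applied to the parent group, the local authority tag as well."""
    return {la_tag, school_tag}


def can_see(admin, object_tags):
    """Visible only if the role assignment and the object share a scope tag."""
    return bool(admin.scope_tags & set(object_tags))


def create_item(name, creator):
    """A new item receives all of the creator's scope tags. The page says
    creation fails above the limit; that is modelled here as an exception."""
    tags = set(creator.scope_tags)
    if len(tags) > MAX_SCOPE_TAGS_PER_ITEM:
        raise ValueError(
            f"{name}: {len(tags)} scope tags exceeds the limit of "
            f"{MAX_SCOPE_TAGS_PER_ITEM}")
    return ConfigItem(name, tags)


def restrict_item(item, keep_tags):
    """Drop scope tags that are not needed, so only the intended admins can
    see (and possibly edit) the item. Group assignment is unaffected."""
    item.scope_tags &= set(keep_tags)
    return item


def visible_to(item, admins):
    """Names of the admins in the mapping that can see the item."""
    return [name for name, admin in admins.items()
            if can_see(admin, item.scope_tags)]


if __name__ == "__main__":
    la, schools = "660", ["6601001", "6601002"]  # constructed numbers
    admins = {
        "la": la_admin(la, schools),
        "school1": school_admin(schools[0]),
        "school2": school_admin(schools[1]),
    }
    wifi = create_item("Enterprise Wi-Fi profile", admins["la"])
    print(visible_to(wifi, admins))       # LA admin and both school admins
    restrict_item(wifi, {la})
    print(visible_to(wifi, admins))       # only the LA admin remains
```

The `restrict_item` step is the practical takeaway: a local-authority-created item is editable by every school admin whose tag it carries, so trimming the tag set back to the local authority tag keeps the policy applying to its assigned groups while removing the school admins' ability to change it.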
Company Portal
The Company Portal is a special app for use with Intune that provides self-servicing options.
By making apps ‘available’ in Intune, users can open the Company Portal app and use it as an app ‘catalogue’. This is most suitable for larger non-essential apps which can then be installed at the user’s convenience.
If Company Portal is used to install an app to a device, that app becomes available to all users of that device, not just the person installing it.
Windows 11 SE
Windows 11 SE Overview | Microsoft Learn
Windows 11 SE is an operating system designed by Microsoft, purely for the education sector. Essentially, it is a cut down version of Windows 11, with a cloud-first approach, and uses educational policies for management, and prevents unapproved apps from being installed. It has a low performance overhead for devices, with a strong emphasis on security, the education sector, and affordability, which make it ideal for use in a school environment.
Windows 11 SE can only be obtained from resellers. There is no installation media available for it, so if a device is converted to Windows 11 it cannot be converted back.
Enrolling Windows 11 SE devices
A Windows 11 SE device can be enrolled using Autopilot or a provisioning package, the same as other Windows devices. However, there are some caveats to consider:
- Autopilot – You cannot collect the hardware hash and import manually into Intune, as it does not allow access to PowerShell. You must ask the OEM/reseller to register the devices for you. Once in Autopilot, the deployment process is the same.
- Provisioning Package – Only the Set Up School PCs app can be used to create a provisioning package, and Windows 11 SE must be chosen to configure the package to this OS.
Configuration policies on Windows 11 SE
Windows 11 SE can be fully managed in Intune. It comes preconfigured with some settings that can be further tailored through Intune policies.
Some settings, however, cannot be changed. These mostly affect device admin functionality, such as access to administrative tools like the command prompt or PowerShell (PowerShell scripts must be deployed through Intune to run on Windows 11 SE devices).
Supported apps on Windows 11 SE
Windows 11 SE devices use Windows Defender Application Control (WDAC) to control which apps are allowed to be installed. These apps must be pre-approved by Microsoft, otherwise installation will fail with error code 0x87D300D9.
To add an app to the approved list, it must be requested via Microsoft Education Support by the app developer.
Starting with Windows 11 SE version 22H2, devices enrolled into Intune receive a WDAC policy that sets the Intune Management Extension (IME) as a trusted installer. This means that apps deployed through Intune are automatically allowed, bypassing the need to be on the approved list.