Hello Hicham Zaid,
Thank you for posting in the Q&A forum.
It sounds like you have a comprehensive set of requirements for managing these new laptops. Let's break down the main options and steps:
1. Understanding Your Tools:
- Group Policy: This is a feature of Windows Pro and Windows Server that allows you to manage settings for computers and users in a domain environment. It's powerful but requires an Active Directory (AD) environment.
- Microsoft Intune (part of Microsoft Endpoint Manager): This is a cloud-based management tool that allows you to manage devices, enforce policies, deploy apps, and more. It requires additional licensing, often part of Microsoft 365 Business Premium or Enterprise plans.
- Azure Active Directory (Entra ID): Cloud-based identity and access management service. It's essential for managing modern, cloud-oriented environments.
- Microsoft 365 Business Standard: Provides productivity tools but lacks the comprehensive device and policy management features found in Business Premium.
2. Setting Up Group Policy (GPO):
If you prefer to avoid additional costs and work within the capabilities of Windows 11 Pro and your current licensing, Group Policy might be your best option. However, you need a Windows Server environment with Active Directory to fully utilize Group Policy.
Steps:
1. Set Up Active Directory:
Install Windows Server and configure Active Directory Domain Services (AD DS).
2. Join Laptops to the Domain:
Make sure each laptop joins the domain configured in AD.
3. Create and Enforce Group Policies:
Use the Group Policy Management Console (GPMC) on your Windows Server.
Define policies to restrict app installations, block USB devices, enforce automatic updates, etc.
3. Using Microsoft Intune:
If you can opt for additional subscriptions and want a cloud-based, modern management solution, Intune offers comprehensive capabilities.
Steps:
1. Upgrade to Microsoft 365 Business Premium:
This includes Intune and Azure AD Premium.
2. Enroll Devices in Intune:
Create an enrollment profile in Intune for Windows 11 devices.
Users can enroll their devices during the initial setup or through settings on their devices.
3. Configure Policies and Profiles:
Use Intune to create Device Configuration Profiles, Compliance Policies, and App Protection Policies.
Restrict software installations, block USB devices, set up Automatic Updates, restrict browsing, and more.
4. Set Up Conditional Access and Monitor Devices:
Use Azure AD Conditional Access to enforce security policies. Intune provides monitoring and reporting capabilities.
4. Implementing Entra ID and Active Directory:
Entra ID (Azure AD): Necessary for identity management and integrating with Intune. It requires setting up Azure AD and connecting it to your on-premises AD if applicable.
Active Directory: Required for traditional Group Policy.
Some Tips:
1. Data Safeguarding: Use BitLocker for full disk encryption and Windows Information Protection (WIP) for data loss prevention.
2. Automatic Updates: Configure via Group Policy for on-premises or Compliance Policies in Intune.
3. Device Monitoring: Intune provides robust reporting and monitoring capabilities.
Decision Points:
1. Cost vs. Capabilities: Weigh the cost of upgraded licenses (Intune) versus the complexity and potential limitations of using only Group Policy with Windows 11 Pro.
2. Cloud vs. On-Premises: Consider whether a modern, cloud-based approach (Intune + Azure AD) or a traditional, on-premises approach (Group Policy + AD) fits your organization’s needs better.
For comprehensive management and ease of use, Microsoft Intune is highly recommended if budget allows. If you must stick with existing tools and avoid extra costs, setting up Group Policy with Active Directory is your path, recognizing the initial setup complexity.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
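The Group Policy path in the answer above (create a GPO, restrict installs, block USB storage, force updates, back up BitLocker recovery keys, link it to the laptops), as an added PowerShell example that is not part of the original answer. It uses the GroupPolicy and ActiveDirectory RSAT modules and must run as a Domain Admin on a domain controller or RSAT host. The domain name contoso.com, the OU "Laptops", the GPO name and the pilot host name LAPTOP01 are assumptions; the registry policy paths are the ones the corresponding Administrative Template settings write.

```powershell
# Added example, not from the original answer. Builds the laptop baseline GPO
# described above. Assumed: domain contoso.com, laptops in OU "Laptops".
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName  = 'Laptop Baseline'                  # assumed GPO name
$TargetOu = 'OU=Laptops,DC=contoso,DC=com'     # assumed OU holding the laptops

# 1. Create the GPO only if it does not already exist, so the script is re-runnable.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Block USB storage, force updates, restrict installs, BitLocker recovery to AD'
}

# Helper: write one Computer Configuration registry policy value into the GPO.
function Set-MachinePolicy {
    param([string]$Key, [string]$ValueName, [string]$Type, $Value)
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type $Type -Value $Value | Out-Null
}

$Pol = 'HKLM\SOFTWARE\Policies\Microsoft\Windows'

# 2. Block USB / removable storage ("All Removable Storage classes: Deny all access").
Set-MachinePolicy "$Pol\RemovableStorageDevices" 'Deny_All' 'DWord' 1

# 3. Automatic updates: auto-download and install on a schedule, every day at 03:00,
#    and do not let a logged-on user postpone the reboot indefinitely.
Set-MachinePolicy "$Pol\WindowsUpdate\AU" 'NoAutoUpdate'                 'DWord' 0
Set-MachinePolicy "$Pol\WindowsUpdate\AU" 'AUOptions'                    'DWord' 4
Set-MachinePolicy "$Pol\WindowsUpdate\AU" 'ScheduledInstallDay'          'DWord' 0
Set-MachinePolicy "$Pol\WindowsUpdate\AU" 'ScheduledInstallTime'         'DWord' 3
Set-MachinePolicy "$Pol\WindowsUpdate\AU" 'NoAutoRebootWithLoggedOnUsers' 'DWord' 0

# 4. Restrict software installation by standard users (Windows Installer "Prohibit User Installs").
Set-MachinePolicy "$Pol\Installer" 'DisableUserInstalls' 'DWord' 1

# 5. BitLocker: require the OS-drive recovery information to be stored in AD DS
#    before encryption is allowed to start, so a lost key never blocks recovery.
$Fve = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
Set-MachinePolicy $Fve 'OSRecovery'                    'DWord' 1
Set-MachinePolicy $Fve 'OSActiveDirectoryBackup'       'DWord' 1
Set-MachinePolicy $Fve 'OSRequireActiveDirectoryBackup' 'DWord' 1

# 6. Link the GPO to the laptop OU (once), enforced so a child OU cannot block it.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 7. Read back what the GPO will push, then force a refresh on one pilot laptop
#    before the rest of the OU picks it up on the normal 90-minute cycle.
Get-GPRegistryValue -Name $GpoName -Key "$Pol\RemovableStorageDevices" | Select-Object ValueName, Type, Value
Get-GPRegistryValue -Name $GpoName -Key "$Pol\WindowsUpdate\AU"        | Select-Object ValueName, Type, Value
Invoke-GPUpdate -Computer 'LAPTOP01' -Force -RandomDelayInMinutes 0     # assumed pilot host
```

Because these are registry-based Administrative Template settings, a local administrator on the laptop can undo them between refreshes; the GPO protects the configuration only as far as users are not local admins, which is why pairing it with the "Prohibit User Installs" setting and standard-user accounts matters. Check the result on the pilot machine with `gpresult /r` or by querying the keys under HKLM\SOFTWARE\Policies after the refresh.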
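The Intune path in the answer above (a compliance policy that feeds Conditional Access, a configuration profile that blocks USB storage, and a monitoring query), as an added PowerShell example that is not part of the original answer. It calls Microsoft Graph through the Microsoft.Graph PowerShell SDK with an account holding the Intune Administrator role on a Business Premium or Intune-licensed tenant. The policy names, the minimum OS build, the password length and the "all devices" assignment scope are assumptions for this example; the request bodies follow the Graph windows10CompliancePolicy and windows10GeneralConfiguration schemas.

```powershell
# Added example, not from the original answer. Creates and assigns an Intune
# compliance policy and a removable-storage block via Microsoft Graph.
Import-Module Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
$Graph = 'https://graph.microsoft.com/v1.0/deviceManagement'

# Assignment target used for both policies: every enrolled device (assumed scope;
# in production you would target a device group instead).
$AllDevices = @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }) } |
    ConvertTo-Json -Depth 10

# 1. Compliance policy: BitLocker on, Secure Boot on, patched OS, password set.
#    A device that fails is marked non-compliant immediately (grace period 0 h),
#    which is the signal Conditional Access uses to block access to Microsoft 365.
$compliance = @{
    '@odata.type'         = '#microsoft.graph.windows10CompliancePolicy'
    displayName           = 'Laptop baseline compliance'      # assumed name
    description           = 'BitLocker, Secure Boot, minimum OS build, password required'
    bitLockerEnabled      = $true
    secureBootEnabled     = $true
    osMinimumVersion      = '10.0.22631.0'                     # assumed floor (Windows 11 23H2)
    passwordRequired      = $true
    passwordMinimumLength = 8                                  # assumed value
    scheduledActionsForRule = @(@{
        ruleName = 'PasswordRequired'
        scheduledActionConfigurations = @(@{
            actionType               = 'block'
            gracePeriodHours         = 0
            notificationTemplateId   = ''
            notificationMessageCCList = @()
        })
    })
} | ConvertTo-Json -Depth 10

$cp = Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceCompliancePolicies" `
        -Body $compliance -ContentType 'application/json' -OutputType PSObject
Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceCompliancePolicies/$($cp.id)/assign" `
        -Body $AllDevices -ContentType 'application/json' | Out-Null

# 2. Configuration profile: block removable storage (USB mass storage) on Windows devices.
$usbBlock = @{
    '@odata.type'                = '#microsoft.graph.windows10GeneralConfiguration'
    displayName                  = 'Laptop baseline - block removable storage'   # assumed name
    storageBlockRemovableStorage = $true
} | ConvertTo-Json -Depth 10

$dc = Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceConfigurations" `
        -Body $usbBlock -ContentType 'application/json' -OutputType PSObject
Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceConfigurations/$($dc.id)/assign" `
        -Body $AllDevices -ContentType 'application/json' | Out-Null

# 3. Confirm what was created, then the monitoring step: list devices that are
#    currently non-compliant so they can be chased before Conditional Access bites.
Invoke-MgGraphRequest -Method GET -Uri "$Graph/deviceCompliancePolicies/$($cp.id)" -OutputType PSObject |
    Select-Object displayName, bitLockerEnabled, secureBootEnabled, osMinimumVersion

$filter = "complianceState eq 'noncompliant'"
$select = 'deviceName,userPrincipalName,operatingSystem,lastSyncDateTime'
$page = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
            -Uri "$Graph/managedDevices?`$filter=$filter&`$select=$select"
$page.value | Format-Table deviceName, userPrincipalName, operatingSystem, lastSyncDateTime
```

The compliance policy on its own only labels devices; the actual enforcement comes from a Conditional Access policy in Entra ID that requires "device marked compliant" for the Microsoft 365 apps, which is the step 4 the answer refers to. Both created objects show up in the Intune admin center under Devices > Compliance policies and Devices > Configuration profiles, so the portal can be used to review or adjust what the script created.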