Set up new company computers on intune to be restricted to work purposes only

Question

Hello,

I purchased new laptops running windows 11 pro for the company. I'd like to set up these computers to be restricted to work purposes only. Restrictions such as software or app installations, personal emails, usb and external storage devices, certain websites including social media, entertainment, and other non-work-related sites, etc. I'd like to also safeguard data on the computer, have automatic updates to be enforced, monitoring and logging, etc. Currently I have microsoft 365 business standard licenses for everyone including me. I know intune requires premium licenses, I'm wondering if only I should upgrade to premium or should I also upgrade the other users. I only have 4 computers for the moment that have to be set up and later on will be scaled up to a maximum of 12 computers. It is just a small business. The computers are owned by the business, so there will be no setup on the users' personal devices. I was reading about windows autopilot and also some security baselines which make it easier to set up the computer with preconfigured security settings. Please guide me to set up the computers properly, I appreciate the help! Thank you so much!

Best regards,

Hicham Zaid

Answer 1

@Hicham Zaid,Thanks for posting in Q&A.

1.To restrict app installation, we can deploy device using Windows Autopilot as a standard user, so that users cannot install apps.

https://learn.microsoft.com/en-us/autopilot/add-devices

2.As for restricting USB and external storage devices, we can Restrict USB devices using Administrative Templates in Microsoft Intune.

https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb

3.For the licenses, it is suggested that you upgrade to premium for yourself, because a licensed user can manage 15 devices, but if other users also want to manage devices with Intune, you should also upgrade to premium for them.

https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses#microsoft-intune

4.For protecting data, you can use WIP to protect your data.

https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure

5.For automatically updates windows, you can create an update rings policy and deploy it to devices.

https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings

6.For blocking certain websites via Intune, you can onboard device on Defender for Endpoint which provide web content filtering, or we can create a Microsoft Edge policy to restrict some certain websites using settings catalog under Device configuration.

https://learn.microsoft.com/en-us/defender-endpoint/web-content-filtering#errors-and-issues

https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#urlallowlist

Hope above information can be helpful.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

If you want to cover all the checkboxes of what you described here, you will need more than just business premium. I suggest you start with M365 BP and cover the basics and continue from there.

1. Identity with conditional access: Make sure your users use Multi factor authentications
2. Manage your devices with Microsoft Intune.
3. Cover unmanaged devices:
   1. Implement MAM for Android and iOS or block altogether and use MDM instead.
   2. Block what you already can on unmanaged windows devices with Conditional Access.
4. Implement Defender for Office 365 to help protect your users against malware and phishing.
5. Implement DLP to prevent unwanted sharing outside your organisation.

If you want to do more you will need to upgrade to Microsoft 365 E5.