With the most recent version of Microsoft Intune, Microsoft has expanded the definition of mobile devices to include Windows 10 desktop and laptop platforms.
Mobile device management capabilities are built into the operating system, allowing administrators or end users to enroll Windows 10 devices without requiring additional software. Once a Windows 10 device is enrolled, Intune can enforce various policies, including:
Conditional Access
Intune supports conditional access for Windows 10 and all supported mobile platforms. This allows you to restrict access to various workloads, including Exchange Online, Exchange On-Premises, SharePoint Online and Skype for Business Online. You can pair compliance policies with conditional access to ensure that a device enrolling in Intune is compliant and in a healthy state before it is granted access.
Multifactor Authentication (MFA)
Azure Active Directory Premium enables administrators to enforce MFA on individual users. Users choose their second form of authentication during the enrollment process. They can download a free authenticator app and are then prompted either to approve the sign-in or to enter a code that the app rotates every 30 seconds. Users can also report compromised credentials if they receive a notification for a sign-in they did not initiate.
Mobile Application Management (MAM)
Microsoft Intune allows you to create compliance policies for mobile applications that are policy-aware. Examples include Outlook Mobile, the Office Mobile suite of applications and the Mail app in Windows 10. When a MAM policy is assigned to a supported application, you can enforce data protection policies that limit what can be done with the corporate data residing within the application. Administrators can restrict copying of data to non-managed applications or backups of managed application data, and they can require increased security measures like a PIN or fingerprint sensor to access the application.
Enrolling a Windows 10 device with Intune also enables a set of Hybrid Identity features and provides single sign-on to various Microsoft cloud resources. The device is registered with Azure AD and, once marked as compliant, is seamlessly allowed access to corporate resources.
Corporate users can log into on-premises and cloud workloads using a single Hybrid Identity. Microsoft AD Connect syncs on-premises Active Directory accounts and attributes to Azure AD. Azure AD is the backend directory for all Microsoft Online services. Users can log into their Windows 10 devices and all hybrid workloads using their email addresses and Active Directory passwords.
Single Sign-On to Cloud Applications
Azure Active Directory Premium enables administrators to give users access to other, non-Microsoft cloud resources using the same Hybrid Identity username and password. The apps are presented within a single portal and accessed with the user’s Hybrid Identity.
Enrolling a Windows 10 device also allows you to enforce various operating system configuration policies, similar to Group Policy for Active Directory domain-joined PCs. Examples of these configurations are:
» Enforce password complexity
» Require encryption
» Disable Cortana
» Disable Edge browser
» Perform Health attestation for endpoint
» Configure Windows updates
» Push VPN and Wi-Fi profiles
» Push certificates
» Push custom settings (OMA-URI), similar to Windows Registry edits
» Upgrade any version of Windows 10 to Enterprise via automated process
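The custom-settings bullet above, as an added example that is not the article's own: a Python builder that expresses several of the listed configurations (disable Cortana, require encryption, enforce a device password) as Policy CSP OMA-URIs inside a Microsoft Graph-shaped custom configuration body, and checks each URI's form and value type before the body is used. The Graph resource types, the CSP node paths and their values are assumptions drawn from Microsoft's CSP documentation, not from the article; the profile name and values are constructed.

```python
"""Build an Intune custom (OMA-URI) configuration profile for Windows 10.

Assumptions (not from the article): the Microsoft Graph deviceManagement
'windows10CustomConfiguration' resource with 'omaSettingInteger' entries,
and the Policy CSP nodes listed in SETTINGS. Values are constructed.
"""
import json
import re

# OMA-URI nodes are absolute CSP paths; Intune rejects malformed ones.
OMA_URI_RE = re.compile(r"^\./(Device|User)/Vendor/MSFT/[A-Za-z0-9_~/]+$")

# Policy CSP nodes mirroring bullets from the article.
# Caveat: DeviceLock/DevicePasswordEnabled is inverted (0 = enabled, 1 = disabled).
SETTINGS = [
    ("Disable Cortana", "./Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana", 0),
    ("Require encryption", "./Device/Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption", 1),
    ("Require device password", "./Device/Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled", 0),
    ("Minimum password length", "./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength", 8),
]


def validate_oma_uri(uri: str) -> bool:
    """Return True if the URI has the shape of a CSP node path (not a registry path)."""
    return bool(OMA_URI_RE.match(uri))


def build_profile(name: str, settings=SETTINGS) -> dict:
    """Return a Graph-shaped windows10CustomConfiguration body (built, not posted)."""
    oma_settings = []
    for display_name, uri, value in settings:
        if not validate_oma_uri(uri):
            raise ValueError(f"malformed OMA-URI: {uri}")
        # Policy CSP integer nodes must carry an int; reject strings and bools.
        if not isinstance(value, int) or isinstance(value, bool):
            raise TypeError(f"{uri}: integer policy value expected, got {value!r}")
        oma_settings.append({
            "@odata.type": "#microsoft.graph.omaSettingInteger",
            "displayName": display_name,
            "omaUri": uri,
            "value": value,
        })
    return {
        "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
        "displayName": name,
        "omaSettings": oma_settings,
    }


if __name__ == "__main__":
    print(json.dumps(build_profile("Win10 baseline (constructed)"), indent=2))
```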
Microsoft is embracing the transition to a cloud-first, mobile world by treating every Windows 10 operating system as a mobile device, and companies need an effective way to secure and manage these devices. Some of the features in Windows 10 and Intune are great while others need improvement; this feature set will be continuously improved, and we hope it will reach feature parity with SCCM or Group Policy one day. The single sign-on aspect for cloud workloads provides immediate value to your end users, especially if you are already using Microsoft Office 365 or the various workloads in the Microsoft Enterprise Mobility Suite.