Managed SOE in the Cloud: Microsoft Intune and Autopilot

One of the difficulties of modern technology management is trying to converge on a standard view across a kaleidoscope of different devices – particularly if you have a Bring Your Own Device (BYOD) policy in place.  Setting up the same environment on each new device (or repurposed device) takes time – your IT admins time, and your employees’ time – not only in configuration but just in waiting around! That’s why Microsoft’s come up with a new solution that radically streamlines the process.  In this article, we look at Microsofts Intune and AutoPilot.

Managed SOE in the cloud offers a robust framework for standardising and simplifying IT operations. With Microsoft’s suite of products tailored for this purpose, organisations can look forward to enhanced security, reduced operational costs, and streamlined compliance procedures. Whether you’re rolling out new devices or repurposing old ones, a cloud-managed SOE is an asset that no modern organisation should overlook

What is Managed SOE

One of the ways to streamline device management across an organisation is by rolling out a Standard Operating Environment (SOE) on system enrolment. An SOE allows those in charge of user management to create a standard install of an operating system, configuration, and application set that can be deployed across all new devices.

Cloud-managed SOE refers to the centralised management of these uniform environments, facilitated by cloud services. It allows for streamlined deployment, management, and security controls for enterprises spread across geographies or those embracing remote work.

Of course, there will be different SOEs for Windows/Mac/Android/iOS and desktop/mobile, however having a collection of SOEs with one for each of these significantly lowers the amount of time taken to build a new environment from scratch. It also allows organisations to create base standards of reference, in terms of environments. Organisations may also create different SOEs for different roles within the company: admin, temps, developers, and power users may have different standard installs.

SOEs must be well managed: kept up to date, allow for user group requests to add/change components (with an approval process), configurations available to view at a glance, and rolled out devices linked to each SOE.

The Benefits of SOEs

Uniformity

A standardised environment ensures that each device in the network runs on the same operating system, has the same set of applications, and adheres to the same set of policies. This uniformity simplifies management and cuts down on operational complexities.

Ease of Troubleshooting

With a consistent environment, IT support teams find it easier to diagnose and resolve issues. They can generate one solution that fixes the same issue across all similar systems, thereby improving efficiency.

Security

Having a SOE enables uniform security policies, making it easier to manage vulnerabilities and deploy patches. Centralised security protocols can be rolled out in real-time, enhancing the organisation’s overall security posture.

Reduced Costs

With streamlined operations and less time spent on troubleshooting, organisations witness a noticeable reduction in operational costs.

Compliance

Adhering to compliance standards becomes far less complicated when every system is consistent. Whether it’s GDPR, HIPAA, or any other regulation, a SOE helps maintain the required standards across the board.

Microsoft products that help you create and manage SOEs

Microsoft is well aware of these organisational requirements, which is why they’ve developed solutions that remove the pain of custom in-house SOE systems and management.

The combination of Windows Autopilot + Intune (plus the backing of Azure Active Directory, now called Entra ID) allows organisations to provision, image, and deploy SOEs instantly across devices simply on startup – all from the cloud.

Autopilot allows organisations to develop zero-touch solutions for all Windows 10 devices that come onto your systems. Once IT develops the SOE and configuration, a user can get any devices with a clean (or reset for reploy) Windows install, connect to a network, enter the organisation’s credentials, and the customised SOE is set up on the device.

Through Azure AD or Entra ID, IT admins can create an Autopilot device group, which allows all Autopilot devices to automatically enroll and receive the SOE once credentials are entered. It’s easy for both end users and for IT admins. Here’s a summary including use cases:

Azure Active Directory (now Entra ID)

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It’s essential for setting up single sign-on and multi-factor authentication, providing robust security measures for your SOE.

Features:

> Centralised identity and access management

> Single Sign-On (SSO)

> Multi-Factor Authentication (MFA)

Use Case: In a medium-sized ecommerce company, Azure AD can be used to centralise the identity management of both office staff and remote teams. The SSO feature would allow employees to log in once and gain access to all the applications they are authorized to use, from CRM software to email.

Azure AD integrates seamlessly with Microsoft Intune for identity-driven security measures, providing conditional access based on user roles or device compliance status.

Microsoft Intune

Microsoft Intune is a cloud-based service that focuses on Mobile Device Management (MDM) and Mobile Application Management (MAM). It allows you to control how your organisation’s devices are used.

Features:

> Mobile Device Management (MDM)

> Mobile Application Management (MAM)

> Device compliance policies

Use case: In a logistics company with a fleet of delivery trucks, Intune could manage the tablets used by drivers for route optimisation and package tracking. Specific apps required for work could be pushed to these devices, and others could be restricted to ensure focus and productivity.

Intune can be used in conjunction with Windows Autopilot to automate the configuration of new devices, ensuring they are immediately compliant with organisational policies as managed by Intune.

Windows Autopilot

Windows Autopilot simplifies the process of setting up and configuring new devices. Devices can be automatically enrolled into your organisation’s SOE right out of the box.

Features:

> Zero-touch deployment for Windows 10/11 devices

> Automatic device enrollment

> Pre-configured device profiles

Use case: An educational institution that provides laptops to students can use Windows Autopilot to ensure that all devices are pre-loaded with necessary educational software and adhere to network and security policies before they reach the students.

Windows Autopilot settings can be stored and managed within Azure AD, enabling streamlined device provisioning that respects organisational access policies.

Azure Policy & Blueprints

Azure Policy and Blueprints allow organisations to define and manage organisation-specific requirements, facilitating large-scale compliance. For example, a financial institution can use Azure Blueprints to ensure all its Azure resources comply with the necessary financial regulations and internal policies.

Features:

> Policy definition and enforcement

> Governance and compliance monitoring

> Template-based resource orchestration

Use case: For a healthcare provider that must adhere to stringent HIPAA regulations, Azure Policy could be set up to regularly audit the Azure resources for compliance, automatically remediate non-compliance, and generate compliance reports.

Azure Blueprints can include Azure Policy elements, combining role assignments, policy assignments, and resource templates into a single, cohesive package.

Microsoft Endpoint Manager

This product combines the capabilities of Intune and Configuration Manager, providing a comprehensive endpoint management solution for your SOE.

Features:

> Unified endpoint management

> Co-management capabilities

> Detailed analytics and reporting

Use case: A global consultancy firm with multiple branches can use Microsoft Endpoint Manager to manage a range of devices from PCs to smartphones, ensuring that all endpoints meet security standards and are kept up to date.

Microsoft Endpoint Manager is essentially a hub that unifies the functionalities of Intune and Configuration Manager, thereby creating a common platform for endpoint management. It can be integrated with Azure AD for role-based access control, adding an extra layer of security.

It’s designed to make new or repurposed device rollout as simple as possible

Now, your IT admin staff won’t have to waste their time in setting up new systems whenever a new device is enrolled. In fact, they won’t have to be involved at all – unless your SOE changes or you have the need to create a new user group. For new device users, there is zero confusion in the setup process – log into a network, enter credentials, wait for setup and it’s done.

The cloud-based solution means that you can do this rollout anywhere in the world – which makes it perfect for those with flexible work environments, execs on the go, or companies with multiple sites.

Reduce wasted time across your organisation. Give it a go and try it out. You can trial Intune for free for 30 days (prereq: Azure Active Directory Premium subscription) then use this guide from Microsoft to get started.

Need help with IT support, setup, config, or moving to the cloud? We also offer Azure consulting services. We’re Microsoft partners and know all the ins and outs of their product space and how it can make your business run that much more efficiently – staying in step with everything current technology has to offer.

Julia Sinclair-Jones

Tech writer and ex-software developer with a penchant for travel, techno, and data. Spreading the word of secure, manageable, optimised IT solutions for everyone.