M365 upgrade and Intune questions

Posted by electric_medicine@reddit | sysadmin | View on Reddit | 5 comments

Hi everyone, I'm pushing for an upgrade from "Microsoft 365 Business Standard" to "Microsoft 365 Business Premium" which includes Intune and AzureAD Premium. I've checked the MS docs and looked at the info for the included packages, but I just want to confirm that the selected package really includes what I'm gonna need to do. I want: * Upgrade some existing Windows OEM licenses to the Win 10/11 Business licenses included with M365 Premium * Restrict USB device access to Keyboards, Mice and webcams only * Force login with Microsoft account (being able to lock out the whole PC by locking the MS account) - can I transfer local accounts to MS accounts? * Force BitLocker * Forcibly push Windows and Office updates * Push GPOs (AzureAD/Intune can do that, I'm like 99% sure) What's the timeframe I should plan for implementing this for a company of 20? Sorry for the stupid noob questions, I'm a little overworked at the moment and we're trying to get a grip on things with central management. A simple yes/no (with explanation why not) would suffice. Thanks everyone and I hope you have a great day

5 Comments

[-]

Avas_Accumulator@reddit

>Push GPOs (AzureAD/Intune can do that, I'm like 99% sure) They push policies yes. As if they were the old GPOs.

Prophage7@reddit

> Upgrade some existing Windows OEM licenses to the Win 10/11 Business licenses included with M365 Premium Just so you're aware on this one, Win 10/11 Business is basically a superficial upgrade to Win 10/11 Pro that means it's been connected to M365 cloud services, it won't upgrade Windows 10/11 Home if you have any of those kicking around.

anxiousinfotech@reddit

It will also not upgrade to Win 10/11 Business if the underlying Pro OS is not activated. I've had a few orgs automatically think they could get away with installing Pro on a machine that came with Home, then log in with an M365 Business account to activate Pro.

progenyofeniac@reddit

First of all, you should be able to do all of that already, assuming your machines are domain-joined. USB blocking is going to be a trial and error project. Not saying it's a bad goal, but I see it taking quite a bit of adjusting policies, etc., not to mention the negative feedback from users. Push GPOs? Like...settings? Policies? You can do that, sure. Most of the stuff you're hoping to do would be done with a GPO or an Intune CSP. Timeframe? How familiar are you with Intune, and how much testing do you plan to do? Also, are you already syncing user accounts from an on-prem domain to AAD? If everybody's using local accounts, that'll be a bit of a pain point, moving them to AAD accounts. There may be a way to transfer them, but I'd probably just have people log in with the new account and help them set things up again. With 20 users, assuming local accounts, I'd just move them one at a time.

electric_medicine@reddit (OP)

There's currently no central management in place. People log on with local accounts and are signed in to MS Accounts for OneDrive and Office. I'm currently not familiar with Intune and will need to learn to manage it. I'm going to do I'd say an average amount of testing, moving the more savvy users first and going one by one. We also don't have a local domain in place, which is the main reason I'm pushing for the upgrade. Thanks for your insights!

Reply to Post

5 Comments