2. Use Azure AD Dynamic Groups and Tags to Target Devices
Groups are used to target devices so that they receive a specific Autopilot deployment profile. IT can manually assign devices to a group or use dynamic groups, where an advanced rule automatically defines group membership.
Azure AD objects should be tagged with three properties before devices join the tenant domain. Tags can be used in the rules that populate dynamic groups. All Autopilot-registered devices are tagged with ZTDId, and PurchaseOrderID and OrderID values can be set when devices are uploaded to Microsoft Intune.
For example, (device.devicePhysicalIDs -any _ -contains "[ZTDId]") adds all Autopilot-registered devices to a dynamic group.
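The following is an added example, not part of the original article: it creates one dynamic group per tag with the Microsoft Graph PowerShell SDK. The group names and the two tag values are constructed placeholders, and it assumes the Microsoft.Graph.Groups module is installed and the signed-in account may create groups.

```powershell
# Added example. Assumes the Microsoft.Graph.Groups module is installed.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Constructed sample values; replace with the tags set when devices were uploaded.
$orderId         = 'CONTOSO-LAB-01'
$purchaseOrderId = '0000000000'

# One rule per tag. -eq compares the whole physical ID string, so the tag
# CONTOSO-LAB-01 does not also match devices tagged CONTOSO-LAB-010.
$groups = @(
    @{ Name = 'Autopilot - All devices'
       Rule = '(device.devicePhysicalIds -any (_ -contains "[ZTDId]"))' },
    @{ Name = "Autopilot - Order $orderId"
       Rule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:{0}"))' -f $orderId },
    @{ Name = "Autopilot - PO $purchaseOrderId"
       Rule = '(device.devicePhysicalIds -any (_ -eq "[PurchaseOrderId]:{0}"))' -f $purchaseOrderId }
)

foreach ($g in $groups) {
    # Skip groups that already exist so the script can be re-run safely.
    $existing = Get-MgGroup -Filter "displayName eq '$($g.Name)'"
    if ($existing) { Write-Host "Exists:  $($g.Name)"; continue }

    New-MgGroup -DisplayName $g.Name `
        -MailEnabled:$false `
        -MailNickname ([guid]::NewGuid().ToString('N')) `
        -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $g.Rule `
        -MembershipRuleProcessingState 'On' | Out-Null
    Write-Host "Created: $($g.Name) -> $($g.Rule)"
}
```

Review each group's membership after the rule has been processed and before assigning a deployment profile to it, since every device that matches the rule receives that profile.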
3. Configure a Preferred Azure AD Tenant Domain
Microsoft recently added a new feature to Intune for Education that allows IT to set a preferred Azure AD tenant domain. If a preferred tenant domain is not set, when users sign in to Windows, they must provide their full username, which includes an alias and the domain name assigned to the Azure AD tenant. Setting a preferred tenant domain simplifies device sign-in for users.
If IT sets a preferred tenant domain in Intune, students and teachers need only provide their alias.
4. Employ ADMX Templates to Configure Device Settings
Enroll devices with Microsoft Intune and configure as many device settings as possible there. Windows 10 mobile device management policies are missing many settings that schools previously managed using Group Policy, but some Group Policy ADMX templates are supported for configuring settings in Intune.
Schools can use Intune’s Group Policy analytics to determine which Group Policy settings are supported on mobile devices. Some settings are supported natively in MDM policy; others by using ADMX template support. Most current ADMX settings are for Microsoft Edge and Office apps, but many more are planned for 2021.