We have covered how to define the settings that must be in place for devices to meet your organization's compliance needs, but how do we actually configure the settings of a device? What good is a compliance policy that checks for settings if we have no configuration profiles putting those settings in place? Let's cover that now. At a high level, configuration profiles in MEM allow IT admins to define device settings inside a profile, or policy, and then push those settings out to devices.
To start, in the Microsoft Endpoint Manager admin center, click on Devices, then click Configuration profiles. Similar to how we configured the compliance policy earlier, click Create profile, select your Platform, then select the Profile type, for which you have two options: Settings catalog (preview) and Templates. A quick note on the profile types from Microsoft:
- Settings catalog: On Windows 10/11 devices, use the settings catalog to see all the available settings, and in one location. For example, you can see all the settings that apply to BitLocker and create a policy that just focuses on BitLocker
- Templates: On Android, iOS/iPadOS, macOS, and Windows devices, the templates include a logical grouping of settings that configure a feature or concept, such as VPN, email, kiosk devices, and more. If you're familiar with creating device configuration policies in Microsoft Intune, then you're already using these templates.
Since we are just starting out in building our configuration profiles, let's select Templates. The only downside to this method is that you are given categories of settings to choose from when building out your configuration profile, and novices such as myself may not know which category a given setting falls under. So, if you choose one category, give the profile a name, and the setting you are looking for is not under the category you selected, there is no breadcrumb to get back to the list of Template categories. You must essentially start the process over, and the search feature does not work the way you might expect it to. Though the Settings catalog offers granular settings, there are challenges to both methods. My recommendation is to use Templates and get familiar with the categories.

Let's configure a profile that sets BitLocker settings for our managed devices. Under Templates, I will choose Endpoint Protection and click Create. Under Basics, give this configuration profile a descriptive name so other admins can understand at a quick glance what this profile does. Under Configuration settings, I will expand Windows Encryption and configure the BitLocker settings that meet my organization's security requirements. I find it useful to note from my own experience that if you want BitLocker encryption to occur silently, without the user needing to do anything, then the following BitLocker settings are required per the Microsoft documentation:
- Warning for other disk encryption – Required
- Allow standard users to enable encryption during Azure AD join – Required
Once the necessary settings are chosen, click Next to proceed to Assignments. Notice something within configuration profile assignments that was not available in compliance policy assignments: the ability to select Add All devices. We can either select this option or the device security group we configured in the beginning; either will work. Note that "all devices" refers only to the devices you have enrolled in MEM. Next, you have the option to assign Applicability rules for your configuration profile based on OS edition/version. I typically have skipped this. Lastly, review your settings and assignments. When ready, click Create. Don't forget that you may not see your configuration settings applied right away. The above steps can be followed for any settings you wish to create and push out to your managed devices.
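The same profile can be created and assigned through the Microsoft Graph API instead of clicking through the portal, which is handy when you want the BitLocker profile to be reproducible across tenants or reviewed in source control. The script below is an added example and not part of the original post or of Microsoft's documentation. It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in admin can consent to the DeviceManagementConfiguration.ReadWrite.All scope, and that the property names are those of the Graph beta windows10EndpointProtectionConfiguration resource (the Endpoint Protection template). The two booleans correspond to the two settings the post calls required; the system-drive choices (XTS-AES 256, TPM required) are my own assumed values, not something the post prescribes.

```powershell
# Added example: build the Endpoint Protection / Windows Encryption profile via Graph.
# Assumptions: Microsoft.Graph module installed; admin consents to the scope below;
# property names follow the Graph beta windows10EndpointProtectionConfiguration schema.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$profileBody = @{
    '@odata.type' = '#microsoft.graph.windows10EndpointProtectionConfiguration'
    displayName   = 'Win10 - BitLocker silent OS drive encryption (example)'
    description   = 'Silently enables BitLocker on the OS drive. Constructed example profile.'

    # "Warning for other disk encryption": suppress the prompt so encryption can
    # proceed without the user acknowledging anything.
    bitLockerDisableWarningForOtherDiskEncryption = $true
    # "Allow standard users to enable encryption during Azure AD join".
    bitLockerAllowStandardUserEncryption = $true
    # "Encrypt devices": require BitLocker rather than merely permit it.
    bitLockerEncryptDevice = $true

    # Assumed system-drive choices; adjust to your organization's requirements.
    bitLockerSystemDrivePolicy = @{
        encryptionMethod               = 'xtsAes256'
        startupAuthenticationRequired  = $true
        startupAuthenticationTpmUsage  = 'required'
    }
}

# Create the profile. Invoke-MgGraphRequest serializes the hashtable to JSON.
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body $profileBody
Write-Host "Created profile $($created.displayName) with id $($created.id)"

# Assign it to "All devices", the target the portal exposes for configuration profiles.
# Swap the target for a groupAssignmentTarget with a groupId to use a security group.
$assignBody = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body $assignBody

# Read the profile back so the result can be reviewed before devices check in.
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($created.id)"
$check | Select-Object displayName, bitLockerEncryptDevice,
    bitLockerDisableWarningForOtherDiskEncryption, bitLockerAllowStandardUserEncryption
```

As with the portal flow, the profile is not applied the moment it is assigned; devices pick it up on their next MEM sync. Keeping the body in a file alongside the compliance policy makes it straightforward to diff the two and confirm that every setting the compliance policy checks has a configuration profile actually setting it.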
The last thing I would like to touch on in this post is the device Overview page. When clicking into a managed device in MEM, IT admins gain insight into a device that is enrolled in MEM. Azure AD does not offer nearly as much information about a device's hardware properties as MEM does. Furthermore, we can initiate a few different remote actions on a given device. Let's take a look. To view a managed device's hardware information in MEM, click Devices > All devices. Click on a device to get to its Overview page. Now click on Hardware. Here we get to see vital information about the device such as its serial number, OS version, used/free storage space, device manufacturer, network details and much more. This is a very useful page for IT admins. If we click out of the Hardware section and go back to the device's Overview page, we will see a row of different actions we can take on a device: Retire, Wipe, Delete, Sync, Restart, Collect Diagnostics, and more. If you click the three horizontal dots you get access to a few more actions, such as renaming the device and getting the device's geographical location. I won't cover every action in this post.
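The Hardware page shows one device at a time; the same inventory is available across the whole tenant through the managedDevices resource, which is how you would check that the BitLocker profile from earlier actually took effect. The script below is an added example, not code from the original post. It assumes the Microsoft.Graph PowerShell module, the DeviceManagementManagedDevices.Read.All scope, and the v1.0 managedDevice properties named in the $select clause; the isEncrypted flag is what MEM reports for the device, and the "unencrypted Windows devices" filter at the end is the defender's check this example exists to show.

```powershell
# Added example: pull the hardware fields shown on the device Hardware page for every
# enrolled device and flag Windows devices that report no encryption.
# Assumptions: Microsoft.Graph module installed; admin consents to the scope below.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

$select = 'id,deviceName,serialNumber,manufacturer,model,operatingSystem,osVersion,' +
          'totalStorageSpaceInBytes,freeStorageSpaceInBytes,isEncrypted,complianceState,lastSyncDateTime'
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=' + $select

# Graph pages results; follow @odata.nextLink until it is absent.
$devices = @()
while ($uri) {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
}

# Shape the raw hashtables into the columns an admin reads on the Hardware page.
$inventory = $devices | ForEach-Object {
    [pscustomobject]@{
        Name         = $_.deviceName
        Serial       = $_.serialNumber
        Make         = "$($_.manufacturer) $($_.model)"
        OS           = "$($_.operatingSystem) $($_.osVersion)"
        FreeGB       = [math]::Round($_.freeStorageSpaceInBytes / 1GB, 1)
        TotalGB      = [math]::Round($_.totalStorageSpaceInBytes / 1GB, 1)
        Encrypted    = $_.isEncrypted
        Compliance   = $_.complianceState
        LastSync     = $_.lastSyncDateTime
    }
}
$inventory | Sort-Object Name | Format-Table -AutoSize

# Windows devices still reporting no encryption: the profile has not applied yet,
# the device has not synced, or something on the endpoint is blocking BitLocker.
$unencrypted = $inventory | Where-Object { $_.OS -like 'Windows*' -and -not $_.Encrypted }
Write-Host "$($unencrypted.Count) Windows device(s) report no encryption:"
$unencrypted | Select-Object Name, Serial, Compliance, LastSync | Format-Table -AutoSize
```

A device can show as not encrypted for a while after the profile is assigned simply because it has not synced; the Sync action on the Overview page described above forces that check-in, after which this query should reflect the new state.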
To conclude this post, Microsoft Endpoint Manager offers great insight and configuration capability for IT admins managing an Azure tenant's devices. There are a vast number of settings that can be leveraged to meet an organization's needs.