Leveraging Nerdio for MSP to Elevate Your Intune Environments


We’re in a time where MSP capabilities are becoming crucial to make Microsoft Intune a complete solution. Nerdio is starting to create some special features that integrate directly with a customer’s Intune environment to do magical things. Some of the things we can do and will discuss today are:

Intune-Device Management in Nerdio

Within Nerdio, we can see ALL devices at the MSP level, which is “somewhat” useful by showing a high-level overview of devices across tenants and their health. You can’t do much with these devices, but you can click a hyperlink to take you directly to the device record in their tenant.

You will see areas for compliance, error states for configuration profiles, updates, apps, exposure level and risk level of a device:

Once you go into a customer tenant, things start getting more powerful. It looks similar, but that properties drop-down will get exciting:

You can run all of these commands on a device, which are pretty neat:

  • Sync
  • Restart
  • Scan (Quick or Full)
  • Run Script (scripted actions hosted in Nerdio)
  • Delete
  • Change Primary User
  • Rename
  • Rotate BitLocker or LAPS
  • Retire, Wipe, Fresh Start, and Autopilot Reset
  • Locate Device
  • Install Console Connect
  • MDE Actions (device classification, manage tags, action center, hunting, update Defender, run AV scans, collect investigation packages)

We can even bulk run sync, restart, scan, delete, rename, or run Nerdio scripted actions.

The other aspect of the Intune device management in Nerdio covers the deep insights into properties of a device.

A few of the awesome properties they extend are the LAPS and BitLocker keys along with rotation:

Defender risk level in properties is also very cool:

The last part I wanted to show is the Windows update pane of a device:

Intune Recovery Services in Nerdio

Before we discuss policies, it’s good to understand the MSP recovery services that are available. We can create restore points/schedules for all of your customers.

We use policies to ensure that we have daily backups of your policies inside of Intune, which will empower full restores when people make significant mistakes and cause issues within their environment. Currently a restore is “all or nothing”, with “drift tracking” as the more targeted alternative.

Intune Policy Management in Nerdio

At the MSP-level, we have your typical items:

  • Conditional Access Policies
  • Security Baselines
  • Compliance Policies
  • Configuration Profiles
  • Update Rings
  • MAM Policies
  • Autopilot Profiles
  • ESP
  • Endpoint Security Policies
  • Defender O365 Policies

The point of Intune Policy Management at the MSP-level is to have baseline policies that you can push down to your customers and then track for drift (the idea being that you can see when a policy changes and then either revert those changes or allow the drift).

The policies themselves are in JSON form, which does make modifying policies a bit challenging, but it is still possible. Like other things in Nerdio, you clone and create your best practice baseline:

You can assign policies to customers and publish them at scale nicely:

Leveraging existing policies in a customer’s tenant to monitor drift is not recommended, but it is possible via the “import” function:

If you decide to use it, make sure you take a backup via recovery services, which we will cover shortly.

They also have a very nice integration with CIS1 baselines, allowing you to deliver a suite of CIS level policies, which is exciting:

You can view policies by drilling into the baseline:

The best part is once you’ve imported the policies, you can easily track the drift:

One other amazing feature is the ability to bulk assign policies easily from inside of the customer’s tenant:

Microsoft Intune Drift Tracking in Nerdio

The drift tracking is one of the most appealing aspects of the Nerdio MSP integration with Intune.

You start by creating a container called a “Policy Baseline” and then bring policies into it:

Now, we add the policies into the baseline super easily:

Once we’ve done that, we click “Status”:

Once you drill in, you can see the drift status of your policy baseline in a fairly nice interface:

The drift also has some flexibility, where you can set expirations and decide whether it should be reprocessed or not. It’s overall very easy:

You can also go into “Accepted Drifts” and delete any drifts you have already accepted:
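To make the drift idea concrete, here is an added example (my own sketch, not code from this post or from Nerdio) that compares a baseline policy's JSON against a tenant's copy and honours accepted drifts with an expiration. The sample policies, the `ACCEPTED` structure and the rule that an acceptance covers one exact value until it expires are assumptions for illustration.

```python
from datetime import date

# Metadata that changes on every save; skipped at any depth, never counted as drift.
VOLATILE = {"id", "createdDateTime", "lastModifiedDateTime", "version"}

def flatten(obj, prefix=""):
    """Flatten nested policy JSON into {"a.b[0].c": value} leaf paths."""
    if isinstance(obj, dict):
        items = ((f"{prefix}.{k}" if prefix else k, v)
                 for k, v in obj.items() if k not in VOLATILE)
    elif isinstance(obj, list):
        items = ((f"{prefix}[{i}]", v) for i, v in enumerate(obj))
    else:
        return {prefix: obj}
    out = {}
    for path, value in items:
        out.update(flatten(value, path))
    return out

def find_drift(baseline, current, accepted, today):
    """Return {path: (baseline_value, current_value)} for unaccepted drift.

    accepted maps a setting path to (accepted_value, expiry_date). An
    acceptance covers only that exact value and only until it expires
    (assumed semantics), so a further change is reported again.
    """
    base, cur = flatten(baseline), flatten(current)
    drift = {}
    for path in sorted(base.keys() | cur.keys()):
        b, c = base.get(path), cur.get(path)
        if b == c:
            continue
        ok_value, expires = accepted.get(path, (None, date.min))
        if c == ok_value and today <= expires:
            continue  # drift was accepted and the acceptance is still valid
        drift[path] = (b, c)
    return drift

# Constructed sample data: a baseline compliance policy and a tenant's copy.
BASELINE = {"id": "00000000-0000-0000-0000-000000000001", "version": 3,
            "displayName": "Baseline - Windows Compliance",
            "passwordMinimumLength": 12, "bitLockerEnabled": True}
TENANT = {"id": "00000000-0000-0000-0000-0000000000aa", "version": 7,
          "displayName": "Baseline - Windows Compliance",
          "passwordMinimumLength": 8, "bitLockerEnabled": False}
# Constructed accepted drift: a length of 8 is tolerated until 2025-06-30.
ACCEPTED = {"passwordMinimumLength": (8, date(2025, 6, 30))}

if __name__ == "__main__":
    print(find_drift(BASELINE, TENANT, ACCEPTED, date(2025, 6, 1)))
```

Once the acceptance expires, the shorter password length is reported as drift again alongside the disabled BitLocker requirement.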

Intune Tenant Monitoring

Intune Tenant Monitoring is an interesting capability as well. With Intune Tenant Monitoring, you can create these solution baselines and see if you are using best practice settings similar to Secure Scores.

They have Solution baselines for:

  • MDE
  • Defender for O365
  • Entra ID
  • Exchange Online
  • Intune
  • SharePoint & OneDrive
  • Teams

They also have “Policy baselines” for:

  • MDE
  • Windows 11

You can even build global policies against existing configuration policies e.g. Defender best practice settings:

Overall, it’s a very exciting aspect of the platform which lets MSPs deliver really strong value:

Windows Update Reporting

One of the most common complaints is Windows Update reporting. We can drill into a customer and check out what their landscape is for Windows Updates:

They even have some nice graphics about End-of-Support aspects for updates:

Nerdio is enhancing Microsoft Intune capabilities for Managed Service Providers (MSPs) by introducing features like Intune device management, recovery services, policy management, and drift tracking. It enables comprehensive oversight of devices and facilitates easy policymaking and monitoring. Additionally, Windows Update Reporting helps clients manage update landscapes effectively.
