Edit: So far I have completed work to get things running if we take the Azure AD + Intune route, but I also will be spinning up my own local Active Directory Server and attempting to create my own cost effective solution to this issue.
- Certain aspects of Automated Azure Entra ID + Intune Remote Deployment
  - Management
    - Remote creation of Admin account – potentially can also reduce deployed user to standard (wip)
    - Created custom PowerShell scripts to change various settings via registry keys for things ranging from Company Branding to Security settings
    - Created compliance guidelines so we can see when a computer has fallen out of compliance, and for what reasons
  - Security
    - Forced BitLocker Encryption
    - Created custom policy for Windows Updates to focus on drivers and security instead of features. Can also roll back feature updates, supposedly
    - Created a schedule to scan systems for malware, and set up an aggressive quarantine policy
  - General Use
    - Standard Apps will download automatically – Slack \ Gchat | Google Chrome | OpenVPN
    - (Plant Desktop Only) Reduced access to programs that aren’t relevant to work
- Management
  - A ‘Battle Plan’ regarding:
    - Laptop and Desktop models (which are available to purchase, price vs value, etc.)
    - Per-Stage Pricing – I have broken down the cost of hardware purchased to per-round values, to help clarify costs
    - A comparison between the IDPs available to complete the project
    - A comparison between the MDMs available to complete the project
- Some of what I have done so far is:
  - Create a Domain Controller, and enable DNS and DHCP on it
  - Create Users, OUs, and Groups
  - Create Shared Drives with conditional access
Downsides: Cost. Azure AD is fairly expensive, though it can pay to have such a robust environment for some.