- Overview
- What's Included
- Supported Distributions
- Prerequisites
- Getting Started
- Basic concept
- Enrollment
- Compliance
- Configuration
- Contributing
- Disclaimer
- License
## Overview

The IntuneLinuxBaseline is a collection of security and compliance configurations for Linux devices managed through Microsoft Intune. It provides policy definitions, custom compliance scripts, and configuration scripts that help organisations establish a consistent, secure Linux endpoint posture without starting from scratch.
Aimed primarily at Ubuntu, but usable with the other supported distributions, this baseline gives you a solid, opinionated starting point that you can adapt to your environment.

## What's Included

| Category | Description |
|---|---|
| Enrollment | An autoinstall enrollment experience for a faster, standardized setup |
| Compliance | Policy definitions covering OS, password, encryption, firewall checks, and more |
| Configuration | Configuration scripts for common Linux hardening settings and customization |

## Supported Distributions

- Ubuntu 24.04 LTS and 26.04 LTS
- Red Hat Enterprise Linux 9/10 (autoinstall, UFW and APT are Ubuntu specific, so the enrollment file and the scripts that depend on them need adjusting)

## Prerequisites

Before you start, make sure the basics are in place:
- The user has an Intune license
- The Entra ID device setting "Users may join devices to Microsoft Entra" is enabled for the users who will enroll
- If a Conditional Access policy requires a compliant device, exclude the Microsoft Intune and Microsoft Intune Enrollment cloud apps from it, so the first enrollment isn't blocked by a device that cannot be compliant yet
- The device runs a supported OS (see Supported Distributions)

## Getting Started

This baseline is modular: you can adopt all of it or just the parts you need. The sections below go into detail on each component; the recommended order to put them in place is the following. Do the Intune setup first so the policies and scripts are ready before any device enrolls.

1. Prerequisites: make sure everything in the Prerequisites section is in place before you begin.
2. Compliance: in the Intune admin center, upload the discovery scripts and their matching rules files from compliance/, then create the custom compliance policies. Tie these to Conditional Access so only compliant devices reach company resources. See the Compliance section for what each policy checks.
3. Configuration: upload the Bash scripts from configuration/ as platform scripts and assign them to your devices. They apply the hardening and convenience settings and re-apply them on every run, so the device stays in the desired state. See the Configuration section for what each script does.
4. Enrollment: use the autoinstall file in enrollment/ to build the installation media and install the device in a standardized way. This handles disk encryption, base packages, the Microsoft apps and more before the user ever reaches the desktop. See the Enrollment section for the full walkthrough.
5. Sign-in: after installation the Intune Portal app launches automatically. The user signs in and registers the device. Because the policies and scripts are already in place, the device picks them up and starts converging to the baseline right after enrollment. See the Enrollment section for the sign-in steps.

## Basic concept

There are some basic things that need to exist when managing modern devices on any platform:
- A scalable, user-driven enrollment with minimal effort
- A set of security policies that reduce the attack surface
- A compliance state for the device, so Conditional Access can grant access only when the device is compliant
- Some settings that make the work experience more convenient
- Some basic device information in Intune

## Enrollment

Intune offers no native method to prepare a Linux device before the user signs in. There is no Autopilot as there is for Windows, no device sync from a vendor portal as there is with Apple Business Manager, and no way to customize the installation. A user is expected to go through a manual installation process before reaching the desktop and enrolling into Intune.
To fill that gap, this baseline uses Ubuntu's native automated installation (autoinstall) feature and adds some extra steps to it for a smooth installation process.
The feature is driven by a YAML file, which in this baseline does the following:
- Initializes a user account
- Uses an LVM layout with full-disk LUKS encryption and sets a temporary password
- Installs basic packages
- Installs basic Snap packages
- Runs security updates
- Disables telemetry
- Removes LibreOffice, Remmina, and Transmission
- Installs the needed Microsoft packages (Microsoft Edge and the Intune Portal app)
- Prompts the user to change the encryption passphrase after the first sign-in; the temporary passphrase is stored in the autoinstall file and is therefore shared by every device installed from it, so it must not stay in place
➡️ Check the YAML file in enrollment/.
The full step-by-step installation and enrollment walkthrough, with screenshots, is available here:
➡️ Installation Process walkthrough
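One consequence of the autoinstall approach is worth a check of its own: the temporary LUKS passphrase lives in the user-data file, so every device built from that file shares it until the user changes it. The following Bash script is an added example written for this page, not a script from the enrollment/ or compliance/ directories. It is a discovery script for a custom compliance policy (the format is described under Compliance) that reports whether the installer passphrase still opens the root LUKS container, so a device that has not rotated it can be kept away from company resources by Conditional Access. The placeholder passphrase and the setting names are assumptions; because the passphrase is already public in the autoinstall file, embedding it in the script exposes nothing new.

```shell
#!/usr/bin/env bash
# Added example for this page, not a script from the IntuneLinuxBaseline
# repository. Discovery script that reports whether the temporary LUKS
# passphrase from the autoinstall file still unlocks the root container.
# Needs root: cryptsetup opens the block device.
set -u

# Assumption: the temporary passphrase set in the enrollment/ user-data file.
TEMP_PASSPHRASE='changeme-installer'

# Find the LUKS container in `lsblk -rno NAME,FSTYPE` output; prints
# /dev/<name> or nothing when no LUKS container exists. Assumes the first
# LUKS container listed is the one backing the root volume group.
luks_device_from_lsblk() {
    printf '%s\n' "$1" | awk '$2 == "crypto_LUKS" { print "/dev/" $1; exit }'
}

# Exit 0 if the passphrase ($2) opens the device ($1), 2 if cryptsetup
# rejects it (its "no permission" code), another code on any other error.
# --test-passphrase never maps the device; --key-file - takes the passphrase
# verbatim from stdin, so no trailing newline is written.
test_passphrase() {
    printf '%s' "$2" | cryptsetup open --test-passphrase --key-file - "$1" >/dev/null 2>&1
}

# The JSON object Intune compares against the rules file (names assumed).
compliance_json() {
    printf '{"LuksEncrypted":%s,"TempPassphraseRotated":%s}\n' "$1" "$2"
}

# Build the report from lsblk output. Fails closed: only an explicit "wrong
# passphrase" result counts as rotated; a missing cryptsetup, a device error
# or a missing container all report non-compliant.
report() {
    local dev rc=0
    dev=$(luks_device_from_lsblk "$1")
    if [ -z "$dev" ]; then
        compliance_json false false
        return 0
    fi
    test_passphrase "$dev" "$TEMP_PASSPHRASE" || rc=$?
    case $rc in
        2) compliance_json true true ;;    # rejected: the user changed it
        *) compliance_json true false ;;   # still valid, or unknown state
    esac
}

# On a device this JSON line is the only stdout Intune evaluates.
if [ "$(id -u)" -eq 0 ] && command -v lsblk >/dev/null 2>&1; then
    report "$(lsblk -rno NAME,FSTYPE 2>/dev/null)"
fi
```

The matching rules file would carry two Boolean rules with the IsEquals operator and Operand true, one per setting name, with a remediation string telling the user to change the disk passphrase. Treating anything other than an explicit rejection as non-compliant is deliberate: a script that reports "rotated" whenever cryptsetup is missing or the device path is wrong would silently pass exactly the devices it should flag.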

## Compliance

Compliance policies in Intune define the rules and settings a device must meet to be considered "compliant".
Intune evaluates each device against these rules and reports its compliance state, which Conditional Access in Entra ID can then use to allow or block access to company resources.
Because Intune ships only a few built-in compliance settings for Linux, this baseline relies mainly on custom compliance policies.
Custom compliance for Linux in Intune lets you evaluate device settings that aren't covered by Intune's built-in compliance rules. It consists of two parts that work together:
- A discovery script (Bash) – runs on the Linux device, collects the settings you want to check and returns the results as a JSON object.
- A JSON rules file – uploaded in the Intune admin center, defining for each setting name the expected value, the comparison operator and the remediation message shown to the user if the rule fails.
Intune runs the script on the device, compares the returned JSON against the rules file, and marks the device compliant or non-compliant. The result feeds into Conditional Access just like built-in compliance settings.
For Linux we check the following settings:
| Policy | Description | Discovery script | Rules file |
|---|---|---|---|
| Linux - Default - Defender Health | verifies that Microsoft Defender is installed, running, and in a healthy state | defender_health_discovery.sh | defender_health_rule.json |
| Linux - Default - Firewall | verifies that UFW is enabled and its default policy denies inbound traffic | firewall_enabled_discovery.sh | firewall_enabled_rule.json |
| Linux - Default - Secure Boot | verifies that secure boot is enabled | secure_boot_discovery.sh | secure_boot_rule.json |
| Linux - Default - Package Updates | verifies that package updates have been installed in the last 28 days | update_check_discovery.sh | update_check_rule.json |
| Linux - Default - Encryption | verifies that the device's system disk is encrypted using LUKS | built-in policy | built-in policy |
| Linux - Default - Allowed Distributions | verifies that only supported distributions are installed on the targeted devices | built-in policy | built-in policy |
| Linux - Default - Password | verifies that passwords meeting certain criteria are used for the local account on the device | built-in policy | built-in policy |
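To show how the two halves fit together, here is an added example written for this page (not the firewall_enabled_discovery.sh or firewall_enabled_rule.json from compliance/): a discovery script for the UFW check that prints its JSON to stdout, the matching rules file kept as a heredoc in the same file so both can be read side by side, and a local sanity check a practitioner will want before uploading. Every SettingName in the rules file must appear as a key in the script's output, because a key the script never emits makes the device non-compliant with no obvious error. The setting names, the MoreInfoUrl values and the remediation text are assumptions.

```shell
#!/usr/bin/env bash
# Added example for this page, not a script from the IntuneLinuxBaseline
# repository. Discovery script for a custom compliance policy checking UFW,
# with the matching rules file and a local consistency check.
set -u

# Turn the text of `ufw status verbose` into the single JSON line Intune reads
# from stdout. The keys are the SettingName values the rules file refers to
# (names are assumptions for this example).
firewall_json_from_status() {
    local status="$1" enabled=false inbound_denied=false
    if printf '%s\n' "$status" | grep -q '^Status: active$'; then
        enabled=true
    fi
    if printf '%s\n' "$status" | grep -Eq '^Default: (deny|reject) \(incoming\)'; then
        inbound_denied=true
    fi
    printf '{"FirewallEnabled":%s,"InboundDenied":%s}\n' "$enabled" "$inbound_denied"
}

# The rules file uploaded in the admin center (assumed content). Operator and
# DataType use the vocabulary Intune accepts for custom compliance rules.
firewall_rules_json() {
    cat <<'EOF'
{
  "Rules": [
    {
      "SettingName": "FirewallEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/linux-baseline/firewall",
      "RemediationStrings": [
        { "Language": "en_US", "Title": "UFW is not enabled",
          "Description": "Run: sudo ufw enable" }
      ]
    },
    {
      "SettingName": "InboundDenied",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/linux-baseline/firewall",
      "RemediationStrings": [
        { "Language": "en_US", "Title": "Inbound traffic is allowed by default",
          "Description": "Run: sudo ufw default deny incoming" }
      ]
    }
  ]
}
EOF
}

# Local check before uploading: every SettingName in the rules must be a key
# in the discovery output. Returns 1 on the first missing name.
rules_match_output() {
    local output="$1" rules="$2" names name
    names=$(printf '%s\n' "$rules" | grep -o '"SettingName": *"[^"]*"' \
            | sed 's/.*: *"\([^"]*\)"/\1/')
    for name in $names; do
        printf '%s\n' "$output" | grep -q "\"$name\":" || return 1
    done
    return 0
}

# On a device this JSON line is the only output Intune sees; ufw status needs root.
if command -v ufw >/dev/null 2>&1; then
    firewall_json_from_status "$(ufw status verbose 2>/dev/null)"
fi
```

Intune matches each emitted key to the rule with the same SettingName, so rename both sides together; running `rules_match_output "$(firewall_json_from_status "$(sudo ufw status verbose)")" "$(firewall_rules_json)"` on a test device catches a mismatch before it shows up as an unexplained non-compliant fleet.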

## Configuration

Where compliance policies only report whether a device meets the rules, configuration is what actually applies settings to the device. This is where the system is hardened and the convenience tweaks that make the device ready to use are added.
Intune offers no settings catalog or configuration profiles for Linux the way it does for Windows, macOS, iOS or Android. The only mechanism Intune provides to push settings to a Linux device is custom Bash scripts, which Intune calls platform scripts (the admin center also labels them custom scripts or shell scripts). For that reason every configuration in this baseline is delivered as a Bash script.
A platform script in Intune is a Bash script that:
- runs in an execution context you choose when creating the policy, either User or Root
- runs on a recurring schedule defined in Intune, which makes the configuration self-healing: if a setting drifts or a user reverts it, the next run puts it back
- reports a basic success or failure state back to Intune based on the script's exit code (zero is success)
Because the scripts run repeatedly, they are written to be idempotent. Each one checks the current state first and only makes a change when the device isn't already in the desired state, so re-runs are safe and don't produce noise.
For Linux we apply the following configurations:
| Configuration | Description | Script |
|---|---|---|
| Disable Telemetry | opts out of ubuntu-report, disables Whoopsie crash and metrics reporting, and stops the whoopsie service | disable_telemetry.sh |
| Default Browser | sets Microsoft Edge as the default web browser and registers it as the handler for http, https and HTML files | edge_default_browser.sh |
| Managed Favorites | deploys a managed favorites list with predefined websites and enables the favorites bar in Microsoft Edge | edge_managed_favorites.sh |
| Enable Firewall | sets secure default UFW rules (deny incoming, allow outgoing) and enables the firewall | enable_firewall.sh |
| Intune Sync | creates a helper script for the Intune agent and schedules it as a cron job so the device checks in regularly | enable_intune_sync.sh |
| Package Updates | updates the package lists, installs available APT and Snap upgrades, and removes packages that are no longer needed | package_updates.sh |
| Screen Lock | enforces a 5-minute idle screen lock through dconf and locks the values so users cannot change them | screen_lock_idle.sh |
| Device Name | builds a hostname from the device serial number and applies it across the system hostname files | set_device_name.sh |
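To make "idempotent" concrete for a platform script, the following is an added example written for this page, not the repository's screen_lock_idle.sh. It enforces the 5-minute idle lock through a dconf system database and locks the keys so the user cannot change them back in Settings, and it reports how many files it had to touch, which is zero on every run after the first unless something drifted. The directory parameter exists only so the logic can be exercised against a scratch directory; on a device it is /etc and the script runs in the Root context. The file names under dconf/db/local.d are assumptions.

```shell
#!/usr/bin/env bash
# Added example for this page, not the repository's screen_lock_idle.sh.
# Idempotent platform script: enforce a 5-minute idle screen lock via a dconf
# system database and lock the keys so users cannot override them.
set -u

# Any failure to write a file is a real failure: exit non-zero so Intune
# reports the script as failed instead of silently applying half a policy.
die() { printf 'screen-lock: %s\n' "$*" >&2; exit 1; }

# Write $2 to $1 only when the content differs. Returns 0 if it wrote,
# 1 if the file was already in the desired state.
install_if_changed() {
    local path="$1" content="$2"
    if [ -f "$path" ] && [ "$(cat "$path")" = "$content" ]; then
        return 1
    fi
    mkdir -p "$(dirname "$path")" || die "cannot create $(dirname "$path")"
    printf '%s\n' "$content" > "$path" || die "cannot write $path"
    return 0
}

# Apply profile, settings and locks under $1 (/etc on a device). Prints the
# number of files that had to change; 0 means the device was already compliant.
apply_screen_lock() {
    local root="${1:-/etc}" changed=0

    # Make the "local" system database part of every user's dconf profile.
    if install_if_changed "$root/dconf/profile/user" \
'user-db:user
system-db:local'; then changed=$((changed + 1)); fi

    # Desired values: lock after 300 s idle, immediately when the screen blanks.
    if install_if_changed "$root/dconf/db/local.d/00-screen-lock" \
'[org/gnome/desktop/session]
idle-delay=uint32 300

[org/gnome/desktop/screensaver]
lock-enabled=true
lock-delay=uint32 0'; then changed=$((changed + 1)); fi

    # Locks: without these the user can simply change the values back.
    if install_if_changed "$root/dconf/db/local.d/locks/00-screen-lock" \
'/org/gnome/desktop/session/idle-delay
/org/gnome/desktop/screensaver/lock-enabled
/org/gnome/desktop/screensaver/lock-delay'; then changed=$((changed + 1)); fi

    # Recompile the binary database only when a file changed. dconf update
    # reads /etc/dconf/db, so it is skipped for scratch directories.
    if [ "$changed" -gt 0 ] && [ "$root" = /etc ]; then
        dconf update || die "dconf update failed"
    fi
    echo "$changed"
}

# Entry point on a device (Root context); the exit code is what Intune reports.
if [ "$(id -u)" -eq 0 ] && command -v dconf >/dev/null 2>&1; then
    apply_screen_lock /etc >/dev/null
fi
```

Comparing file content rather than checking for the file's existence is what makes the re-runs silent and still self-healing: a file that was edited by hand is rewritten and the database recompiled, while an untouched device produces no writes and no dconf update at all.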

## Contributing

Contributions are what make this project useful for the whole community. All skill levels are welcome!
Ways to contribute:
- Report a bug: Open an issue with details and reproduction steps
- Submit a fix or new policy: Fork, branch, and open a pull request
- Improve documentation: Even small docs fixes are appreciated

## Disclaimer

These baselines are provided as-is and represent community recommendations. They are not official Microsoft guidance. Always review and test policies in a non-production environment before deploying to your organisation. The maintainers are not responsible for any unintended impacts to your environment.

## License

This project is licensed under the MIT License.
➡️ See the LICENSE file for details.
