MDM & GP Tips Blog

Nov 27, 2024

How to Buy a Laptop ... For the Normal Person... in 2025.

This is a yearly re-post and re-edit, originally written in 2009 and updated (irregularly) on an annual basis. What started as advice for close friends has become one of my most popular blog entries. Here’s the fully updated guide for the end of 2024 into 2025.

Tip: Search for "Final Thoughts" to just jump to the END for the TL;DR version / summary / exactly what to do if you're "in a hurry."

Quick Updates for 2024-2025:

  • The rise of ARM machines.

  • What’s the deal with CoPilot, NPUs, and AI chips?

  • My "about face" on Chromebooks—who’s using them in my life?

  • iPads... with a mouse?

  • Jeremy's laptop update: What I’m using in 2024 and where I'm going in 2025.

If you’re an IT geek like me, chances are you’ve been asked, “What kind of laptop should I buy?” more times than you can count.

And if you’re not an IT geek, you’re probably asking this very question to someone who is.

This guide is for both groups.

For the IT Pros:

This question might not seem directly relevant to you, since your organization likely provides you with a laptop. But because you carry one around or have that unmistakable geeky vibe, you’ve likely been cornered with the question, “What kind of laptop should I buy?” more than once.

You might be tempted to say, “Buy a MacBook,” partly to dodge any future support requests since you don’t use one yourself. (Here’s a great example of that problem, courtesy of The Oatmeal.) That said, MacBooks are undeniably fantastic machines. If you want to do serious work on one, you absolutely can. But this guide isn’t about Macs; it’s about how to buy a Windows PC laptop. Macs are great, and if you’re inclined to go that route, more power to you.

For Everyone Else:

Your challenges are significant, too. Ask three IT geeks, and you’ll probably get three different answers.

This guide, “Jeremy’s Guide to Buying a New PC Laptop in 2024-2025,” is what I share with friends, family, and anyone else who asks me for advice. It’s written for the everyday person who wants clear, actionable guidance without the noise.

Seriously, when someone asks me about laptops, I send them a link to this post—and I’m done.

These recommendations should work for about 90% of the people who come to you for advice. Sure, there will be exceptions, but this guide is designed to get most people pointed in the right direction.

Jeremy’s Guide to Buying a new PC-based Laptop in 2025

We’re going to answer some questions here like:

  • Laptop or Ultrabook?
  • What "Chip" should I get in my laptop?
  • Should I opt for a Chromebook instead of a Windows Laptop?
  • Laptop or iPad or Surface (Windows Tablet)?
  • Should I get a $200 Windows laptop?
  • What is / should I get a Microsoft Surface?
  • iPad Pro? Will that work for me?
  • Where can I get good deals?
  • What kind of hardware (and warranty) should I get?
  • Should I get Windows 11 or hunt down a laptop with Windows 10?

Laptop or Ultrabook?

To make sure we all understand the marketing vocabulary you’re likely to encounter as you go to buy a machine:

  • Laptops: You know what a laptop is.
  • Ultrabook: Just like a laptop, but thinner and lighter.

Most people want a laptop. They’re mid-priced, mid-weight, and have a full-sized keyboard.

If you pay a little more, you can get an Ultrabook, which is just like a laptop, except lighter. It sometimes has fewer ports, so you have to drag around a dongle to add them back.

I think there are a ton of great options out there where you don’t have to buy a HEAVY laptop or an EXPENSIVE Ultrabook.

Said another way, you can get a great laptop that approaches the weight of an Ultrabook at a “laptop cost.”

Non-Windows tablets (iPad, Android, Chromebooks)

Before diving into laptops, let’s take a quick detour to discuss your potential “second” device.

You might be wondering, “Do I even need a laptop? Maybe an iPad, iPad Pro, or Chromebook would work just as well?” Or perhaps you’ve heard of the Microsoft Surface and want to know where it fits in.

Here’s the bottom line: nothing beats a laptop for ACTUAL WORK.

iPads: Almost There, but Not Quite

The iPad can be pushed into doing actual work, but it’s not designed for it. Apple offers a range of iPads—the standard iPad, the iPad Mini, and the jumbo iPad Pro, which is essentially just a really big iPad with a pen. These devices have specialized apps that can mimic work functionality, but ultimately, they’re not a replacement for a laptop.

That said, I’ve found some surprising utility in using my iPad Mini for light tasks. On a recent trip, I paired it with a $15 Bluetooth travel mouse, and it was a game-changer. Websites that previously felt clunky on an iPad suddenly worked beautifully. Now, when I travel, I often bring only my iPad Mini, a Bluetooth keyboard, and that mouse—it’s “good enough” for about 90% of what I need.

But let’s be real: I’m not writing this guide on an iPad. Creating documents, delivering presentations, or building spreadsheets is technically possible on an iPad, but the experience pales compared to a laptop or desktop. Even with a Bluetooth keyboard, the software and overall workflow aren’t as smooth.

Verdict:

  • If you need a device for real work and want a travel machine that will last for years, go with a laptop.
  • If you’re lounging on a beach, bus, or couch and want to read, game, surf, or stream Netflix—occasionally handling business websites—a Bluetooth-equipped iPad might suffice.

Android Tablets and Chromebooks: Where Do They Fit?

Some people can and do use a Google Chromebook as their “daily driver” for all things. In 2024, I got on board: Chromebooks became part of my family. One was provided by a school for educational use, and the other I gave to my parents. Here’s why:

Chromebooks in Schools:
Chromebooks are perfect for K-12 environments. They run Google apps, store almost everything in the cloud, and are virtually disposable in terms of hardware—if one breaks, there’s no local data to lose. Schools love them for their simplicity, cost-effectiveness, and “it just works” factor.

Chromebooks for My Parents:

For my parents, it took a few hours: I put all their stuff in Google land and gave them the Chromebook. There was much kicking and screaming along the lines of "This can't possibly work," "I don't know how printing or scanning will work," and "I can't live without Microsoft Word" ... but 8 months into this experiment, I've had zero tech support calls and it "just totally works" for their (modest) situation.

The Chromebook has proven itself as ideal: Documents are stored and shared in Google Workspace, and I can step in remotely if necessary.

While my parents don’t use Android apps, it’s good to know the capability exists to install them if needed. Chromebooks may not work for my daily needs, but for them, it was exactly the right solution.

My Take on Chromebooks Summary:
If you can manage your tasks on a Chromebook for six months, give it a shot. You might find you don’t need a Windows laptop at all, avoiding the constant upgrade treadmill. This path isn’t for me, but for the right person, it’s an excellent option.

I know: Shocker. Again, this route ISN'T for me, but for my parents, it was EXACTLY what the doctor ordered.

Okay, now that we’ve covered tablets and Chromebooks, let’s get back to Windows laptops.

Back to laptops.. Windows Laptops.

Which laptop brand should I get?

Before diving into whether you should try hard to get Windows 10 on your laptop (we’ll get to that soon), let’s address the broader question: Which laptop brand should you buy?

Here’s the reality: All laptops are basically the same.

I know, it’s a bold statement, but hear me out. Much like cars, 99% of the “guts” in laptops are nearly identical. The differences between them mostly come down to features like:

  • The number or type of ports (USB 3.0, USB-C, etc.).
  • Whether it has one or two video chips (let’s not even go there).
  • Keyboard styles: does it twist or snap off to become a tablet, or is it just a plain laptop?
  • Speed differences: some are a little faster, some a little slower.
  • Weight: some are heavier, others lighter.
  • Screen sizes: from 14" to 16", there’s a range.
  • 10-key pad: some laptops have it, some don’t.
  • Power supplies: large, heavy ones versus compact travel-friendly options.
  • Touchscreens: available on some models, not on others.

But again, 99% of laptops running Windows are fundamentally the same in terms of what they can do. That’s great news for most users because it means you can’t really go wrong with a new laptop.

My #1 Buying Tip: Understand the Warranty

Since laptops are so similar, the real difference comes down to support. A good warranty can make or break your ownership experience. (We’ll dive deeper into warranties in the next section.)

Where to Find the Best Deals

Here are my top recommendations for buying a new laptop:

  1. New Dell Inspiron Laptops

    • They’re affordable, reliable, and fast, and Dell offers excellent warranties (more on this shortly).
    • Inspiron laptops are "perfectly reasonable" for the average person. Like Goldilocks, not too much, not too little. Basically "just right."
    • Make sure you select a model with a Solid-State Drive (SSD)—I can’t emphasize this enough. Avoid drives with moving parts; they’re outdated. Good news: it’s hard to find a laptop without an SSD anymore in 2024 / 2025.
  2. Dell Factory Outlet: https://www.dell.com/en-us/dfh/lp/outlet

    • Think of this as Dell’s “island of lost toys.” Most items here are lightly used returns, often from customers who decided they couldn’t afford the purchase.
    • Everything comes with Dell’s original warranty, so you’re protected. I’ve personally purchased four laptops from the Outlet, and it’s been a win every time.
  3. Online Retailers: NewEgg, Backmarket, and others

    • These sites offer great deals, including new, off-lease, or market closeouts.
    • While the prices are tempting, warranties can be hit or miss. Many items are covered by the manufacturer’s warranty only, so you’ll need to research each deal carefully. Don’t expect much after-sales support from the retailer.
  4. Retail Stores: Best Buy, Office Depot, Staples, etc.

    • Even with an enticing warranty or a killer deal, I can’t recommend these stores for laptops.
    • Why? These places are often staffed by undertrained employees, and turnover is high. Can you trust them to help with a problem 1.5 years down the line?
  5. Other Online Deal Sites: Woot, Buy.com, etc.

    • Like NewEgg, these sites often offer manufacturers’ warranties only, which can range from 30 to 90 days. That’s not ideal for most buyers.

Understanding the warranty (the most important part of your laptop)

Let’s take a moment to talk about Dell laptops and why I’ve historically been a big fan. (Stick with me to the end, though—I’ll explain why I personally use Lenovo now. Trust me, it’ll make sense.)

The simple reason I’ve recommended Dell laptops for years is that Dell’s warranty structure is easy to understand—even for my “pea-brain.”

Here’s how it works:

  1. Default Warranty (1 Year):
    If something fails (e.g., power supply, screen goes blank, USB port dies), you call Dell, and they’ll attempt to fix the issue over the phone.

    • For user-replaceable parts (e.g., battery, mouse, removable DVD drive), they’ll ship the part to you with a pre-paid box for the return. You handle the swap yourself.
    • For non-user-replaceable parts (e.g., screen, motherboard), they’ll ship the part overnight to a regional repair center. Once it arrives, the center will call you to schedule a repair.
  2. Upgraded Warranty (3 Years On-Site):
    For an additional cost, Dell offers a three-year on-site repair option—they’ll send a technician to you.

  3. Accidental Damage Coverage:
    For an extra fee, Dell offers insurance for mishaps like spilling coffee on your laptop, dropping it on a marble floor, or even submerging it in water.

The Reality of Warranty Timelines

Dell’s warranty is excellent, but it doesn’t mean your laptop will be fixed within 24 hours. Here’s how it typically works:

  • If you call after 2:00 PM, they might miss the day’s shipping cutoff. In that case, your replacement part will ship the next business day.
  • Once the part arrives at the repair center, they’ll call you to schedule a repair, which could take another 24 hours.

So, the process begins immediately, but repairs usually take 24 hours after the part reaches the repair center.

Because I understand and can explain this process, I’ve confidently recommended Dell to many “Joe and Jane users” over the years. Dell’s straightforward warranty is the “devil I know,” and I trust it to deliver reliable service.

Why Warranty Matters

I cannot stress this enough: Understanding your laptop’s warranty is the single most important factor when choosing a laptop.

While I’ve outlined Dell’s warranty structure here, feel free to investigate other manufacturers’ warranties. Just make sure you understand the terms before you buy. For me, Dell’s warranty is reliable, transparent, and easy to explain, which is why I usually recommend their laptops to everyday users.

“How much laptop do I, a regular person, need?”

If your daily tasks include things like surfing the web, using Facebook, Microsoft Office, Google Docs, Gmail, Hotmail, Office 365, Netflix, Skype, or similar, you have what I call “modest needs.”

Again: if this is "all you do," maybe a laptop is "too much," and you should instead consider a Chromebook. It handles all of that stuff without the "Windows burden" and added complexity of a full Windows machine.

But if you’re running high-powered software—like Quark, World of Warcraft, Final Cut, Movie Maker, VMware Workstation, Hyper-V, AutoCAD, Camtasia Studio, or Mathematica—you’ll need something more robust.

Now, before we get into this, there’s a handful of... holy cow... NEW $200 full Windows laptops out there. (Here’s an older Wall Street Journal entry on them. And here’s a LaptopMag.com article from 2017 on sub-$200 laptops.) And here's an article for 2018 from Best Laptops World for computers under $200. But … they FAIL the “sniff test.” Read the article, then also read my discussion on Chip Type... right here.

So, here’s my answer for your “modest needs” person.

CPU Chip type and speed:

Here’s the dirty little secret the laptop manufacturers don’t want you to know: for most users, the CPU type almost doesn’t matter. Or said another way, you almost cannot go wrong. That said, here are my recommendations:

Intel Core Chips (i3, i5, i7, i9):

  • Best Bang for Your Buck: The Intel i5 is usually the sweet spot for performance and cost.
  • Upgrade Option: If your budget allows, go for an i7. Even at its lowest speed, it offers solid performance and is often worth the extra cost.
  • Overkill: The i9 is powerful but unnecessary for most users unless you’re a heavy-duty power user or gamer. Power supplies you have to lug around for i9 are also typically much heavier.

Avoid These Chips:

  • Intel Celeron: Avoid at all costs. These processors are underpowered and often found in $200 budget laptops that fail to deliver a good user experience.
  • Intel Atom: While these offer excellent battery life, they’re significantly slower than the Core series. Just totally avoid.

Snapdragon / ARM Laptops

There's a new choice on the block ... a chip called ARM Snapdragon X. If this word sounds familiar to you, it's because many phones use Snapdragon processors. They are very low power, which means you get pretty insane battery life. Snapdragon laptops are closer to Atom processors than they are to Intel i3/i5/i7s. This is because all the software you're running has to convert everything from "Intel speak to Snapdragon speak."

They are considered "always on, always connected." So even if you close the lid, they don't really go to sleep... they just "sip" power and will be ready to rock when you re-open the lid. (Like an iPad works.)

The good news is that, by all accounts, Snapdragon PCs are pretty nifty. If you use your PC like I use my iPad... for checking web stuff, surfing, Skyping, etc. etc.... then a Snapdragon PC is a pretty good choice. There is a tradeoff: you sacrifice a bit of speed, but you get the really big advantage of outrageous near all-day battery life. Sometimes up to like 21 hours.

Depending on what you do with your PC, this could be an excellent "daily driver." See this Forbes review of a Lenovo Snapdragon PC from 2024.

The problem with Snapdragon machines is that there's always going to be some level of IN-compatibility with SOME software. Mostly games. Here's the gist in this article. But there could also be some other application that YOU NEED that JUST WON'T FRICKIN' WORK on ARM machines. Here's an unofficial list.

Typically, low-level software like security software, VPN software, and/or other things that require drivers need special ARM versions. Most apps will work just fine, but you never know until you need "Application ABC" and it just falls over and dies on ARM, when it would have worked fine on a normal x64 laptop.

I do think for MOST PEOPLE an ARM laptop might be just the right thing though and you should consider it in your searches. Here's a single page which links to all vendors with Snapdragon laptops. If I had to pick one in a hurry, I'd likely go with this beauty. I'm pretty sure this will be my next "traveling PC" I get. But, if you like Dell and their warranty, here's a list of those.

What's the deal with CoPilot (and NPU chips)

Additionally, just to make this more complicated, there's a whole new category of machines which contain NPU chips ... Neural Processing Unit chips. Sounds like what the Terminator had in his head, and maybe it's not too far off, honestly. NPUs are chips which accelerate AI processing on your computer. So when you make a ChatGPT request, like "Draw two ferrets at the county fair," all that stuff happens on the ChatGPT website... and out pops a picture that you download.

But with an NPU chip ON your computer, your computer is able to take on some of this workload locally. This makes sense if your application supports it. Right now, this is in early, early days. There are a few things in Windows 11 that take advantage of this, including Windows 11's new Recall feature. Recall lets you look backward at your work and locate stuff you did on-screen yesterday or last week. Demo example here.

As we head into 2025, there's like a small handful of apps which use the NPU chip, and here they are. If you don't get a machine with an NPU chip, you will be just fine as a "normal person." You won't miss it.

Gamer Laptops

Avoid “gamer” laptops unless gaming is your main priority. They’re expensive, have poor battery life, and often come with bulky power supplies. For everyday tasks, they don’t offer noticeable speed improvements.

RAM:

  • Minimum: Get at least 16GB of RAM. This is the new baseline for modern laptops.
  • Recommended: If your budget allows, consider 32GB for better multitasking and future-proofing.

Video card / chip:

Unless you’re playing graphically intensive games, the video card doesn’t matter much. Apps like Netflix, Hulu, and Minecraft run just fine on integrated graphics. Avoid laptops with multiple video chips—they add complexity without meaningful benefits for most users.

Screen Size / Resolution & Touch:

Look for something with WXGA or WXGA+ resolution. This can mean 1280×720 and up, which is decent on a laptop.

In a total surprise, I find Microsoft Surface laptops to have "too much" resolution and too insane on my eyes. I'm over 40, and.. well, that means my eyes are just so-so. I would test-drive any laptop and make sure the resolution works for you. Of course this is adjustable in software / Windows... but sometimes Windows looks lousy when not at the uppermost maximum resolution.

Some laptops don’t have touch screens. I still don't personally own any touch-screen laptops. I don't like to touch my monitor, but you might.

Wireless Networking support:

All laptops have built-in Wireless cards. You don’t have to get all worried if you don’t have the fastest wireless card.

No matter what new laptop you get, you'll be fine. The fastest is a thing called "Wifi 7," but I think only a handful of laptop manufacturers build Wifi 7 chips into their notebooks (Asus being one of them). It's not needed for most regular humans. And you likely don't have a Wifi 7 router, so... "who cares." Whatever you get here is fine.

Picking the OS: Windows 11 or 10.

Let’s cut to the chase: It’s nearly impossible to buy a new laptop without Windows 11.

And honestly, that’s fine—there’s no compelling reason to stick with Windows 10. It’s approaching End of Life status, meaning support and updates will soon dwindle.

Even if you’re not a fan of Windows 11’s new look and feel, my advice is simple: get used to it. I did, and it’s not as bad as you might think. There's even software you can get to make it look and quack like Windows 10 or even Windows 7 if you wanted, like Stardock.

Windows Pro vs. Home: Does It Matter?

Not really. Both versions now support full disk encryption, which is the one feature I care about the most. So, whether you choose Pro or Home, you’re covered. There’s no need to stress about this decision. And since you're buying this laptop for yourself, you don't need Pro which is more suited for domain-joined corporate environments.

Example Buys for 2024 / 2025:

For the best price-to-performance ratio, your top choice is likely the Dell Factory Outlet.

I found plenty of excellent options under $600. Here’s one example available at the time of writing:

  • Processor: Intel i7 Gen 12
  • Operating System: Windows 11 Pro
  • Storage: 512GB Solid-State Drive (SSD)
  • Memory: 16GB DDR4 RAM
  • Display: 15.6" FHD (1920 x 1080), non-touch
  • Graphics: Intel HD Graphics
  • Model: Dell Outlet Inspiron 15 - 3520
  • Total Price: $510 (as of Nov 27, 2024)

Are these the lightest, fastest, or fanciest laptops on the market? Absolutely not. But for most users, these laptops—combined with the warranty options explained earlier—are more than sufficient for everyday tasks.

Looking at ARM Machines

If the ARM architecture interests you (see above for its pros and cons), here’s my top pick, the Lenovo Yoga Slim 7x:

  • Model: Lenovo Yoga Slim 7x
  • Processor: Snapdragon® X Elite X1E-78-100 (3.40 GHz)
  • Operating System: Windows 11 Home 64 (ARM)
  • Graphics: Integrated Qualcomm® Adreno™ GPU (again ... this doesn't matter at all.)
  • Memory: 16GB LPDDR5X-8448MHz (Soldered)
  • Storage: 1TB SSD M.2 2242 PCIe Gen4 TLC
  • Display: 14.5" 3K (2944 x 1840)
  • Total Price: $999.00 (as of Nov 27, 2024)

This machine offers incredible battery life and solid performance for typical day-to-day use. However, remember the potential compatibility issues outlined earlier when considering ARM machines.

So, after this: everything else... everything else... is just bells and whistles when it comes to laptops.

You could argue that touch is becoming more and more important. So, if you want touch, then… get one with touch. :-) Again: I have two "daily driver" Windows PC laptops, neither has touch, and I don't miss it, not even a little bit.

What kind of laptop do you own, Jeremy? (Here comes a little geekier stuff.)

Some of you might be wondering: What kind of laptop does Jeremy use? Well, here’s the answer—and fair warning, this gets a little geeky.

My main machine is a Lenovo P1 Core i9 (10th generation) from 2020. It’s equipped with:

  • i9 Processor
  • 4TB of storage spread across two SSDs.
  • 32GB of RAM.
  • Windows 11
  • A hefty build with a beefy power supply.
  • It’s typically docked, like 90% of its life, and travels with me like 10% of its life.

It’s big, heavy, and built for power. Why? Because I’m not a regular user.

I do live demos in front of thousands of people, and my laptop has to perform flawlessly. For me, speed and reliability trump portability.

My "Everyday" Laptop: Lenovo X1 Carbon (9th generation), also from 2020. It's got:

  • i7 processor
  • 16GB of RAM.
  • 1TB SSD.

This laptop is light, portable (as is the power supply), and has pretty good battery life (though I did just change the battery out myself this year). It’s perfect for:

  • Carrying around the house.
  • Quick trips where I’m not presenting complex demos (just PowerPoints, for example).

It handles 98% of my needs and represents what I’d recommend for a “mere mortal” machine.

Looking Ahead: Lenovo Yoga ARM

I’m considering upgrading my secondary laptop to the Lenovo Yoga ARM machine I mentioned earlier. It has incredible battery life and should be a great fit for my lighter use cases—but I haven’t pulled the trigger just yet.

Why Not Dell?

Good question! I know I’ve mentioned Dell about 80 times in this article, and I absolutely recommend it for most people.

However, I personally prefer Lenovo for its build quality. Over the years, I’ve owned several Lenovo laptops, and here’s the kicker:

  • I’ve never needed the warranty.
  • I’ve never had a dead pixel, fried USB port, or malfunctioning keyboard. Not once.

My Needs vs. Yours

To be clear, my setup is not recommended for regular users. My work involves hardcore demos, so I need:

  • 32GB of RAM.
  • Extremely fast storage.
  • Extremely fast processing.
  • A laptop that can handle demanding workloads.
  • A laptop that runs specialized applications (VMware Workstation and Camtasia 2024 mostly.)

But if you’re intrigued by Lenovo and willing to check out their warranty options, go for it. Just remember, your needs may differ significantly from mine!

Final Thoughts (and if you read nothing else…)

If you’re overwhelmed by the details, here’s the TL;DR version:

  1. For Most People:

    • Stick with a Dell laptop from the Dell Factory Outlet for the best price-to-performance ratio. Look for a machine with 16GB of RAM, an i5 or i7 processor, and an SSD.
    • For lighter needs, consider a Chromebook, especially if most of your work is web-based.
  2. Avoid These Pitfalls:

    • Don’t buy laptops with Intel Celeron or Atom processors—they’re too slow.
    • Skip gamer laptops unless you’re gaming; they’re heavy, overpriced for everyday use, and have poor battery life.
  3. Windows 11:

    • Don’t fight it—Windows 10 is nearing End of Life.
    • Windows Home vs. Pro? It doesn’t matter for most users anymore.
  4. If You Want ARM:

    • ARM laptops, like the Lenovo Yoga Slim 7x, offer insane battery life but may face app compatibility issues. They’re great for light, portable use.
  5. Key Features to Focus On:

    • 16GB RAM is the new standard.
    • Stick with integrated graphics unless you’re gaming. (Don't buy laptops with multiple graphics chips.)
    • Choose a screen resolution that’s comfortable for your eyes—test it out in person if possible or make sure you can return it easily.
  6. Touchscreens:

    • Nice to have, but not essential. If you like them, get one. If not, don’t worry about it.
  7. The Warranty is Key:

    • The warranty can make or break your experience. Understand what you’re getting and consider extended or accidental damage coverage.
  8. What Jeremy Uses:

    • I recommend Dell for most people, but I personally use Lenovo for its build quality and reliability.

At the end of the day, buy what suits your needs. Whether it’s a laptop, a Chromebook, or even an ARM machine, make an informed choice—and don’t stress too much. Most modern laptops are good enough for the average user.

Hope this guide helps you and your friends out.

– Signed, your friendly neighborhood Jeremy Moskowitz, Enterprise Mobility MVP

Oct 21, 2024

6 Essential One Drive Settings in Intune and Group Policy

There are a few key items you'll likely want to tune in OneDrive settings before setting it loose in your environment. Microsoft gives you the ability to manage OneDrive settings in both Group Policy and Intune. Those settings are: Prompt users when they delete multiple OneDrive files on their local computer, Warn users who are low on disk space, Silently sign in users to the OneDrive sync app with their Windows credentials, Silently move Windows known folders to OneDrive, Use OneDrive Files On-Demand, and Coauthor and share in Office desktop apps (User).

To configure OneDrive settings using the Microsoft Intune Admin Center, navigate to Devices > Configuration > Create New Policy. When creating the policy, select "Windows 10 and later" as the Platform and "Settings catalog" as the Profile type. After naming the policy, type "OneDrive" into the Settings picker and select the OneDrive options. You can then choose which of the settings you want to include in the policy as shown in the screenshot below. In this example, I have chosen six settings that serve important functions in OneDrive.

  1. Prompt users when they delete multiple OneDrive files on their local computer

This is a data protection feature designed to prevent unintended bulk file deletions in OneDrive. When enabled, this setting triggers a warning prompt if a user attempts to delete multiple OneDrive files simultaneously. If a user tries to delete more files at once than the configured threshold, they will see a pop-up message asking them to confirm the deletion. The threshold that triggers the prompt is configurable, as shown in the screenshot below.

  2. Warn users who are low on disk space

This setting monitors the local disk space on a user's device to prevent them from unexpectedly running out of storage, which could impact their ability to sync OneDrive files. It includes a configurable threshold, specified in GB, that triggers a warning notification to users when their available disk space falls below this level, as shown below:

  3. Silently sign in users to the OneDrive sync app with their Windows credentials

When enabled, this setting automatically authenticates users with their existing Windows login information to ensure a seamless Single Sign-On (SSO) experience, thus eliminating the need for manual credential entry.

  4. Silently move Windows known folders to OneDrive

When enabled, this setting automatically redirects a user’s Windows known folders (such as Documents, Pictures, and Desktop) to OneDrive without user intervention. Moving the contents of these folders to OneDrive ensures that important files are automatically backed up to the cloud. Once enabled, you must provide your tenant ID as shown below.

  5. Use OneDrive Files On-Demand

When enabled, this setting allows users to see and interact with all their OneDrive files in File Explorer without downloading them all to their device. Files are downloaded only when opened, which saves local disk space. Users can choose to make specific files or folders always available offline.

  6. Coauthor and share in Office desktop apps (User)

When enabled, this setting allows users to work on the same document simultaneously with colleagues, editing it and seeing each other’s changes in real time.

Using Group Policy

You can also manage these settings using Group Policy.  Five of the above settings are from the computer side. Navigate to Computer Configuration > Administrative Templates > OneDrive and enable any of the five settings shown in the screenshot below. Here, I have highlighted the “Prompt users when they delete multiple OneDrive files on their local computer” setting.

The remaining setting, "Coauthor and share in Office desktop apps (User)", is a user-side setting. Navigate to User Configuration > Administrative Templates > OneDrive and enable it as shown in the screenshot below.
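
Whether you deliver these six settings by GPO or by Intune Administrative Templates, the OneDrive ADMX-backed policies land in the same policy registry keys on the device, which makes them easy to audit. The script below is an added example, not code from the original post; it reads those keys and reports each setting's compliance. The tenant ID is a placeholder you must replace.

```powershell
# Added example, not code from the original post: audit the six OneDrive
# settings above on a device. The OneDrive ADMX-backed settings write to the
# same policy registry keys whether they arrive via GPO or Intune Administrative
# Templates, so one script checks both deployment paths.
# $ExpectedTenantId is a placeholder (assumption): replace it with your tenant GUID.

$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'

$MachinePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$UserPolicy    = 'HKCU:\SOFTWARE\Policies\Microsoft\OneDrive'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, instead of an exception
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-OneDrivePolicy {
    param([string]$TenantId = $ExpectedTenantId)

    if ($TenantId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
        throw "TenantId must be a GUID, got '$TenantId'"
    }

    # One entry per ADMX setting: where it lands in the registry and what "compliant" means
    $checks = @(
        @{ Setting = 'Prompt users when they delete multiple OneDrive files'
           Path = $MachinePolicy; Value = 'LocalMassDeleteFileDeleteThreshold'
           Test = { param($v) $v -gt 0 } }
        @{ Setting = 'Warn users who are low on disk space'
           Path = $MachinePolicy; Value = 'WarningMinDiskSpaceLimitInMB'
           Test = { param($v) $v -gt 0 } }
        @{ Setting = 'Silently sign in users with their Windows credentials'
           Path = $MachinePolicy; Value = 'SilentAccountConfig'
           Test = { param($v) $v -eq 1 } }
        @{ Setting = 'Silently move Windows known folders to OneDrive'
           Path = $MachinePolicy; Value = 'KFMSilentOptIn'
           # Must be *your* tenant: a foreign GUID here would redirect users'
           # Desktop, Documents and Pictures into someone else's tenant.
           Test = { param($v) $v -eq $TenantId } }
        @{ Setting = 'Use OneDrive Files On-Demand'
           Path = $MachinePolicy; Value = 'FilesOnDemandEnabled'
           Test = { param($v) $v -eq 1 } }
        @{ Setting = 'Coauthor and share in Office desktop apps (User)'
           Path = $UserPolicy; Value = 'EnableAllOcsiClients'
           Test = { param($v) $v -eq 1 } }
    )

    foreach ($c in $checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Value
        [pscustomobject]@{
            Setting   = $c.Setting
            Registry  = "$($c.Path)\$($c.Value)"
            Actual    = $actual
            Compliant = ($null -ne $actual) -and [bool](& $c.Test $actual)
        }
    }
}

Test-OneDrivePolicy | Format-Table -AutoSize
```

Run it in the user's own session (not an elevated admin session) so the HKCU check reflects the user the policy targets, and run it after a gpupdate or Intune sync so you are looking at the applied state rather than the intended one.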


Oct 2024
07

How to Disable Windows Shortcut Keystrokes using Group Policy and Intune

Windows shortcut keys are predefined keyboard combinations that let users perform tasks and navigate the system quickly, usually faster than with a mouse or touchpad. The catch on a locked-down machine is that a hotkey such as Win+R (Run), Win+X (power-user menu) or Win+E (File Explorer) can reach functions that your restricted shell or hidden menus were supposed to keep out of reach. On kiosks, shared PCs and similarly restricted devices it can therefore be worthwhile to disable Windows hotkeys altogether. You can do this using either Group Policy or Intune.

Disabling Windows Shortcut Keys using Group Policy

To disable Windows shortcut keystrokes with Group Policy, create a GPO in the Group Policy Management Console, then edit it and navigate to User Configuration > Administrative Templates > Windows Components > File Explorer and enable the policy setting "Turn off Windows Key hotkeys" as shown in the screenshot below. This is a user-side setting, so it follows the user rather than the computer.

Then link the GPO to the OU that contains the applicable users, or use security filtering to scope it to a group.

Disabling Windows Shortcut Keys using Intune

You can achieve the same result in the Microsoft Intune Admin Center. Navigate to Devices > Configuration profiles and click Create profile. Select Windows 10 and later as the platform and choose the Custom template. Enter a name for the profile and add the following OMA-URI setting:

  • Name: Enter a name for the setting.
  • Description: Provide a description (optional).
  • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/KeyboardFilter/Enable
  • Data type: Select Integer.
  • Value: Enter 1 to enable Keyboard Filter.

Then assign the policy to the designated users or groups and save it.

Note that this is a different mechanism from the Group Policy setting above. Keyboard Filter is an optional Windows feature (Client-KeyboardFilter, available on Enterprise and Education editions) that must be installed on the device before the setting does anything, and enabling the filter by itself does not block any keys: the combinations to block are configured separately as its WEKF_PredefinedKey and WEKF_CustomKey rules. After the profile applies, confirm on a test device that the combinations you care about are actually swallowed.
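
To verify either approach on a device, the script below (an added example, not code from the original post) checks the registry value the GPO writes and, where the Keyboard Filter feature is installed, lists and sets the predefined key rules. The set of combinations it blocks is an assumption chosen for a kiosk; adjust it to your own requirements.

```powershell
# Added example, not code from the original post. Two checks for the two
# mechanisms above, which are not the same thing:
#  1. The GPO "Turn off Windows Key hotkeys" writes NoWinKeys=1 under the
#     per-user Explorer policy key.
#  2. Keyboard Filter is an optional Windows feature (Client-KeyboardFilter) that
#     exposes the WEKF_* WMI classes in root\standardcimv2\embedded. Enabling it
#     blocks nothing by itself; each combination is a WEKF_PredefinedKey rule.
# The list of combinations in Set-KeyboardFilterBlockedKeys is an assumption.

function Test-WinKeyHotkeysDisabled {
    $path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = try { (Get-ItemProperty -Path $path -Name NoWinKeys -ErrorAction Stop).NoWinKeys } catch { $null }
    [pscustomobject]@{ Policy = 'Turn off Windows Key hotkeys'; NoWinKeys = $value; Applied = ($value -eq 1) }
}

function Get-KeyboardFilterState {
    # Requires elevation; the feature must be Enabled before the WEKF_* classes exist
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Client-KeyboardFilter -ErrorAction SilentlyContinue
    $rules   = if ($feature -and $feature.State -eq 'Enabled') {
        Get-CimInstance -Namespace root\standardcimv2\embedded -ClassName WEKF_PredefinedKey |
            Where-Object Enabled | Select-Object -ExpandProperty Id
    }
    [pscustomobject]@{
        FeatureState = if ($feature) { $feature.State } else { 'NotAvailable' }
        BlockedKeys  = @($rules)
    }
}

function Set-KeyboardFilterBlockedKeys {
    # Assumed kiosk set: Run box, power-user menu, Start menu, task switching
    param([string[]]$Keys = @('Win+R', 'Win+X', 'Ctrl+Esc', 'Alt+Tab'))
    $rules = Get-CimInstance -Namespace root\standardcimv2\embedded -ClassName WEKF_PredefinedKey -ErrorAction Stop
    foreach ($k in $Keys) {
        $rule = $rules | Where-Object Id -eq $k
        if (-not $rule) { Write-Warning "No predefined Keyboard Filter rule named '$k'"; continue }
        Set-CimInstance -InputObject $rule -Property @{ Enabled = $true }   # the filter now swallows this combination
    }
    (Get-KeyboardFilterState).BlockedKeys
}

Test-WinKeyHotkeysDisabled
Get-KeyboardFilterState
# Set-KeyboardFilterBlockedKeys    # uncomment on a test device; needs admin and the feature installed
```

Run the first function as the targeted user and the other two elevated. If FeatureState comes back NotAvailable, the OMA-URI profile above has nothing to act on until the feature is installed.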

Sep 2024
30

Customizing Windows Settings Visibility with Intune

You can create a "Settings Page Visibility List" policy that shows only specific pages in the Settings app. The key is the "showonly:" prefix in the custom OMA-URI value (the alternative prefix, "hide:", does the inverse and hides only the pages you list). In this example I will keep only the following pages visible:

  • bluetooth: Bluetooth settings
  • camera: Camera settings
  • about: System information
  • sound: Sound settings
  • easeofaccess-audio: Ease of Access audio settings
  • windowsupdate-action: Windows Update actions
  • sound-devices: Sound devices settings
  • apps-volume: App volume and device preferences
  • easeofaccess-visualeffects: Ease of Access visual effects
  • appsfeatures-app: Apps & features
  • installed-apps: Installed apps list
  • privacy-webcam: Privacy settings for webcam

Using the Microsoft Intune Admin Center, navigate to Devices > Configuration > Create > New Policy. Select Windows 10 and later as the Platform and Custom as the Profile type. Name the policy and click Add to configure the OMA-URI settings as shown below.

The OMA-URI path is:

./Device/Vendor/MSFT/Policy/Config/Settings/PageVisibilityList

Choose String as the Data Type. The string will include the following:

Value: showonly:bluetooth;camera;about;sound;easeofaccess-audio;windowsupdate-action;sound-devices;apps-volume;easeofaccess-visualeffects;appsfeatures-app;installed-apps;privacy-webcam

When completed the OMA-URI settings will look something like this:

Then assign the designated groups to the policy and save. Bear in mind that this is a usability restriction rather than a security boundary: it removes pages from the Settings app, but a setting the user is otherwise permitted to change remains reachable through Control Panel, PowerShell or the registry unless you restrict those as well.
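
A typo in the long semicolon-separated value silently hides a page you meant to keep, and nothing in the portal warns you. The script below is an added example, not code from the original post: it builds the value from a list, rejects malformed or duplicate page names, and reads back what the device actually applied. The GPO read-back path is the documented SettingsPageVisibility value; the PolicyManager path is my assumption about where the Policy CSP stores this setting.

```powershell
# Added example, not code from the original post: build the PageVisibilityList
# value from a list of ms-settings page names, refuse typos and duplicates that
# would silently hide the wrong pages, and read back what the device applied.
# The PolicyManager registry path used for read-back is an assumption about
# where the Policy CSP stores the setting; the GPO path is the documented
# SettingsPageVisibility value.

function New-PageVisibilityList {
    param(
        [Parameter(Mandatory)][string[]]$Pages,
        [ValidateSet('showonly', 'hide')][string]$Mode = 'showonly'
    )
    # Page names are the part after "ms-settings:": lower-case letters, digits and hyphens
    foreach ($p in $Pages) {
        if ($p -cnotmatch '^[a-z0-9-]+$') { throw "Invalid page name '$p'" }
    }
    $dups = $Pages | Group-Object | Where-Object Count -gt 1 | ForEach-Object Name
    if ($dups) { throw "Duplicate page names: $($dups -join ', ')" }
    "${Mode}:" + ($Pages -join ';')
}

function Get-AppliedPageVisibilityList {
    $locations = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'SettingsPageVisibility' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Settings';    Name = 'PageVisibilityList' }
    )
    foreach ($loc in $locations) {
        $v = try { (Get-ItemProperty -Path $loc.Path -Name $loc.Name -ErrorAction Stop).($loc.Name) } catch { $null }
        [pscustomobject]@{ Source = $loc.Path; Value = $v }
    }
}

$pages = 'bluetooth', 'camera', 'about', 'sound', 'easeofaccess-audio', 'windowsupdate-action',
         'sound-devices', 'apps-volume', 'easeofaccess-visualeffects', 'appsfeatures-app',
         'installed-apps', 'privacy-webcam'

$value = New-PageVisibilityList -Pages $pages   # paste this into the OMA-URI Value field
$value
Get-AppliedPageVisibilityList
```

Switching `-Mode hide` produces the inverse list for environments where you only want to remove a handful of pages, such as the Windows Update or account pages, and leave everything else alone.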

Sep 2024
16

How to Configure App-Specific Intune Access Controls

If you use Microsoft Entra ID (formerly Azure AD) to host your user accounts, you may want to create Conditional Access policies for when employees access certain cloud applications. Examples might be an enterprise resource planning solution, an employee benefits site or a password manager. A couple of controls you can require are:

  • Require MFA, an extra layer of authentication beyond the password that reduces the risk of unauthorized access even if credentials are compromised.
  • Require that access be granted only from Microsoft Entra joined devices, or from devices that Intune marks as compliant.

Conditional Access policies let you safeguard sensitive information and apply stricter controls only where they're most needed. They can also help with regulatory requirements and mitigate the risks that come with remote work.

In this example I am going to create a conditional access policy for LastPass, a password management tool. To create a conditional access policy for a specific cloud application, sign into the Microsoft Intune Admin Center and navigate to Devices > Conditional Access. Click "New policy" to start configuring the new conditional access policy.

Give the policy a descriptive name and go to assignments. For users I chose a group comprised of all IT workers that regularly access many applications. I then selected the two LastPass cloud applications that our organization uses as shown in the screenshot below:

Then under Access controls > Grant I select two controls: Require multifactor authentication and Require device to be marked as compliant, with "Require all the selected controls" so that both must be satisfied, as shown below. Compliant is a stronger condition than merely joined: the device must be Intune-managed and pass your compliance policy.

For added security you can specify a sign-in frequency under the Session category. A sign-in frequency requires users to re-authenticate periodically when accessing the selected cloud applications or resources. As shown in the screenshot below, administrators can tune the frequency to the sensitivity of the applications or data. In this case I am requiring users to reauthenticate every day (a sign-in frequency of 1 day).

Sep 2024
02

How to Enable Windows 11 Dev Drive with Group Policy and Intune

Dev Drive is a new feature in Windows 11 designed to enhance performance for developers. It provides a specialized storage volume optimized for tasks like cloning repositories, building code, and copying files. Dev Drive is built on Microsoft's Resilient File System (ReFS) technology and offers improved performance and data integrity compared to NTFS. It also provides enhanced control over storage volume settings and security, including trust designation, antivirus configuration, and administrative control over attached filters.  You can learn more about Dev Drive and how to create it here in this article.

You will need to create a policy first that allows the creation of Dev Drive storage volumes on Windows 11 devices. When enabled, users with appropriate permissions can create and use Dev Drives. 

How to Enable Dev Drive using Group Policy

Create a GPO and open it in the Group Policy Management Editor. Navigate to Computer Configuration > Administrative Templates > System > Filesystem and enable the "Enable dev drive" policy as shown in the screenshot below:

Note the optional antivirus filter setting. A Dev Drive is a trusted volume: Microsoft Defender scans it asynchronously (performance mode) and only a limited set of filter drivers attaches to it, so this option is what keeps Defender's filter attached to Dev Drives even if a local administrator tries to detach it. Because this is a Computer Configuration policy, link the GPO to the OU containing your developers' machines rather than to the users.

How to Enable Dev Drive using Intune

Using the Microsoft Intune Admin Center, you will navigate to Devices > Configuration > Create > New Policy. Select Windows 10 and later as the Platform and Administrative Templates as the Profile type. Now go to Computer Configuration > Administrative Templates > System > Filesystem just like the Group Policy example. The screenshot below shows the configured settings:
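
Once the policy has applied, the useful check is what the device actually ended up with: whether Dev Drive is enabled, which ReFS volumes are Dev Drives, whether Defender's performance mode is on, and which filter drivers are really attached to the volume. The script below is an added example, not code from the original post; it runs elevated, and the drive letter is an assumption.

```powershell
# Added example, not code from the original post: check what the Dev Drive
# policy above produced on a device. A Dev Drive is a trusted ReFS volume on
# which Defender scans asynchronously (performance mode) and only an allow-list
# of filter drivers attaches, so the things worth verifying are the enabled
# state, which volumes are Dev Drives, and which filters are actually attached.
# Run elevated; the drive letter is an assumption.

function Get-DevDriveStatus {
    # fsutil devdrv query prints the enabled/trust state and the allowed filter list
    $query = (& fsutil.exe devdrv query 2>&1 | Out-String).Trim()
    $refs  = Get-Volume | Where-Object FileSystemType -eq 'ReFS' |
        Select-Object DriveLetter, FileSystemLabel,
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }
    [pscustomobject]@{
        DevDriveQuery    = $query
        ReFSVolumes      = @($refs)
        DefenderPerfMode = (Get-MpPreference).PerformanceModeStatus   # Defender's Dev Drive performance mode
    }
}

function Get-VolumeFilters {
    # Minifilter instances attached to one volume: confirm WdFilter (Defender) is present
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$DriveLetter)
    & fltmc.exe instances -v "${DriveLetter}:"
}

Get-DevDriveStatus | Format-List
Get-VolumeFilters -DriveLetter 'D'    # assumption: D: is the Dev Drive
```

If WdFilter is missing from the fltmc output for the Dev Drive, the antivirus filter option discussed above has not taken effect on that volume, and the developer workstation has a scan-exempt staging area you did not intend.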

Aug 2024
19

Create your own Authentication Strengths for Intune MFA

Given the increasing ease with which passwords can be compromised, relying solely on password authentication is no longer a secure method for controlling access. In response to this vulnerability, many companies are now widely implementing Multi-Factor Authentication (MFA) to strengthen their cybersecurity defenses. MFA adds an essential layer of security by requiring multiple forms of verification, such as passwords, security tokens, or biometric scans. This added layer of protection makes it significantly harder for unauthorized individuals to access sensitive data.

Microsoft Entra provides multiple secure authentication alternatives, surfaced in the Intune admin center. The built-in authentication strengths are MFA, Passwordless MFA and Phishing-resistant MFA; the passwordless options include Microsoft Authenticator, FIDO2 security keys and Windows Hello for Business. In the case of FIDO2 keys, you can restrict authentication to specific manufacturers or models by their AAGUIDs.

Custom Authentication Strengths

Microsoft Entra, through the Intune admin center, gives administrators the flexibility to create tailored authentication requirements that match their organization's security needs. Administrators can create up to 15 custom authentication strengths from combinations of the following methods:

  • Password
  • SMS
  • Voice call
  • Microsoft Authenticator app (push notification)
  • OATH hardware token
  • OATH software token
  • Windows Hello for Business
  • FIDO2 security key
  • Certificate-based authentication

You can use different combinations to enforce specific authentication methods for different scenarios. For instance, different authentication strengths can be required based on whether users are accessing resources from inside or outside the corporate network. Stronger authentication methods can also be required for users or sign-ins deemed high-risk.

To create a new authentication strength, open the Microsoft Intune Admin Center and navigate to Conditional Access > Authentication strengths, then click "New authentication strength" and select the desired authentication methods. In the example below I made an authentication strength for FIDO2 passkeys.

I then opened the advanced options and checked Microsoft Authenticator (Preview).

Then click Create and you are done.

Creating a Conditional Access Policy

Now let's use the new authentication strength in a Conditional Access policy. Return to Conditional Access and click "Create new policy." Then do the following:

  • Give the policy a descriptive name such as "Require FIDO2 for Passwordless Access".
  • Under "Users and groups", select the users or groups you want this policy to apply to.
  • Under "Cloud apps or actions", select the applications you want to protect as shown in the screenshot below.

You can then choose the conditions that will trigger the policy such as User risk level, device platform or location.

To configure the access controls, go to Grant, select "Require authentication strength" and choose an existing custom strength. You can also create a new authentication strength from here. Note that this control takes the place of "Require multifactor authentication": the strength defines exactly which methods satisfy the policy.

The Grant section will now show 1 control selected as shown below.

Now Set "Enable policy" to "On" and create the policy. You have now created a conditional access policy with your custom authentication strength.
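
The portal steps in this post and in the app-specific Conditional Access post above produce ordinary Microsoft Entra objects, and for anything you plan to repeat across tenants it is worth creating them from the Microsoft Graph PowerShell SDK instead. The script below is an added example, not code from the original post: it creates a custom phishing-resistant authentication strength, then an app-scoped policy that requires that strength together with a compliant device and a daily sign-in frequency, starting in report-only mode. The group name and application ID are placeholders.

```powershell
# Added example, not code from the original post: the objects that the two
# Conditional Access walkthroughs above build in the portal (an app-scoped
# policy with a daily sign-in frequency, a custom authentication strength,
# and a grant control that requires it), created with the Microsoft Graph
# PowerShell SDK. The group name and application ID are placeholders.
# Requires the Microsoft.Graph module and the scopes requested below.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

$itGroup = Get-MgGroup -Filter "displayName eq 'IT Staff'"          # assumption: target group name
$appIds  = @('00000000-0000-0000-0000-000000000001')               # assumption: the cloud app's application ID

# 1. Custom strength: only phishing-resistant combinations (Graph allowedCombinations names).
$strength = New-MgPolicyAuthenticationStrengthPolicy -BodyParameter @{
    displayName         = 'Phishing-resistant only (custom)'
    description         = 'FIDO2 passkeys, Windows Hello for Business or certificate-based MFA'
    allowedCombinations = @('fido2', 'windowsHelloForBusiness', 'x509CertificateMultiFactor')
}

# 2. App-scoped policy. Grant = strength AND compliant device ("Require all the selected
#    controls"); session = re-authenticate daily. Report-only first: review the sign-in logs
#    for what it *would* have blocked before flipping state to 'enabled'.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Password manager: phishing-resistant MFA + compliant device'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($itGroup.Id) }
        applications   = @{ includeApplications = $appIds }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'AND'
        builtInControls        = @('compliantDevice')
        authenticationStrength = @{ id = $strength.Id }   # takes the place of the plain 'mfa' control
    }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = 'days'; value = 1 }
    }
}

"Created '$($policy.DisplayName)' in state $($policy.State), requiring strength '$($strength.DisplayName)'"
```

The policy deliberately omits the built-in `mfa` control: an authentication strength and the generic MFA control are alternatives, and listing both is rejected. Keep at least one emergency-access account excluded from any policy that requires a specific strength, so a lost security key does not lock the tenant's administrators out.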

Aug 2024
05

Use Device Tags to Simplify Intune Management

Admins can tag devices using Microsoft Intune to improve device management, organization and security across the enterprise. Tags let you group and categorize devices by attributes such as department, location or function, and that logical grouping lets IT teams apply policies, updates and security measures more precisely. Tags can be assigned and updated automatically through dynamic rules, so device classification stays accurate and current. Some of the applications of tagging include the following:

  • Tags can be used to filter and search for specific devices in large environments to improve management efficiency.
  • Tags can be used to apply specific policies, configurations, or software to groups of devices that share common characteristics.
  • Tags can help in tracking and managing hardware assets across an organization.
  • Tags can be used to identify devices that require specific security measures or compliance checks.
  • Tags can provide additional context about devices, which can be helpful during troubleshooting or decision-making processes.

In other words, tagging opens up numerous management options and can be a way to simplify your MDM efforts.

Create a Configuration Policy

To implement tagging using the Microsoft Intune Admin Center, navigate to Devices > Configuration > Policies and create a new policy. Choose Windows 10 and later as the Platform and Custom as the Profile type.

You will then name the policy and configure the OMA-URI settings. The OMA-URI path is the critical part. It belongs to the Defender for Endpoint (WindowsAdvancedThreatProtection) CSP, so what you are setting here is a Defender for Endpoint device tag:

./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group

In the example below I selected String as the data type and made a tag called IT Employee.

You could also set the tag with a PowerShell script deployed through Intune, since the CSP simply writes the tag to a registry value that the Defender sensor reads. The tag then appears on the device in the Defender portal, where you can build a device group on it and scope role-based access, automation levels and Defender policies to every device carrying the "IT Employee" tag. (A Microsoft Entra dynamic device group is built from device attributes such as name, OS or enrollment profile rather than from this tag.)
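
Here is that PowerShell alternative, written as an idempotent script you can deploy from Devices > Scripts. It is an added example, not code from the original post: it writes the same REG_SZ value named Group that the OMA-URI above writes, under the Defender for Endpoint policy key, and only touches the registry when the tag is missing or wrong. The tag value is a placeholder.

```powershell
# Added example, not code from the original post: the PowerShell alternative the
# post mentions, written as an idempotent script you can deploy from Devices >
# Scripts in Intune. The OMA-URI above writes a REG_SZ value named Group under
# the Defender for Endpoint policy key; the sensor reads it and the tag shows up
# on the device in the Defender portal. The tag value is a placeholder.

$ExpectedTag = 'IT Employee'
$TagKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

function Get-MdeDeviceTag {
    try { (Get-ItemProperty -Path $TagKey -Name Group -ErrorAction Stop).Group } catch { $null }
}

function Set-MdeDeviceTag {
    # Defender for Endpoint caps a tag value at 200 characters; this registry path holds one tag
    param([Parameter(Mandatory)][ValidateLength(1, 200)][string]$Tag)
    if (-not (Test-Path $TagKey)) { New-Item -Path $TagKey -Force | Out-Null }
    New-ItemProperty -Path $TagKey -Name Group -Value $Tag -PropertyType String -Force | Out-Null
    Get-MdeDeviceTag
}

$current = Get-MdeDeviceTag
if ($current -ceq $ExpectedTag) {
    "Tag already set: $current"
} else {
    "Tag was '$current', setting '$ExpectedTag'"
    Set-MdeDeviceTag -Tag $ExpectedTag | Out-Null
}
# For Intune Remediations, split this: the detection script exits 1 in the else
# branch instead of fixing, and Set-MdeDeviceTag goes in the remediation script.
```

Run it in the system context (the default for Intune platform scripts), since the key lives under HKLM, and give the sensor a little time before expecting the tag in the portal.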

Jul 2024
29

Configure Conditional Access Named Locations with Intune

The Microsoft Intune Admin Center enables you to create Conditional Access policies based on locations for additional granular control over access to organizational resources. This feature is particularly valuable for entities with geographically limited operations, such as school districts, government institutions, or regional businesses.

For instance, if your organization's users are primarily located within a single country, you can implement a policy that restricts logins from all other countries. This approach significantly enhances your security posture by mitigating risks associated with global cyber threats.

By leveraging Named Locations in Conditional Access policies, you can effectively:

1. Block access attempts from unexpected geographical areas

2. Reduce the attack surface for brute force and credential stuffing attacks

3. Minimize the risk of unauthorized access from foreign IP addresses

By restricting access from unfamiliar or high-risk locations, organizations reduce the risk of unauthorized access and potential breaches. Keep the limits in mind, though: the country is derived from the client's IP address (or, optionally, from Authenticator GPS), so an attacker who uses a VPN exit or residential proxy in your country passes the check. Treat geo-blocking as a way to cut noise and attack surface, layered on MFA and device controls rather than replacing them.

Create Country Locations

To create these location areas, you need to navigate to Devices > Conditional Access > Named Locations. Here you can create locations according to Countries, IP addresses and Multifactor Authentication Trusted IPs as shown below.

Let's say you want to create a Conditional Access policy that blocks all login attempts from other countries. Click Countries location and select every country except your own, as shown here. Decide deliberately about the "Include unknown countries/regions" checkbox: tick it if you also want to block IP addresses that cannot be geolocated, which otherwise fall outside your list and are not blocked.

Once you've defined the Named Location, you can proceed to create a corresponding Conditional Access policy. Configure the policy to use the location condition, selecting the Named Location you've previously defined. You may want to initially enable the policy in "Report-only" mode. This allows you to monitor its potential impact without affecting user access. You also need to be mindful of employees who travel internationally as this may require you to:

a) Create exceptions for specific users or groups

b) Implement a process to temporarily modify the policy for traveling employees

c) Create a traveling policy that allows access from all countries and assign it to anyone traveling temporarily.

The screenshot below shows how anyone attempting access from all other countries of the world will be blocked.

Other Location Scenarios

You can also create locations based on IP addresses or ranges. You can use these locations for a variety of instances. For instance, you can create policies that differentiate between office locations and remote work environments that apply security measures differently for set locations. You also may be receiving failed login attempts from a certain IP address and make a conditional access policy to block it.

You can also mark IP locations as trusted and use them in your MFA Conditional Access policies. In this scenario, every login requires MFA except those originating from your trusted IP ranges: users connecting from trusted locations are not prompted for MFA, while those connecting from outside these ranges must complete it. Remember that this exempts anything that can source traffic from those addresses, including a compromised workstation on the office network, so keep the trusted ranges tight and pair the exemption with device-based controls.
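
The same named-location pattern from the Microsoft Graph PowerShell SDK, as an added example that is not code from the original post. Rather than ticking every country except your own, it defines the home country as a named location and blocks sign-ins from all locations except that one, excludes a travelers group and the emergency-access accounts, starts in report-only mode, and creates the trusted office IP location from the last section. The country code, group names and IP range (TEST-NET-3) are placeholders.

```powershell
# Added example, not code from the original post: the named-location pattern
# above with the Microsoft Graph PowerShell SDK. Rather than ticking every
# country except your own, it defines the home country as a named location and
# blocks sign-ins from all locations except that one, excludes a travelers group
# and the emergency-access accounts, and starts in report-only mode. It also
# creates the trusted office IP location from the last section. Country code,
# group names and the IP range (TEST-NET-3) are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Group.Read.All'

$travelers  = Get-MgGroup -Filter "displayName eq 'CA-Travel-Exception'"        # assumption
$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"   # assumption

# Home country. includeUnknownCountriesAndRegions stays $false so that an IP with
# no geolocation is NOT treated as home and therefore gets blocked by the policy.
$home = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Home country'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
    countryLookupMethod               = 'clientIpAddress'
}

# Block everything that is not the home location. Emergency-access accounts are
# excluded so a geolocation glitch cannot lock every admin out of the tenant.
$blockPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Block sign-in from outside the home country'
    state       = 'enabledForReportingButNotEnforced'   # review sign-in logs, then set 'enabled'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($travelers.Id, $breakGlass.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($home.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Trusted office egress, for an MFA policy that skips the prompt on-site.
# Keep it to the actual NAT addresses: anything sourcing traffic from them is exempt.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'HQ egress'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' })
}

"Named locations: $($home.DisplayName) ($($home.Id)), $($office.DisplayName) ($($office.Id))"
"Policy '$($blockPolicy.DisplayName)' created in state $($blockPolicy.State)"
```

Defining the home location and excluding it is easier to maintain than a list of every other country, because new or renamed country codes are blocked by default instead of silently slipping through. Leave the policy in report-only mode for a week or two and check the sign-in logs for legitimate traffic from travelers or cloud egress points you did not anticipate before enforcing it.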

Jul 2024
15

How to Setup Multi Admin Approval with Intune

One of the first objectives of an attacker who has gained a foothold is to obtain a privileged identity in your organization. An Intune administrator is among the most powerful accounts you have, because it can push code to every managed device. A compromised Intune admin could deploy a malicious application, such as ransomware or a backdoor, to your corporate devices, or run a harmful PowerShell script or other executable on them.

MAA is like MFA

With the rapidly expanding threat landscape of today, relying on a single password to secure user accounts is no longer viable. This is why multifactor authentication (MFA) is now considered best practice, as it provides an additional security layer to protect digital identities. Now let’s apply that same logic to your Intune environment.

You cannot afford a single compromised Intune admin account that can execute such changes at will. Like MFA, Multi Admin Approval (MAA) adds an extra layer by requiring a second administrator to approve certain critical actions before they take effect. If you create a new policy to deploy an application, that policy is not applied until a member of the assigned approval group authorizes it.

When an administrator attempts to modify a resource protected by an access policy, Intune withholds the change until a member of the designated approval group reviews and authorizes it, so critical changes get a second pair of eyes before they are applied. The approver can approve the change and let it proceed, or reject it, which blocks it entirely.

How to Configure MAA in Intune

Note there are some prerequisites that must be met prior to enabling MAA:

  • Multi admin approval requires a minimum of two administrator accounts within your tenant
  • Creating an access policy requires your account to hold the Intune Administrator (also shown as Intune Service Administrator) or Global Administrator role.
  • To qualify as an approver, an account must belong to the group assigned to the access policy for a specific type of resource.

To enable MAA, open the Microsoft Intune admin center and navigate to Tenant administration > Multi Admin Approval > Access policies and click Create, as shown in the screenshot below.

Create a name for the MAA policy and select either Scripts or Apps for the Profile type as shown below.

Next is the Approvers page where you will click “Add groups” and select the group of users that will act as approvers for this policy.

Then review and click Create to finalize and save the policy.

Approving Requests

So now let’s say you create an Intune policy to deploy a new application. A new step will be required for you to include the business justification for your request. Rather than an active policy, it is submitted as a request and awaits approval. You can monitor the status of your requests on the MAA page. There you will see a list of all your submitted requests, along with their current status.

The status of your requests can be one of the following:

  • Pending: The request is waiting for approval from another administrator.
  • Approved: The request has been approved and the changes have been applied.
  • Rejected: The request was rejected by an approver.
  • Canceled: The request was canceled by you or another administrator.

To approve another admin's request, navigate to Pending requests and select the specific request you want to approve. Approvers cannot approve their own requests, so make sure the members of the approval group are notified of pending actions and that the group contains more than one active administrator.