
Veri-Tune

Enterprise

Veri-Tune assesses your Microsoft Intune endpoint management configuration against 375 security controls covering Windows, macOS, iOS, and Android. It provides assignment-aware dual scoring, Policy Insights for cross-policy overlap and conflict detection, modify-in-place remediation, AI-generated remediation plans, a dedicated per-platform policy assignment page, and automated remediation with scoped JIT write permissions.

375 Intune controls
Platforms: Win / macOS / iOS / Android
Policy Insights: included
Minimum tier: Enterprise

How Veri-Tune Works

Step-by-step walkthrough from start to finish

1. Run Baseline Assessment

Navigate to the Tune section and click "Run Assessment." Veri-Tune reads your Intune configuration — device compliance policies, configuration profiles, security baselines, and app protection policies — via the Graph API. The assessment evaluates 375 controls across Windows, macOS, iOS, and Android and produces a dashboard with Score Breakdown + Control Status charts, Remediation Impact Estimator, Quick Wins, Severity Risk Matrix, and a Framework Radar.

2. Review Dual Scores and Policy Insights

Veri-Tune provides assignment-aware dual scoring — a "deployed" score (counts only controls assigned to device groups) and a "configured" score (counts all policies). Policy Insights scans your full policy graph for settings that appear in multiple policies, flagging value conflicts, redundant duplicates, and unassigned overrides. Detailed and Executive reports can be downloaded in HTML, Markdown, or PDF.

3. Plan Remediation

The Remediation Planner uses AI to set a per-control disposition (remediate, runbook, skip) and defaults automatable controls to remediate. A Remediation Dashboard shows Selection Summary, Projected Impact, Severity Breakdown, and Disruption Risk Heatmap. Controls are grouped by action type: Patch / Create / Assign / Fix.

4. Dispatch via Change Advisory

The 3-tier dispatch workflow (green / amber / red) generates Change Advisory and runbook artifacts before you deploy. Amber controls are pre-selected for review — dispatch is a confirmation step, not re-selection.

5. Assign Policies to Device Groups

Configured-but-not-assigned policies get their own dedicated page with per-platform group selectors (Windows, macOS, iOS, Android) so you can target the right group for the right platform in one pass. JIT write permissions are granted for the assignment and auto-revoked after.

6. Remediate — Modify-in-Place or Override

Veri-Tune edits existing misconfigured policies in place rather than creating override policies that stack on top, with previous-value tracking for rollback and a per-control toggle to switch to Override if you need a fresh policy. Windows device configuration, compliance policies, and macOS device configuration / compliance are all auto-remediated. Scoped JIT write permissions use only 3 Graph API scopes (vs 14 for M365 remediation).

7. Track Results and Audit Trail

A full results page shows Deployed / Runbooks / Failed / Accepted / Passing groupings. Every JIT consent grant, policy assignment, modification, and write revocation is logged in the audit trail with timestamps and before/after values.

Data Handling

What data is collected, processed, stored, and what is never accessed

Data collected during Intune assessment

  • Intune device compliance policies and their assignments
  • Device configuration profiles (Settings Catalog, templates, custom OMA-URI)
  • Security baselines and their current configuration values
  • App protection policies for iOS, Android, and Windows
  • Enrollment restrictions and Autopilot deployment profiles
  • Device group memberships for assignment-aware scoring

How data is processed

  • Configuration values are evaluated against 375 control definitions in the Veri-Tune registry
  • Assignment-aware scoring calculates both "deployed" (assigned to groups) and "configured" (all policies) scores
  • Cross-source detection aggregates settings from Settings Catalog, Security Baselines, and Compliance Policies
  • Framework mappings are applied (CIS, NIST, SOC 2, ISO 27001, HIPAA, CISA)
  • Remediation actions use the Graph API with scoped JIT write permissions

What is stored after assessment

  • Compliance scores (deployed and configured) in Azure Table Storage
  • Per-control pass/fail results with setting values and expected values
  • Remediation audit trail (JIT grants, assignments, revocations) in Azure Table Storage
  • Generated reports in Azure Blob Storage (encrypted at rest)

Data Veri-Tune never accesses

  • Device hardware details, serial numbers, or IMEI numbers
  • Installed applications or app usage data on managed devices
  • User personal data, email, files, or browsing history
  • BitLocker recovery keys or FileVault keys
  • Device location data or GPS coordinates
  • Managed app content or app configuration data

Permissions

Every Graph API permission used, when it's requested, and why

Permission Model

Veri-Tune uses a scoped JIT permission model with only 3 write permissions (vs 14 for M365 remediation). Read permissions are granted during initial consent. Write permissions are requested via a separate delegated consent flow immediately before remediation or policy assignment and auto-revoked after the operation. A Global Administrator must complete the delegated consent prompt — this is separate from the initial read-only consent.

Permission                                      Type   When      Purpose
DeviceManagementConfiguration.Read.All          Read   Always    Read device configuration profiles, security baselines, and settings
DeviceManagementManagedDevices.Read.All         Read   Always    Read managed device inventory and compliance status
DeviceManagementServiceConfig.Read.All          Read   Always    Read Intune service configuration and enrollment settings
DeviceManagementConfiguration.ReadWrite.All     Write  JIT only  Create or update device configuration profiles and security baselines
DeviceManagementManagedDevices.ReadWrite.All    Write  JIT only  Assign policies to device groups
DeviceManagementServiceConfig.ReadWrite.All     Write  JIT only  Update enrollment and service configuration settings

Safety Controls

  • Scoped JIT write permissions — only 3 Graph scopes vs 14 for M365
  • Delegated auth for write operations — a real admin must consent, not just app permissions
  • Auto-revocation of write permissions after every operation
  • JIT status badges show Active/Revoked/Assigned state at all times
  • Full audit trail of every consent grant, assignment, and revocation
  • Assignment-aware scoring prevents false positives from unassigned policies
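The permission model and safety controls above describe three properties worth checking in any JIT write design: write scopes are granted only around a single operation, they are revoked even when that operation fails, and every grant, change, and revocation lands in an audit trail with before/after values. The following Python is an added illustration, not Veri-Tune's code or its API: it models tenant consent state as an in-memory set and makes no Graph calls. The three scope names are the real Graph permissions listed in the table; the policy dict, the `JitSession` class, and the `admin@example.test` account are constructed placeholders.

```python
"""Added example (not Veri-Tune's code): simulated JIT write-scope lifecycle with an
audit trail. No Graph calls are made; consent state is an in-memory set."""
from contextlib import contextmanager
from datetime import datetime, timezone

# The three write permissions the page lists as JIT-only (real Graph scope names).
JIT_WRITE_SCOPES = frozenset({
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
})


class JitSession:
    """Stand-in for a tenant's consent state (hypothetical model, not the product's API)."""

    def __init__(self):
        self.active_scopes = set()
        self.audit = []                       # chronological list of event dicts

    def log(self, event, **detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **detail})

    def badge(self):
        """Mirror of the Active/Revoked status badge."""
        return "Active" if self.active_scopes else "Revoked"

    @contextmanager
    def write_scope(self, scopes, admin):
        """Grant only the named write scopes for one operation; revoke on exit even if
        the operation raised, so a failed remediation never leaves write access behind."""
        scopes = set(scopes)
        unknown = scopes - JIT_WRITE_SCOPES
        if unknown:
            raise ValueError(f"not a JIT write scope: {sorted(unknown)}")
        self.active_scopes |= scopes
        self.log("consent_granted", scopes=sorted(scopes), admin=admin)
        try:
            yield
        finally:
            self.active_scopes -= scopes
            self.log("consent_revoked", scopes=sorted(scopes))


def modify_in_place(session, policy, setting, new_value, admin="admin@example.test"):
    """Edit one setting of an existing policy (a plain dict here) and record the previous
    value so the change can be rolled back. Returns the previous value."""
    with session.write_scope({"DeviceManagementConfiguration.ReadWrite.All"}, admin):
        if setting not in policy["settings"]:
            raise KeyError(setting)           # unknown setting: abort, scope still revoked
        before = policy["settings"][setting]
        policy["settings"][setting] = new_value
        session.log("policy_modified", policy=policy["name"], setting=setting,
                    before=before, after=new_value)
    return before


def rollback(session, policy, setting, admin="admin@example.test"):
    """Restore the value captured by the most recent modification of this setting."""
    prior = [e for e in session.audit if e["event"] == "policy_modified"
             and e["policy"] == policy["name"] and e["setting"] == setting]
    if not prior:
        raise LookupError(f"no recorded change to {setting} on {policy['name']}")
    return modify_in_place(session, policy, setting, prior[-1]["before"], admin)


if __name__ == "__main__":
    session = JitSession()
    win = {"name": "Win-Baseline", "settings": {"screenlock.minutes": 30}}   # constructed
    modify_in_place(session, win, "screenlock.minutes", 10)
    try:
        modify_in_place(session, win, "not.a.setting", True)   # fails inside the scope
    except KeyError:
        pass
    rollback(session, win, "screenlock.minutes")
    print("badge:", session.badge())
    for event in session.audit:
        print(event)
```

The `finally` in `write_scope` is the part that matters: after the deliberately failing second call the badge still reads Revoked and the last audit event is a revocation, which is the behaviour an auditor should verify in any tool that claims auto-revocation.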

Capabilities

  • 375 Intune-specific controls across device compliance, configuration, baselines, and app protection
  • Cross-platform coverage: Windows, macOS, iOS, and Android — with macOS auto-remediation alongside Windows
  • Assignment-aware dual scoring (deployed vs. configured compliance)
  • Policy Insights — overlap & conflict detection across every Intune policy, with setting-centric and policy-centric views
  • Downloadable Detailed and Executive Policy Insights reports (HTML / Markdown / PDF)
  • Cross-source detection: Settings Catalog, Security Baselines, Compliance Policies
  • Modify-in-place remediation — edits existing policies instead of creating overrides, with previous-value tracking
  • Per-control strategy toggle (Modify vs. Override) for granular control
  • AI-generated remediation plans with per-control dispositions
  • 3-tier dispatch workflow (green / amber / red) with Change Advisory and runbook generation
  • Dedicated policy assignment page with per-platform group selectors
  • Assessment dashboard with Score Breakdown, Control Status charts, Quick Wins, Severity Risk Matrix, and Framework Radar
  • Remediation dashboard with Selection Summary, Projected Impact, and Disruption Risk Heatmap
  • Runbook generation for controls requiring manual administrator steps
  • Cross-product detection surfaces related Veri-Guard and Veri-Patch controls from the same tenant
  • CIS, NIST, SOC 2, ISO 27001, HIPAA, and CISA framework mapping
  • Remediation audit trail with timestamps and before/after values
  • Included with Enterprise and MSP plans

Frequently Asked Questions

What is the difference between "deployed" and "configured" scores?
The "deployed" score only counts controls assigned to device groups — reflecting what's actually protecting your devices. The "configured" score counts all policies regardless of assignment. A large gap means you have security policies that aren't assigned to any devices.
What is Policy Insights?
Policy Insights scans every Intune policy in your tenant and surfaces settings that appear in 2+ policies — flagging three conditions: value conflicts (policies fighting each other with contradictory values), redundant duplicates (same setting with the same value in multiple policies), and unassigned overrides (overriding policies that aren't actually assigned). It offers setting-centric and policy-centric views, filters, and downloadable Detailed and Executive reports in HTML, Markdown, or PDF.
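Step 2 of the walkthrough and the two answers above describe two evaluations over the same input: the deployed/configured split (a control only counts as deployed when a satisfying policy is assigned to a device group) and the three Policy Insights conditions for a setting that appears in more than one policy. The Python below is an added example that is not Veri-Tune's code and does not reproduce its 375-control registry; the policies, group names, setting keys, and the five controls are constructed for illustration. It generalizes slightly beyond the text by treating a differing value held only by unassigned policies as an unassigned override, while a differing value between two assigned policies is a value conflict.

```python
"""Added example (not Veri-Tune's code): assignment-aware dual scoring and cross-policy
overlap detection over a constructed set of Intune-style policies."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    platform: str
    settings: dict                       # setting key -> configured value
    assigned_groups: list = field(default_factory=list)  # empty list = configured, not deployed


# Constructed sample tenant (hypothetical names and setting keys, not real data).
POLICIES = [
    Policy("Win-Baseline", "windows",
           {"bitlocker.required": True, "firewall.enabled": True, "screenlock.minutes": 15},
           ["All-Windows"]),
    Policy("Win-Hardening-Draft", "windows",
           {"firewall.enabled": True, "screenlock.minutes": 5}),          # never assigned
    Policy("Win-Legacy", "windows",
           {"screenlock.minutes": 30, "smb1.disabled": True}, ["Finance-PCs"]),
    Policy("Mac-Baseline", "macos", {"filevault.required": True}, ["All-Mac"]),
]

# Hypothetical control registry standing in for the product's 375 controls:
# control id -> (setting key, predicate the configured value must satisfy).
CONTROLS = {
    "WIN-01 BitLocker required": ("bitlocker.required", lambda v: v is True),
    "WIN-02 Firewall enabled": ("firewall.enabled", lambda v: v is True),
    "WIN-03 Screen lock within 10 min": ("screenlock.minutes", lambda v: v <= 10),
    "WIN-04 SMBv1 disabled": ("smb1.disabled", lambda v: v is True),
    "MAC-01 FileVault required": ("filevault.required", lambda v: v is True),
}


def dual_scores(policies, controls):
    """Return (configured_pct, deployed_pct).

    A control is 'configured' when any policy satisfies it, and 'deployed' only when a
    satisfying policy is assigned to at least one device group."""
    configured = deployed = 0
    for key, satisfied in controls.values():
        hits = [p for p in policies if key in p.settings and satisfied(p.settings[key])]
        if hits:
            configured += 1
        if any(p.assigned_groups for p in hits):
            deployed += 1
    total = len(controls)
    return round(100 * configured / total, 1), round(100 * deployed / total, 1)


def policy_insights(policies):
    """Classify every setting that appears in two or more policies.

    Returns (kind, setting, policy names) tuples for the three conditions the page
    names: redundant_duplicate (same value everywhere), value_conflict (assigned
    policies carry different values), unassigned_override (a differing value that
    lives only in a policy assigned to no group)."""
    by_setting = defaultdict(list)
    for p in policies:
        for key, value in p.settings.items():
            by_setting[key].append((p, value))

    findings = []
    for key, entries in by_setting.items():
        if len(entries) < 2:
            continue                                   # present in one policy only
        if len({repr(v) for _, v in entries}) == 1:
            findings.append(("redundant_duplicate", key, sorted(p.name for p, _ in entries)))
            continue
        assigned = [(p, v) for p, v in entries if p.assigned_groups]
        assigned_values = {repr(v) for _, v in assigned}
        if len(assigned_values) > 1:
            findings.append(("value_conflict", key, sorted(p.name for p, _ in assigned)))
        overriders = sorted(p.name for p, v in entries
                            if not p.assigned_groups and repr(v) not in assigned_values)
        if overriders:
            findings.append(("unassigned_override", key, overriders))
    return findings


def unassigned_policies(policies):
    """Policies that raise the configured score but contribute nothing to the deployed one."""
    return [p.name for p in policies if not p.assigned_groups]


if __name__ == "__main__":
    configured, deployed = dual_scores(POLICIES, CONTROLS)
    print(f"configured {configured}%  deployed {deployed}%  gap caused by: {unassigned_policies(POLICIES)}")
    for kind, setting, names in policy_insights(POLICIES):
        print(f"{kind:20} {setting:20} {names}")
```

On this sample the configured score is 100% but the deployed score is 80%: the only policy meeting the screen-lock control is the unassigned draft, which is exactly the kind of gap the deployed/configured split is meant to expose. The same draft shows up twice in the insights output, once as a redundant duplicate of the firewall setting and once as an unassigned override of the screen-lock value that the two assigned policies already disagree on.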
How is Veri-Tune remediation different from just creating override policies?
Veri-Tune edits existing misconfigured policies in place rather than stacking override policies on top. This reduces policy sprawl, preserves assignment targeting, and captures previous-value metadata so you can roll back. You still get a per-control toggle to switch to Override if you genuinely want a fresh policy instead.
Does Veri-Tune support macOS?
Yes. Veri-Tune auto-remediates macOS device configuration profiles (via macOSGeneralDeviceConfiguration) alongside Windows, plus compliance-policy auto-fixes for missing non-compliance actions and unassigned compliance policies. iOS and Android are covered in scoring and assessment.
What does AI do in the remediation planner?
The AI sets a per-control disposition (remediate, runbook, or skip) based on your tenant context, respecting the registry's automatable flags. Automatable controls default to remediate so you don't have to check them one by one. You can override any AI decision before dispatch.
What is the dispatch workflow?
Dispatch is a 3-tier change-advisory step (green / amber / red) between planning and deployment. Amber controls are pre-selected so dispatch is a confirmation — not a re-selection. It generates Change Advisory and runbook artifacts before any write operation happens.
Why does Veri-Tune use delegated auth instead of app-only permissions?
Certain Intune endpoints (like Autopilot and Enrollment Status Page profiles) require delegated authentication — they reject app-only tokens. Veri-Tune stores a delegated token during JIT consent to ensure all write operations succeed. This also provides stronger security assurance since a real administrator must actively consent.
How does bulk policy assignment work?
Configured-but-not-assigned policies get their own dedicated assignment page with per-platform group selectors (Windows, macOS, iOS, Android). Pick policies, select the right group for each platform, and assign. Veri-Tune requests scoped JIT write permissions, assigns the selected policies to the groups, and auto-revokes write access. The entire operation is logged in the audit trail.
Does Veri-Tune access my users' devices?
No. Veri-Tune reads Intune policy configurations and device group memberships — it never accesses individual device hardware, installed apps, user data, recovery keys, or location information.