Manage Windows Devices with Microsoft Endpoint Manager (Intune)


Microsoft Endpoint Manager (Intune) is a free cloud service that connects your devices to the cloud and lets you manage the devices using the cloud console. Learn how to set up Microsoft Endpoint Manager to manage your Windows endpoints.

What is Microsoft Endpoint Manager (Intune)?

Microsoft Endpoint Manager is an Enterprise Mobility Management platform made up of two core components: Intune and Configuration Manager.

Configuration Manager is an on-premises solution that allows the management of Windows clients and Windows Server, as well as macOS. It’s based on an agent installed on these devices and used to be known as System Center Configuration Manager. Now, it’s known as Microsoft Endpoint Configuration Manager, often shortened to “ConfigMgr”. You can check out our detailed guide on how to install the latest version of Configuration Manager.

Intune, on the other hand, is the Cloud version of ConfigMgr. It doesn’t have exactly the same feature set as ConfigMgr, and it doesn’t do some things in the same way, either. Intune was initially developed by a completely different team at Microsoft, for a completely different purpose to what ConfigMgr was designed for.

Intune used to be called Windows Intune, and then Microsoft Intune. Now it’s a sub-product of Microsoft Endpoint Manager. A couple of years ago, Microsoft brought together the teams responsible for ConfigMgr and Intune to allow them to work more closely. Following that change in structure, the products are now more closely aligned too.

Whilst Intune can be leveraged to manage Windows, Android, iOS, iPadOS, MacOS, and Linux, this article focuses on using Intune to manage Windows 10 and Windows 11 laptops, desktops, and cloud PCs.

How to set up Intune

Intune is a cloud service that sits within Microsoft Azure. Every Intune instance requires an Azure Active Directory tenant for it to exist within.
An Azure AD tenant is a dedicated instance for your organization and it’s where all of the configurations you create will reside. Microsoft offers a free 30-day trial that will allow you to get access to 25 user licenses to help you evaluate the product. If you’re interested in learning more about how to configure Intune in a lab or for your organization, I’ve created a full beginners course, which should help you get started.

What you need to get started using Intune

When you begin working with Intune for Windows 10 and Windows 11 devices, you’ll typically need to complete the following core tasks:

  • Create and configure your Azure AD / Intune tenant
    • Create a Custom Domain to assist user sign-in (optional, but recommended)
    • Assign Intune and Azure AD Premium licenses to users
  • Configure Enrollment
    • Create and apply Device Type Enrollment Restrictions
    • Create and apply Device Limit Enrollment Restrictions
    • Configure User-Driven Enrollment and test
    • Review existing devices
  • Configure Device Configuration Profiles
  • Configure Device Compliance Policies
  • Deploy and Manage Apps
  • Manage Software Updates

Get started managing devices with Intune

Intune is a subscription-based service that relies on having a valid license in the environment to enable configuration.

Create and configure your Azure AD / Intune tenant

Every user who needs to enroll a device must be granted an Intune license, which permits them to enroll up to 15 devices (5 of each type – iOS, Android, Windows).

To get started, sign up for the 30-day trial and follow the documentation.

Create a Custom Domain to assist user sign-in

When you sign up to Intune, you are provided with an initial domain that resembles *exampledomain*.onmicrosoft.com. This can’t be changed, but it is possible to add a custom domain that is easier to type, and better fits your organization’s brand.

It is recommended to add any custom domains and properly configure them before synchronizing your on-premise Active Directory or creating users.

Once a custom domain has been configured, users can sign in with their User Principal Name (UPN), which is often made to match their email address for simplicity, for example, [email protected]

Assign Intune and Azure AD Premium licenses to users

Each user requires an Intune user license to enroll their device. To enable auto-enrollment of devices that join Azure Active Directory, an additional license – Azure AD Premium – is required. Auto-enrollment is crucial for the Windows Autopilot feature, which is incredibly popular among IT admins who need to deploy devices at scale.

Azure AD Premium is available in P1 and P2 flavors, although only the cheaper P1 variant is required to enable the auto-enrollment capability, required by Autopilot.

Whilst it is possible to buy Intune and Azure AD Premium P1 licenses standalone, this is usually at a higher cost per user than the Enterprise Mobility and Security (EMS) E3 product, which includes Intune and AADP1, along with a handful of other important security-related features. EMS (often referred to as “Enterprise Mobility Suite”) is a better return on investment when compared to building your own equivalent using standalone licensing.

The simplest way to assign the required licenses to a user is via the Microsoft Endpoint Manager admin center.

Choose Users > All Users > choose a user > Licenses > Assignments, and then choose the appropriate license option from the license list.
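The same license assignment can be scripted with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article: it assigns the EMS E3 SKU (which bundles Intune and Azure AD Premium P1), sets the usage location that Azure AD requires before any license can be assigned, and verifies that both service plans are provisioned. The UPN and the usage-location code are placeholders.

```powershell
# Added example (not from the original article): assign EMS E3 (Intune + Azure AD Premium P1)
# to a user with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph module is
# installed and the signed-in admin can manage licenses. The UPN below is a placeholder.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"

$upn = "user@example.com"   # placeholder: replace with the real UPN

# A usage location is mandatory before any license can be assigned.
$user = Get-MgUser -UserId $upn -Property Id, UsageLocation, DisplayName
if (-not $user.UsageLocation) {
    Update-MgUser -UserId $user.Id -UsageLocation "GB"   # ISO 3166 code for your region (placeholder)
}

# Look up the EMS E3 SKU in the tenant and confirm seats are actually available.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq "EMS"
if (-not $sku) { throw "No EMS E3 subscription found in this tenant." }
$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
if ($free -le 0) { throw "EMS E3 has no free seats ($($sku.ConsumedUnits) used)." }

Set-MgUserLicense -UserId $user.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId }) `
    -RemoveLicenses @()

# Verify: the Intune (INTUNE_A) and Azure AD Premium P1 (AAD_PREMIUM) service plans
# should now show as provisioned for the user.
$details = Get-MgUserLicenseDetail -UserId $user.Id
$details.ServicePlans |
    Where-Object { $_.ServicePlanName -in "INTUNE_A", "AAD_PREMIUM" } |
    Select-Object ServicePlanName, ProvisioningStatus
```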

Microsoft Endpoint Manager admin center

Configure Enrollment

Intune lets you manage your organization’s devices and control how they access your company data via a feature known as Mobile Device Management (MDM). Devices are “enrolled” into the Intune platform by users (or IT administrators in specific circumstances).

Organizations are able to create enrollment restrictions that define which devices can enroll into management with Intune. It’s possible to restrict enrollment by:

  • Number of devices
  • Operating systems and versions

Create and apply Device Type Enrollment Restrictions

To configure a Device Type Enrollment Restriction, perform the following steps:

Microsoft Endpoint Manager admin center > Devices > Enroll Devices > Enrollment restrictions > Create restriction > Device type restriction.

Create and apply Device Limit Enrollment Restrictions

To configure a Device Limit Enrollment Restriction, perform the following steps:

Microsoft Endpoint Manager admin center > Devices > Enroll Devices > Enrollment restrictions > Create restriction > Device limit restriction.

Device limit restrictions

How to Add (Enroll) Devices into Intune

When adding (or enrolling) Windows devices to Intune, it’s vital that you understand the difference between a Corporate Device and Personal Device. The concept, of course, is pretty simple. A Corporate Owned Device is one owned by the organization, while a Personally Owned Device (also known as Bring Your Own Device or BYOD) is one owned by the employee or user.

Whilst the concept is simple to understand, there are some configuration requirements that need to be understood to ensure Corporate Owned Devices can enroll as such, and all others are considered Personal.

For example, any device enrolling via Hybrid Azure AD Join autoenrollment is automatically considered Corporate Owned, as is any device enrolling via Autopilot or directly via the Out of Box Experience. Where a device is enrolled via another method, for example, User-Driven Enrollment via the Company Portal, the device is considered Personal until manually switched to “Corporate” by an Administrator.

User-driven enrollment

Users can enroll their device into Intune in three ways:

  1. Via the Out of Box Experience (OOBE) screen when configuring a computer for the first time
    • Users can choose to enroll as a Work or School device, which marks the device as Corporate
  2. If users already have an existing computer that is not joined to the corporate domain, they can head to Settings > Accounts > Work or School > Add Work or School Account. This will mark the device as Personal
  3. Via the Company Portal app, available from the app store. This method will mark the device as Personal.
Choosing to Add a Work or School Account from Settings provides a prompt for email address, to locate the MDM for your organization.

Check device enrollment status

You can check the enrollment status, or check if your device is enrolled into Intune by heading to Settings > Accounts > Work or School. From here, you’ll be able to check which domain your computer is connected to, and which MDM manages the device:

Devices managed by an MDM such as Intune will show "Managed by", and the name of the MDM platform.

As shown in the above graphic, it is not possible for Standard users to Disconnect or Remove Intune from a device. Where a user needs to remove their device from Intune management, they will need to elevate to Administrator. In some cases, such as Autopilot, the device enrollment state is locked such that even administrators cannot remove the device management profile association.

Clicking Info from the Settings page above will provide additional information around the Areas of configuration that are managed by the MDM, as shown in the graphic below.
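The same state can be read from the device itself, which is useful when auditing a fleet or checking a machine that is Azure AD joined but never appeared in Intune. This is an added example, not code from the original article: it parses the output of the built-in dsregcmd tool and reads the MDM enrollment registry keys. It assumes an elevated PowerShell session and that the Intune enrollment is the one whose ProviderID is "MS DM Server".

```powershell
# Added example (not from the original article): verify join state and MDM enrollment
# from the device itself, mirroring what Settings > Accounts > Work or School shows.
# Uses the built-in dsregcmd tool and the MDM enrollment registry keys; run elevated.
function Get-MdmEnrollmentState {
    # dsregcmd /status reports Azure AD / domain join state and the MDM discovery URL
    # as "Key : Value" lines; collect them into a hashtable.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }

    # Each MDM enrollment lives under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>.
    # ProviderID "MS DM Server" identifies the Microsoft (Intune) MDM enrollment.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }
    $first = $enrollments | Select-Object -First 1

    [pscustomobject]@{
        AzureAdJoined  = $status['AzureAdJoined']
        DomainJoined   = $status['DomainJoined']
        TenantName     = $status['TenantName']
        MdmUrl         = $status['MdmUrl']
        IntuneEnrolled = [bool]$enrollments
        EnrolledUpn    = $first.UPN
        DiscoveryUrl   = $first.DiscoveryServiceFullURL
    }
}

$state = Get-MdmEnrollmentState
$state | Format-List

# Flag the gap the article warns about: Azure AD joined, but auto-enrollment into
# Intune never happened (typically a missing Azure AD Premium P1 license or MDM scope).
if ($state.AzureAdJoined -eq 'YES' -and -not $state.IntuneEnrolled) {
    Write-Warning 'Azure AD joined but no Intune enrollment found: check auto-enrollment and AADP1 licensing.'
}
```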

Intune dynamic management

Configure Device Configuration Profiles

Device profiles allow organizations to configure settings that affect features, configuration, restrictions, or security on a device. When these profiles are deployed to a group of users or devices, the device applies the configuration from the policy and reports back to the MDM to highlight any issues with the application of the configuration. The following broad options are available when choosing to deploy a Configuration Profile:

  • Settings catalog
  • Templates

Device Configuration Profiles can be configured from Microsoft Endpoint Manager admin center > Devices > Configuration Profiles > Create Profile

Settings catalog provides an administrator with a full, searchable list of all settings available.
By clicking on a category of Setting in the Settings Picker, administrators can quickly understand which configuration setting options are available in the selected category.

The Settings picker allows quick and easy access to categories of settings, all in one place.

Templates contain groups of settings, organized by functionality. Use a template when you don’t want to build policies manually or want to configure devices to access corporate networks, such as configuring WiFi or VPN. Whilst these are good for some use cases, the categories can be a little broad and cumbersome.

The Templates option provides a limited view of the settings within a particular category.

Configure Device Compliance Policies

Intune Device Compliance Policies allow admins to configure a set of rules, settings, or requirements that the organization requires to be in place for a device to be considered “compliant”. This would normally be decided in conjunction with a Security team, who may want to impose specific security requirements.
For example, an organization might require that all laptop computers are fully encrypted with Bitlocker in order to be considered compliant.

When a device is considered compliant, it is permitted to access company resources. When a device is marked as non-compliant, the outcome is dependent on the settings within the specific compliance policy.

For example, if an administrator creates a policy that requires devices to be Bitlocker encrypted to be considered compliant, they can then grant the device a grace period during which the device can be remediated – whether that be fixed by an IT admin, or the user themselves.

Device Compliance Policies can be created from Microsoft Endpoint Manager admin center > Devices > Compliance Profiles > Create Policy

Choosing to require devices to be configured with BitLocker can ensure data at rest on devices is secure
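The BitLocker policy with a grace period described above can also be created through Microsoft Graph. This is an added example, not code from the original article: it creates a Windows 10/11 compliance policy that requires BitLocker, Secure Boot and code integrity, marks devices non-compliant after a 72-hour grace period, and assigns it to a group. The group ID is a placeholder; property names follow the Graph windows10CompliancePolicy resource type.

```powershell
# Added example (not from the original article): create the BitLocker compliance policy the
# article describes, with a 72-hour grace period before devices are marked non-compliant,
# then assign it to a group. Uses the Graph PowerShell SDK; the group ID is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$groupId = "00000000-0000-0000-0000-000000000000"   # placeholder: target Azure AD group

$policy = @{
    "@odata.type"        = "#microsoft.graph.windows10CompliancePolicy"
    displayName          = "Windows - Require BitLocker"
    description          = "Compliant only when BitLocker, Secure Boot and code integrity are on."
    bitLockerEnabled     = $true     # the BitLocker requirement from the article
    secureBootEnabled    = $true
    codeIntegrityEnabled = $true
    # Actions for non-compliance: block access (mark non-compliant) after the grace period,
    # giving IT or the user time to remediate before Conditional Access reacts.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"   # fixed rule name Intune uses for the default rule
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 72
                   notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType "application/json"

# Assign the policy to the group; nothing is evaluated until an assignment exists.
$assignment = @{ assignments = @(
    @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }
) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 6) -ContentType "application/json"

"Created compliance policy '$($created.displayName)' ($($created.id))"
```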

Deploy and Manage Apps

Microsoft Intune supports a number of distinct app types when deploying to Windows 10 and Windows 11 devices. Apps that are added to Intune can be deployed to users or devices as ‘available’ (optional) or ‘required’. For more details, you can check out our guide on how to package and deploy Windows applications with Intune.

App Types supported by Intune

Intune is capable of deploying the following categories of application to Windows laptops, desktops, and cloud PCs:

  • Line of Business Apps (MSI, AppX, UWP, for example)
  • Win32 Apps (custom applications using, for example .exe)
  • Script
  • Microsoft Store App
  • Microsoft Edge
  • Microsoft 365 Apps (formerly Office 365 Apps, or Office Pro Plus)
The “Select App Type” blade shows the breadth of Intune’s support for native and 3rd party applications.

Mobile Application Management (MAM) for Windows devices

Mobile Application Management (MAM), also known as App Protection Policies, is not supported on Windows devices. Microsoft recommends reviewing Windows Information Protection to protect apps and organization data on Windows 10 and 11 devices.

Manage Software Updates

Intune’s capability to deploy Microsoft Windows Updates reflects Microsoft’s approach to updates in the Enterprise. The legacy Windows Server Update Services days are long gone, and administrators have comparatively little control over which updates are applied and when.

Administrators can control update deployment via Update Rings. Update Rings aim to allow administrators to target distinct groups of users with updates at different rates.

For example, an organization may want to require their IT department devices to receive all updates immediately, with little to no warning regarding reboots. IT administrators are typically more resilient to unexpected reboots, and more understanding of the necessity of updates in the first place. Meanwhile, the broad spread of users in the workplace may be allocated a more relaxed schedule, giving greater warning.

Update ring configuration for Windows 10 and Windows 11 devices

Update rings can be created by browsing to Microsoft Endpoint Manager admin center > Devices > Compliance Profiles > Create Update ring for Windows 10 and later

Summary

Microsoft has made a significant investment in Microsoft Endpoint Manager – with both Configuration Manager and Intune receiving weekly feature and security updates to improve the service. The platform and solution is one of the most complete and capable in the Enterprise Mobility Management (EMM) space today.

If you are interested in learning more about the basics of Intune Management for Windows devices, my beginner’s course may help you out. You may also want to check out my article on implementing access controls using Microsoft Intune.