Get started with Intune 2024
What’s Microsoft Intune?
Microsoft Intune stands at the core of modern IT strategy as a leading cloud-based endpoint management solution that supports organizations worldwide in controlling and managing user access to critical corporate resources. In an era where work flexibility is highly valued and mobile devices as well as remote workstations have become the norm, the ability to securely manage a variety of devices and applications plays a crucial role in business success. Intune provides a comprehensive platform that not only enables the management of mobile devices and desktop computers but also integrates virtual endpoints to ensure a consistent and secure user experience across all device types and operating systems.
Prerequisites
Licenses
- Microsoft 365 E5
- Microsoft 365 E3
- Enterprise Mobility + Security E5
- Enterprise Mobility + Security E3
- Microsoft 365 Business Premium
- Microsoft 365 F1
- Microsoft 365 F3
- Microsoft 365 Government G5
- Microsoft 365 Government G3
- Microsoft Intune for Education
Supported Operating Systems
| OS | Version |
| --- | --- |
| iOS | 15.0 and higher |
| iPadOS | 15.0 and higher |
| macOS | 11.0 and higher |
| Android | 8.0 and higher |
| Android Enterprise | Enterprise |
| Ubuntu Desktop 22.04 LTS | with GNOME desktop environment |
| Ubuntu Desktop 20.04 LTS | with GNOME desktop environment |
| Windows 10/11 | Home, S, Pro, Education, Enterprise and IoT Enterprise editions |
| Windows 10 LTSC 2019/2021 | Enterprise and IoT Enterprise editions |
| Windows 10 | Version 1709 (RS3) and later |
| Windows Holographic for Business | All |
| Surface Hub with Windows 10 Teams | All |
Architecture
Configuration
Let’s focus on the device part. To configure devices using MS Intune, Configuration Profiles are necessary. These profiles allow you to define settings and parameters and associate them with devices. A configuration profile always includes at least the following elements:
- Policy Title
- Configured Settings
- Assignment to a Group
Various types of profiles are available, including:
- Administrative templates
- Predefined settings for managing user and computer configurations
- Custom
- Allows the creation of tailored settings or configurations specific to organizational needs with OMA-URI
- Delivery optimization
- Manages bandwidth during updates
- Reduces the impact on network traffic when you do Windows updates
- Device firmware configuration interface
- Interface controls to manage firmware settings
- Ensures security and consistency across devices
- Device restrictions
- Policies to control device features and settings
- Can restrict camera use, screen capture, and more
- Device restrictions (Windows 10 Team)
- Specific restrictions tailored for Windows 10 Team devices
- Controls for features unique to this edition
- Domain join
- Enables devices to join a domain
- Edition upgrade and mode switch
- Upgrade to specific Windows editions
- Switching between user modes (e.g., S mode)
- Email
- Configuration settings for email accounts on devices
- Can include email sync settings and server configurations
- Endpoint protection
- Settings related to security, like antivirus and firewall configurations
- Part of the overall security management for devices
- Identity protection
- Tools and policies for protecting user identity on devices
- Imported Administrative templates (Preview)
- Ability to see and configure imported administrative templates
- Kiosk
- Configures devices to run a single app, or a specific set of apps
- Useful for public or dedicated-purpose devices
- Microsoft Defender for Endpoint (Desktop devices running Windows 10 or later)
- Advanced endpoint security features
- Provides threat prevention, detection, investigation, and response
- Network boundary
- Defines network profiles and connections
- Can restrict data transfer to secure network locations
- PKCS certificate
- For certificate deployment
- PKCS imported certificate
- To configure and deploy externally obtained PKCS certificates
- SCEP certificate
- Simple Certificate Enrollment Protocol for device authentication
- Automates the process of certificate issuance
- Secure assessment (Education)
- Special configuration mode for secure testing environments
- Limits device functionality to prevent cheating
- Shared multi-user device
- Configuration for devices used by multiple users
- Includes settings for shared use, like login restrictions
- Trusted certificate
- Deployment of certificates considered ‘trusted’ by the device
- VPN
- Virtual Private Network configurations
- Secures and manages remote access to the corporate network
- Wi-Fi
- Settings for Wi-Fi network connections
- Includes SSID configurations and security options
- Windows health monitoring
- Monitors device health and performance
- Provides insights into system stability and issues
- Wired network
- Configuration settings for wired Ethernet connections
- Includes settings for IP addressing and network security
Compliance
Every device (and every user) managed through Intune must meet specific rules before it is granted access to company data. These rules are defined in one or more Compliance Policies and are checked by the Intune Compliance Service on each device. Compliance policies verify that the settings and parameters specified in configuration profiles have actually been applied to the devices.
A Compliance Policy always includes at least the following elements:
- Policy Title
- Settings to Verify
- Action in Case of Non-Compliance
- Assignment to a Group
You can evaluate settings and parameters related to Device Integrity, Device Properties, System Security, and Microsoft Defender for Endpoint.
After a device is assessed, it falls into one of two statuses: either “Compliant” or “Non-Compliant”. The latter status applies to devices that do not meet the parameters defined in the compliance policy.
You can also influence the transition from the evaluation to the “Non-Compliant” status: you can define how long a device remains classified as “Non-Compliant” after the initial negative evaluation, and whether the user receives early notifications about compliance issues.
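The four elements of a compliance policy described above (title, settings to verify, action on non-compliance with its grace period, group assignment), expressed as a Microsoft Graph request from PowerShell. This is an added example, not code from the original post; the group ID is a placeholder and the specific settings and the 72-hour grace period are assumptions chosen for illustration.

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementManagedDevices.Read.All"

$complianceUri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies"
$groupId = "<OBJECT-ID-OF-AZ-S-CompliancePolicy-Standard>"   # placeholder

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    # 1. Policy title
    displayName            = "WIN-Compliance-Standard"
    description            = "Device health, system security and Defender checks"
    # 2. Settings to verify (Device Health / System Security / Defender)
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    osMinimumVersion       = "10.0.19045"   # example: Windows 10 22H2 as the floor
    antivirusRequired      = $true
    activeFirewallRequired = $true
    defenderEnabled        = $true
    rtpEnabled             = $true          # Defender real-time protection
    # 3. Action in case of non-compliance: mark the device Non-Compliant and
    #    block access after a 72-hour grace period (0 would block immediately).
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 72 }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -Uri $complianceUri `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType "application/json"
Write-Host "Created compliance policy $($created.displayName) with id $($created.id)"

# 4. Assignment to a group
$assignBody = @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }) }
Invoke-MgGraphRequest -Method POST -Uri "$complianceUri/$($created.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Check: which managed devices are currently evaluated as Non-Compliant?
$nonCompliant = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=complianceState eq 'noncompliant'&`$select=deviceName,complianceState,lastSyncDateTime"
$nonCompliant.value | ForEach-Object {
    "{0}  {1}  last sync {2}" -f $_.deviceName, $_.complianceState, $_.lastSyncDateTime
}
```

The scheduledActionsForRule block is the part most often forgotten when policies are created through Graph rather than the portal: without it the policy has no defined action for non-compliance. The final query is a quick way to see which devices the grace period currently applies to.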
Updates
Update rings allow you to configure and manage the entire Windows update process for all devices managed by Intune. With update rings, you determine which updates can be downloaded and installed, and you can also control driver updates.
To specify when an update is installed, you can set a deferral period. This period defines how long after an update’s release you wait before Intune distributes it to the organization’s devices.
In summary, update rings provide a structured way to manage Windows updates, ensuring that your devices stay up-to-date while allowing flexibility in timing and control.
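An update ring with deferral periods and driver-update control, created and assigned from PowerShell via Microsoft Graph. Added example, not code from the original post; the group ID is a placeholder and the deferral values, active hours and update mode are illustrative choices.

```powershell
# Added example, not part of the original post. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$configUri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
$groupId   = "<OBJECT-ID-OF-AZ-S-WindowsUpdate-Standard>"   # placeholder

$updateRing = @{
    "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
    displayName                        = "WIN-UpdateRing-Standard"
    description                        = "Standard ring: short quality deferral, longer feature deferral"
    # Deferral periods: days after release before Intune offers the update
    qualityUpdatesDeferralPeriodInDays = 7
    featureUpdatesDeferralPeriodInDays = 30
    # Driver updates are controlled separately; keep them in the ring here
    driversExcluded                    = $false
    microsoftUpdateServiceAllowed      = $true
    automaticUpdateMode                = "autoInstallAtMaintenanceTime"
    # Install outside the defined active hours
    installationSchedule               = @{
        "@odata.type"    = "#microsoft.graph.windowsUpdateActiveHoursInstall"
        activeHoursStart = "08:00:00"
        activeHoursEnd   = "18:00:00"
    }
    # Pause switches for an emergency stop of a bad update
    qualityUpdatesPaused               = $false
    featureUpdatesPaused               = $false
}

$ring = Invoke-MgGraphRequest -Method POST -Uri $configUri `
    -Body ($updateRing | ConvertTo-Json -Depth 5) -ContentType "application/json"
Write-Host "Created update ring $($ring.displayName) with id $($ring.id)"

# Assignment (same mechanism as any other configuration profile)
$assignBody = @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $groupId } }) }
Invoke-MgGraphRequest -Method POST -Uri "$configUri/$($ring.id)/assign" `
    -Body ($assignBody | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Read the deferral back and compute the earliest date a quality update
# released today would be offered to devices in this ring.
$r = Invoke-MgGraphRequest -Method GET -Uri "$configUri/$($ring.id)"
$earliest = (Get-Date).AddDays($r.qualityUpdatesDeferralPeriodInDays)
"Quality updates released today are offered no earlier than $($earliest.ToString('yyyy-MM-dd'))"
```

A short quality deferral keeps security updates flowing with a few days to catch a broken release; the pause flags are the switch to flip if a release turns out to be broken after all.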
Apps
Of course it’s also possible to deploy, manage, update and remove apps from devices.
More on that in a future post. So stay tuned!
Admin Center
- Sidebar
- Home: Homepage – This page
- Dashboard: Customizable status page
- All Services: Overview of all Services including customizable favorites
- Devices: Link to device panel, with all available functions for your devices
- Apps: All apps deployed with Intune
- Endpoint Security: Endpoint Security specific settings for your devices in Intune
- Reports: Reports of configuration status, Windows updates, failed policies and much more
- Users: Direct access to all users in Entra ID
- Groups: Direct access to all groups in Entra ID
- Tenant Administration: Link to Intune-relevant tenant settings
- Tenant name
- Intune Status
- Notifications and account options
- Intune News and Customer Success
- Documentation and Training
First Steps
- Add Domain to Microsoft 365 Tenant
- Theoretically, Intune would also work without this step, but only with the fallback domain (tenantname.onmicrosoft.com)
- Assign Licenses
- Via dynamic or, alternatively, static Entra ID groups.
- Create Company Branding in Entra ID and Intune
- This is relevant for the setup screens on Autopilot devices and in the Company Portal
The Groups
- Create groups that will later be used as assignment groups for configurations, compliance, and apps.
- AZ-D-Autopilotdevices-Standard: Dynamic group with all Windows Autopilot devices
- Only available for Entra ID P1 license and above
- AZ-S-ConfigurationProfiles-Standard: Static group for standard configurations
- AZ-S-CompliancePolicy-Standard: Static group for standard compliance policy
- AZ-S-WindowsUpdate-Standard: Static group for standard Windows Update ring
- AZ-S-WindowsApps-Standard: Static group for all standard apps (Win32 + MS Store)
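The groups listed above, created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post. The dynamic membership rule is the one Microsoft documents for Autopilot devices (each registered device carries a "[ZTDId]" entry in its physical IDs); the descriptions are assumptions.

```powershell
# Added example, not part of the original post: create the assignment groups
# from the naming convention above. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Dynamic group (needs Entra ID P1): every Windows Autopilot device carries a
# "[ZTDId]" entry in its physical IDs, which this membership rule matches.
$autopilot = New-MgGroup -DisplayName "AZ-D-Autopilotdevices-Standard" `
    -Description "Dynamic: all Windows Autopilot devices" `
    -MailEnabled:$false -SecurityEnabled `
    -MailNickname "AZ-D-Autopilotdevices-Standard" `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(device.devicePhysicalIDs -any (_ -startsWith "[ZTDId]"))' `
    -MembershipRuleProcessingState "On"
Write-Host "Created dynamic group $($autopilot.DisplayName) ($($autopilot.Id))"

# Static (assigned) security groups; members are added manually later.
$staticNames = @(
    "AZ-S-ConfigurationProfiles-Standard"
    "AZ-S-CompliancePolicy-Standard"
    "AZ-S-WindowsUpdate-Standard"
    "AZ-S-WindowsApps-Standard"
)
$static = foreach ($name in $staticNames) {
    New-MgGroup -DisplayName $name -Description "Static assignment group" `
        -MailEnabled:$false -SecurityEnabled -MailNickname $name
}

# Check: list the naming-convention groups with their type. The object IDs
# are what configuration, compliance and update-ring assignments refer to.
Get-MgGroup -Filter "startsWith(displayName,'AZ-')" -Property "id,displayName,groupTypes,membershipRule" |
    Select-Object DisplayName, Id,
        @{ n = "Type"; e = { if ($_.GroupTypes -contains "DynamicMembership") { "Dynamic" } else { "Static" } } } |
    Format-Table -AutoSize
```

Creating the groups before any profile keeps assignments stable: profiles reference the group object ID, so renaming a group later does not break them, but deleting and recreating one does.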
That’s it
Now you’re ready to get started with Intune. Next, we’ll proceed with preparations for the enrollment process, including Windows Autopilot. I’ve described these for you in the next post.