Intune Intro
What is Intune
- Microsoft Intune is a cloud-based endpoint management service that helps organizations manage and secure devices and applications.
- Intune is Saas (software as a service), Microsoft manage all its infrastructure.
- On-prem we used SCCM to manage devices but in cloud we manage with Intune.
- Microsoft Intune Certification is MD-102
What is MDM, MAM, What Intune does?
-
1. Mobile Device Management (MDM): Intune lets IT teams manage:
Windows PCs
macOS computers
iPhones and iPads
Android devicesThey can:
Enforce password policies
Require encryption
Push Wi-Fi/VPN settings
Remotely lock or wipe devices -
2. Mobile Application Management (MAM):
Deploy apps to devices
Restrict copy/paste between work and personal apps
Protect company data inside apps (even on personal devices)
This is useful for BYOD (Bring Your Own Device) environments. -
3. Security & Compliance
Intune works with:
Microsoft Entra ID (formerly Azure AD)
Microsoft Defender for EndpointIt can:
Block non-compliant devices from accessing company resources
Enforce security baselines
Monitor device health - Code
-
Intune Use case
- If a company gives employees laptops:
Intune automatically sets security policies
Installs required apps (like Outlook and Teams)
Ensures the device is encrypted
Allows IT to wipe it if it’s lost - code
- If a company gives employees laptops:
Licenses
- https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/licenses
- To confirm your Microsoft Intune license or trial, use the following steps:
- Sign in to Microsoft Intune admin center.
- Select Tenant administration > Tenant status.
- Under the Tenant details tab, you will see the MDM authority, the Total licenses users, and the Total Intune licenses.
- Select Tenant administration > Roles > My permissions.
- Confirm you are an administrator with full permissions to all Intune resources.
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
Intune Portal
Dashboard
- New Dashboard
- Edit:
- Export:
- Clone:
- Delete:
- Devie enrollment:
- Device compliance:
- Device configuration:
- Client apps:
All Services
- General:
- Agents:
- Apps:
- Devices:
- Endpoint security:
- Explorer:
- Groups:
- Reports:
- Surgace management portal:
- Tnant administration:
- Users:
- Troubleshooting+sipport
- Other Consoles:
- Microsoft Entra
- code
Explorer
- code
- code
- code
Devices
- Overview:
- All devices: List of all devices
- Device query:
- Run query
- Monitor:
- This list includes all devices monitoring reports, including those in the overview.
- Device Encryption report:
- Devices/Monitor/type Encryption and select encryption status
- Code
- By Platform:
Windows Devices
- Monitor:
- Device onboarding:
- Windows 365:
- Enrollment:
- Windows: Enrollment options:
- Automatic Enrollment:
- MDM user scope: None, Some, All (Use MDM auto-enrollment to manage enterprise data on your employees' Windows devices. MDM auto-enrollment will be configured for Microsoft Entra joined devices and bring your own device scenarios.)
-
1️⃣ Registers the device with the organization
When a user signs in with their work account (Azure AD / Entra ID), the device is automatically enrolled into Intune.2️⃣ Applies security policies automatically
Examples:
Enforce PIN/password
Enable disk encryption (BitLocker)
Configure firewall settings
Block rooted/jailbroken devices3️⃣ Installs required apps
Microsoft 365 apps
Company apps
VPN profiles
Wi-Fi configurations -
4️⃣ Enables compliance monitoring
Ensures the device:
Has antivirus enabled
Is up to date
Meets company security requirements5️⃣ Allows remote management
IT can:
Wipe lost/stolen devices
Lock devices remotely
Reset passwords
Remove company data🔹 When Is It Used?
MDM auto-enrollment is commonly used when:
Joining a device to Azure AD (Entra ID)
During Windows Autopilot setup
When a user logs into a corporate PC for the first time
Enrolling mobile devices into company management🔹 Why It’s Important
Without auto-enrollment:
Users must manually enroll devices.
Devices might miss security policies.
IT has less control and visibility.
With auto-enrollment:
Zero-touch provisioning
Strong security from day one
Reduced IT workload
Better compliance and auditing🔹 Simple Example
An employee buys a new laptop.
They sign in with their company email.
The device automatically enrolls into Intune.
Company apps install automatically.
Security settings are applied.
The device becomes compliant.
No IT intervention required.
-
- MDM terms of use URL:
- MDM discovery URK:
- Disable MDM enrollment when adding work or school account on windows:
- MDM compliance URL:
- Windows informaiton protection (WIP) user scope: None, Some, All
- WIP terms of use URL:
- WIP discovery URL:
- WIP compliance URL:
- CNAME Validation:
- Co-management settings:
- Device platform restriction:
- Device limit restriction:
- Enrollment notifications:
- Windows Hello for Business:
- Windows Backup and Restore:
- Corporate device identifiers:
- Add:
- Device enrollment managers:
- Add:
- Enrolling Windows PC:
- Step 1:
- Intune Portal: https://intune.microsofst.com
- Pre requisite in Intune:
- User: Create a user (abdul aziz) from entra admin https://entra.microsoft.com
- Group: Create a group (IT) and attach users (abdulaziz, aftab, junaid). from entra admin (security group) https://entra.microsoft.com
- Assing Intune License to group (IT): Assign license from https://admin.cloud.microsoft.com, Microsoft has changed assigning licenses and now all licenses should be assigned from admin center.
- Step 2: Enrolling windows PC
- Physical windows machine, Windows 11 (hostname = IT-Training)
- Right click on start/settings/accounts/Enrol only in device management/enter email (a.mohammed@stardistributors2026.onmicrosoft.com) in windows 11
- Right click on start/settings/accounts/access work or school/Enrol only in device management/enter email (a.mohammed@stardistributors2026.onmicrosoft.com) in windows 10
- Connecting to a service: a.mohammed@stardistributors2026.onmicrosoft.com and password (will take some to register), connected to Star Distributors MDM.
- MDM server url paste it (Go to intune/enrollment/Automatic Enrollment/copy MDM discovery url) in windows 10
- It will take some time to enroll:
- Check: go to intune portal/devices/By platform/Windows
- Manage enrolled devices.
- click on enrolled device.
- Overview:
- Retire:
- Wipe:
- Delete:
- Remote lock:
- Sync:
- Reset passcode:
- Restart:
- Fresh Start:
- Autopilot Reset:
- Quick Scan:
- Full Scan:
- Updae Windows Defender security intelligence:
- Manage devices:
- Bitlocker key rotation:
- Rename device:
- New remote assistance session
- locate device:
- pause config refresh:
- Run remediation:
- Manage:
- Properties:
- Monitor:
- Device inventory:
- Hardware:
- Discovered apps:
- Device compliance:
- Device configuration:
- App configuration:
- Recovery keys:
- User experience:
- Group membership:
- Managed Apps:
- Filter evaluation:
- Enrollment:
- Remediations:
- Configuration:
- Compliance:
- Scripts and remediations:
- Group Policy analytics:
- Configuriing GPO using Intune:
- windows_devices2.jpg
- currently IT-training (Windows 11 pc) is enrolled in Intune MDM devices.
- This device is in workgroup: win+r and type sysdm.cpl
- Configuring a policy to block access of control panel with Intune.
- Go to intune portal/Manage devices/Configuration/
- eSIM cellular profiles:
- Manage Updates:
- Windows updates:
- Organize devices:
- Device clean-up rules
- Assignment filters:
iOS.iPadOS
- code
- code
- code
macOS
- code
- code
- code
Android
- code
- code
- code
Linux Devices
- code
- code
- code
Device onboarding
- code
- code
- code
Manage devices
- Configuration:
- Policies: Show list of policies
- Import ADMX
- Monitor:
- Create:
- Create new policy/import policy:
- Create a profile:
- Platform: select from drop down: windows 10 & later (Android device administrator, Android (AOSP), Android entrprise, iOS/iPadOS, Linux, macOS, Windows 8.1 and later)
- Profile type: select from drop down:Settigns catalog, Properties catalog, Templates(select administrative template), create
- Basics:
- Name:star_ctrl_pnl_block
- Description: control panel block policy
- Configuration settings:
- Computer configuration:
- user configuration:control panel/prohibit access to control panel and pc/Enable
- Note: if it stuck at loading, just finish the policy and edit configuration settings.
- Scope tags:
- Default
- Assignments:
- Add groups (IT), Add all users, Add all devices
- Review+Create:
- Go to particular device and click sync so that policy takes affect.
- Go to that device, open cmd prompt and run gpupdate /force
- Try to access control panel from the machine: will get error:
- Export:
- Compliance:
- Conditional access:
- Scripts and remediations:
- Group policy analytics:
- eSIM cellular profiles
- policy sets
- Device categories
- Partner portals:
- Configuration:
Manage updates
- code
- code
- code
Organize devices
- code
- code
- code
Help and support
- code
- code
- code
Apps
- apps_overview.jpg
All Apps
- code
- code
- code
Monitor
- code
- code
- code
Platform
- Windows
- IOS/IPadOS
- macOS
- Android
Manage apps
- code
- code
- code
organize apps
- code
- code
- code
Help and support
- code
- code
Endpoint Security
Overview
- code
- code
- code
All Devices
- code
- code
- code
Security baseline
- code
- code
- code
Security tasks
- code
- code
- code
Antivirus
- code
- code
- code
Disk encryption
- BitLocker provides additional data protection layer by using the encryption/decryption technology.
- Its a data protection feature that integrates with the O/S and addresses the threats of data theft or exposure from lost, stolen or inappropriately decomissioned computers.
- BitLocker provides the most protection when used a Trusted Platform Module TPM version 1.2 or later.
- Create Endpoint Security Disk Enctyption Policy for BitLocker:
- Go to Intune admin center -->Endpoint Security -->Disk encryption --> Create Policy
- Platform = Windows 10 and later
- Profile = Bitlocker
- Click create
- Basics
- Name = Star_bitlocker
- Description = Bitlocker policy for Endpoints
- Configuration settings
- BitLocker:
- Require Device Enctyption: Not Configured , Disabled (Default), Enabled
- Allow Warning For Other Disk Encryption: Not Configured , Disabled (Default), Enabled
- Configure Recovery Password Rotation: Not Configured , Refresh off (Default), Refresh on for Entra Id-joined devices, Refresh on for both Entra ID-joined and hybrid-joined devices
- BitLocker Drive Encryption:
- Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later): Not Configured , Disabled (Default), Enabled
- Provide the unique identifiers for your organization: Not Configured , Disabled (Default), Enabled
- Operating System Drives:
- Enforce drive encryption type on operating system drives: Not Configured , Disabled (Default), Enabled
- Require additional authentication at startup: Not Configured , Disabled (Default), Enabled
- Configure minimum PIN length for startup: Not Configured , Disabled (Default), Enabled
- Allow enhanced PINs for startup: Not Configured , Disabled (Default), Enabled
- Disallow standard users from changing the PIN or password: Not Configured , Disabled (Default), Enabled
- Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN: Not Configured , Disabled (Default), Enabled
- Enable use of BitLocker authentication requiring preboot keyboard input on slates: Not Configured , Disabled (Default), Enabled
- Choose how BitLocker-protected operating system drives can be recovered: Not Configured , Disabled (Default), Enabled
- Configure pre-boot recovery message and URL: Not Configured , Disabled (Default), Enabled
- Fixed Data Drives:
- Enforce drive encryption type on fixed data drives: Not Configured , Disabled (Default), Enabled
- Choose how BitLocker-protected fixed drives can be recovered: Not Configured , Disabled (Default), Enabled
- Deny write access to fixed drives not protected by BitLocker: Not Configured , Disabled (Default), Enabled
- Scope tags:
- Assignments:
- select group to which this applies.
- Save
- Go to Endpoint machine --> settings-->Accounts-->work or school--> info --> sync.
- popup message: Encryption needed.
- check box: I don't have any other disk encrption software installed, encrypt all my disks.
- Disk encryption will start.
- Enter the password
- Save to: your Azure AD account, Save to USB flash drive, Save to a file, print the recovery key: choose required.
- Click Activate Bitlocker.
- Device encrypt will start, once it is done, an icon will appear.
- Go to Intune admin center/Devices/All Device/click device/Recovery keys:
- click show recovery key:
- Report: Devices/Monitor/type Encryption and select encryption status
- Create Device Configuration Profile for BitLocker:
- Go to Intune admin center --> Devices --> Configuration Profiles --> Create New Policy
- Code
Firewall
- code
- code
- code
Endpoint Privilege Management
- code
- code
- code
Endpoint detection and response (EDR)
- code
- code
- code
App Control for Business
- code
- code
- code
Attach Surface reduction
- code
- code
- code
Account Protection
- code
- code
- code
Device Compliance
- code
- code
- code
Conditional Access
- code
- code
- code
Monitor/Assignment Failures
- code
- code
- code
Setup/Microsoft Defender for Endpoint
- code
- code
- code
Help and Support
- code
- code
- code
Agents
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
Reports
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
Users
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
Groups
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
code
- code
- code
- code
Tenant administration:
- Tenant status:
- Tenand details:
- Tenant name=StarDistributors2026.onmicrosoft.com
- Tenant location: Europe 0601
- MDM authority Intune Account status = Active
- Service release = 2601
- Total enrolled devices = 1
- Total licenses users = 3
- Total lntune license = 25
- Connector status:Not Enabled
- Service health and message center: check status
- Admin tasks:
- Remote Help;
- Monitor:
- Settings:
- Remote Help sessions:
- Microsoft Tunnel Gateway:
- Cloud PKI:
- Connectors and tokens:
- Assignment filters:
- Roles:
- Microsoft Entra Privileged identity management:
- Diagnostics settings:
- Audit logs: user login details
- Device diagnostics:
- Multi Admin Approval:
- Intune add-ons:
- Copilot:
- End user experience:
- Customization:
- Custom notifications:
- Terms and conditions:
- Help and support