Complete Guide: How to Configure Microsoft Intune (2025) — UEM, Security, and Operations at Scale
A practical, up-to-date manual to configure Microsoft Intune end to end. We explain what Intune is, what it’s for, where it fits, and who should run it. Includes a step-by-step deployment, templates for Windows Autopilot/ESP, Android Enterprise, and iOS/iPadOS (ADE); compliance policies and Conditional Access; Endpoint Security (BitLocker/FileVault, Defender, LAPS); app management (Win32, the “new” Microsoft Store, Enterprise App Management); updates (WUfB and Autopatch); the Intune Suite (Remote Help, Endpoint Privilege Management, Advanced Analytics, Cloud PKI); and automation with Microsoft Graph.
Want to roll out Intune with less friction and clear KPIs?
At MSAdvance we deploy Intune with guardrails, automation, and production-ready playbooks.
Executive summary — Intune in 7 ideas
- Cloud UEM for Windows, Android, iOS/iPadOS, macOS, and Linux, with integrated compliance and reporting.
- Modular licensing: Plan 1 (core), Plan 2 (advanced capabilities), and the Intune Suite (Remote Help, EPM, Advanced Analytics, Enterprise App Management, Cloud PKI).
- Flexible enrollment: Autopilot/ESP on Windows; Android Enterprise (Managed Google Play); ADE/ABM on iOS/iPadOS; macOS with profiles and FileVault.
- Endpoint security: BitLocker/FileVault, Defender, LAPS, baselines, and Settings Catalog with granular assignments via filters.
- Apps: Win32 (.intunewin), Microsoft Store (new, with WinGet), and the Enterprise App Management catalog for third-party apps.
- Updates: Windows Update for Business + Windows Autopatch for continuous orchestration.
- Risk signals from Microsoft Defender for Endpoint to drive compliance and blocking via Conditional Access.
What Microsoft Intune is and where it fits
Microsoft Intune is Microsoft’s Unified Endpoint Management (UEM) platform. It centralizes device and app management, applies configuration and compliance policies, and powers a Zero Trust model with integrated signals and reporting. It’s administered from the Intune admin center and integrates with Microsoft Entra ID (identity), Microsoft 365, and Microsoft Defender.
Intune coexists with tools like Configuration Manager (co-management) and complementary services (Purview, Defender, Entra). In 2025, the scope includes advanced Intune Suite capabilities for remote support, privileges, a third-party app catalog, and cloud PKI.
Who should use it and recommended roles
Splitting duties reduces errors and speeds up operations. Use groups and scope tags to constrain responsibilities by region/business unit.
- Intune Administrator / Helpdesk: daily tasks, remote support, app/policy operations.
- Endpoint Security Admin: baselines, Defender, BitLocker/FileVault, LAPS.
- Update Administrator: WUfB, feature updates, quality, and Windows Autopatch.
- App Lifecycle Owner: Win32, Microsoft Store (new), Enterprise App Management.
- RBAC/Platform: role design, scope tags, filters, and policy sets.
Requirements and licensing (Plan 1/Plan 2/Intune Suite)
Plan 1 covers core administration (UEM) and is included in several Microsoft 365 and EMS subscriptions. Plan 2 adds advanced features and is included in the Intune Suite, which brings Remote Help, Endpoint Privilege Management (EPM), Advanced Analytics, Enterprise App Management, and Cloud PKI.
Always review official plans and pricing and the What’s new in Intune article for changes that affect compatibility or support (e.g., minimum Company Portal versions on Android).
Architecture: platforms, governance, and limits
Intune manages Windows 10/11, Android Enterprise, iOS/iPadOS, macOS, and Linux (select scenarios). It relies on Entra ID for groups/identities, on Defender for risk signals, and on update services (WUfB/Autopatch) for lifecycle. For access control and delegation, use RBAC, scope tags, filters, and policy sets.
- Security signals: integration with Microsoft Defender for Endpoint for device risk and security tasks.
- Updates: Update rings, Feature updates, and Windows Autopatch as a managed orchestrator.
- Apps: Win32 (.intunewin), Microsoft Store (new, WinGet-backed), and the EAM catalog.
- Certificates: Cloud PKI as a managed PKI (no on-prem servers).
Five-phase deployment plan
- Foundations: licensing, domains, RBAC roles, scope tags, groups, and naming.
- Enrollment: Windows Autopilot/ESP, Android Enterprise (Managed Google Play), ADE/ABM, macOS.
- Configuration: Settings Catalog and baselines; email/Wi-Fi/VPN/browser profiles and restrictions.
- Security: BitLocker/FileVault, Defender, LAPS, compliance, and Conditional Access.
- Operations: apps (Win32/Microsoft Store/EAM), updates (WUfB/Autopatch), reporting/support (Remote Help, Advanced Analytics).
First steps in the Intune admin center
Before creating policies, define who can do what, and over which objects. Enforce least privilege, delegate by region/BU, and keep scope tags consistent.
Initial checklist
| Area | Action | Expected outcome |
|---|---|---|
| RBAC | Assign roles to groups, not individuals | Clear audit trail and safe rotations |
| Scope tags | Define tags by region/BU | Constrained visibility and edit rights |
| Groups | Use dynamic groups for devices and users | Automatic assignments and fewer errors |
| Naming | Use platform/environment prefixes (DEV/PROD) | Faster search and support |
Device enrollment — methods and best practices
Enrollment establishes device identity, the MDM channel, and the base to apply apps, configuration, and security. Choose a path by ownership (corporate vs BYOD), platform, and desired end-user experience. Standardize prerequisites (certificates, stores, and connectors) and measure results with KPIs.
KPIs that matter
- Time to productive (T2P): from first boot to a usable desktop (<45 min desired on Windows with essential apps).
- Autopilot/ADE success rate: >98% per wave, with <2% retries.
- Day-0 critical apps: VPN/EDR/Office installed by the end of ESP/DPP.
Windows 10/11 — Autopilot + ESP
For corporate devices, Windows Autopilot offers zero-touch: assign a profile (User-Driven/Pre-Provisioning) and use the Enrollment Status Page (ESP) to block the desktop until critical policies and apps are applied. The “Device Preparation” (DPP) experience reduces friction in large deployments.
- Prerequisites: active licenses, devices with UEFI/TPM 2.0, connectivity to Microsoft services, and valid drivers.
- ESP/DPP: mark only essential apps as blocking (VPN, EDR, Office); set the rest to required in the background.
- Zero touch: ask OEMs to upload the hardware hash to your tenant to avoid manual captures.
- Co-management: if you have Configuration Manager, enable co-management or migrate in phases with specific workloads.
Android — Android Enterprise
Link Managed Google Play and choose the mode: Work Profile (BYOD), Corporate-Owned Work Profile (COPE), Fully Managed, or Dedicated (kiosk). Use tokens/QR, Zero-Touch (OEM/carrier), or NFC for mass onboarding.
- Apps: approve from managed Google Play and assign by groups.
- Restrictions: camera, clipboard between profiles, USB, unknown sources.
- BYOD: if you don’t manage the device, use MAM (App Protection) and, for on-prem access, consider Tunnel for MAM.
iOS/iPadOS — ADE and BYOD
Generate the APNs certificate, integrate Apple Business Manager, and assign devices to Intune for ADE with supervision. For BYOD, use User/Device Enrollment with data separation.
- App licenses: integrate VPP for purchases and assignments without a personal Apple ID.
- Wizard: hide steps in Setup Assistant (Apple ID, Siri, etc.) and apply initial restrictions.
macOS
Prioritize ADE + supervision to enable FileVault during Setup Assistant, configure System Extensions, and PPPC (privacy permissions). Prepare Rosetta if you have Intel apps on Apple Silicon Macs.
Linux (selective)
Intune covers desktop Linux scenarios (e.g., Ubuntu LTS/RHEL) with enrollment, basic requirements, and custom compliance via script. Ensure a corporate browser and minimum policy (encryption/password).
Anti-patterns that break rollouts
- Conditional Access requiring a “compliant device” before OOBE completes → start with Report-only and exclude break-glass accounts.
- Not having connectors (APNs/VPP/Managed Google Play) ready in pilot.
- ESP with too many blocking apps (more than 5 usually hurts T2P).
Application management — Win32, Microsoft Store (new), EAM, and MAM
The goal is to provide the “minimum viable catalog” per role and keep it current with the least effort. Combine app types, dependencies, and supersedence, and avoid duplicates (same app as Store and Win32).
Windows app (Win32) — packaging and deployment
Package installers with the Win32 Content Prep Tool into .intunewin; define install/uninstall commands, detection rules (File/Registry), requirements (OS, architecture), and return codes.

```powershell
# Package an installer into .intunewin (example)
# Requires Microsoft-Win32-Content-Prep-Tool
.\IntuneWinAppUtil.exe -c "C:\source\MyApp" -s "setup.exe" -o "C:\packages"
```
- Supersedence: specify which version replaces which, and whether to uninstall the previous one.
- Dependencies: enforce order (e.g., Visual C++ before the app).
- Delivery: use Delivery Optimization and local cache policies where possible.
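Beyond File/Registry rules, a Win32 app can use a custom detection script. The contract Intune applies is simple: the app counts as detected only when the script exits with code 0 and writes something to STDOUT; exit 0 with no output, or any non-zero exit code, means "not detected", so the app is installed (or flagged as failed) again. The following is an added example, not code from the original article or from Microsoft's tooling; the product name `MyApp` and the minimum version `2.4.0` are constructed placeholders to replace with your own. It reads both the 64-bit and WOW6432Node uninstall keys so that a version check works whichever architecture the installer registered under.

```powershell
# Custom detection script for a Windows app (Win32) in Intune.
# Detected  = exit code 0 AND at least one line on STDOUT.
# Not found = exit code 1 (no STDOUT output).
# $DisplayName and $MinimumVersion are placeholders for this example.
$DisplayName    = 'MyApp'
$MinimumVersion = [version]'2.4.0'

# Parse "DisplayVersion" defensively: vendors sometimes register strings that
# are not valid System.Version values (e.g. "2.4.0 beta"), which would otherwise
# throw and make the detection result unreliable.
function ConvertTo-VersionSafe {
    param([string]$Text)
    $parsed = $null
    if ([version]::TryParse($Text, [ref]$parsed)) { return $parsed }
    return $null
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Pick the highest registered version whose DisplayName matches exactly.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $DisplayName -and $_.DisplayVersion } |
    ForEach-Object {
        $v = ConvertTo-VersionSafe -Text $_.DisplayVersion
        if ($v) { [pscustomobject]@{ Version = $v; Raw = $_.DisplayVersion } }
    } |
    Sort-Object Version -Descending |
    Select-Object -First 1

if ($installed -and $installed.Version -ge $MinimumVersion) {
    # Output on STDOUT + exit 0 is what tells Intune the app is present.
    Write-Output "Detected $DisplayName $($installed.Raw)"
    exit 0
}

# No output on purpose: Intune reads "exit 0 without output" as not detected,
# but a non-zero code makes the intent explicit in the IME logs.
exit 1
```

When you attach this script to the app, match the "Run script as 64-bit process" option to the registry view the installer writes to, and keep the version threshold aligned with the supersedence chain so that an older build is never reported as detected.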
Microsoft Store (new)
Publish Store apps with a WinGet-backed backend (no legacy Business Store). Benefits: managed install/update, less packaging, better inventory. Ideal for common apps (Edge, 7-Zip, etc.).
Enterprise App Management (EAM)
In the Intune Suite, EAM offers a curated catalog of third-party (Win32) apps with pre-configured detections and deployments. It reduces packaging effort, speeds up ESP/Autopilot, and standardizes updates.
MAM — App Protection Policies
Protect data at the app level (PIN/biometrics, block copy/paste, corporate storage, selective wipe), with or without MDM enrollment. Recommended for BYOD. Complement with App Configuration (per-app) and CA conditions to require MAM.
Microsoft Tunnel for MAM
Provides per-app VPN on non-enrolled devices (Android/iOS) to access intranet/APIs without MDM. Requires configuring the Tunnel server and assigning the mobile client app.
Role-based catalog policy (pattern)
- Core (ESP/DPP blocking): EDR, VPN, Office, corporate browser.
- Recommended (required in background): printers, internal tools.
- Optional (Company Portal): utilities and on-demand apps.
Configuration and hardening — Settings Catalog, baselines, and OMA-URI
The key is clarity (what changes and why), idempotence (repeatable), and a documented rollback. Prioritize the Settings Catalog and Endpoint security; use baselines as accelerators and OMA-URI only to fill gaps.
Settings Catalog
- Search by keyword (ASR, BitLocker, Bluetooth, Credential Guard) and group settings by area.
- Target groups + filters (manufacturer, model, ownership, OS build) to minimize conflicts.
- Separate Device targeting and User targeting into different profiles.
Security Baselines
- Use the Windows/Edge/Defender baseline as a base and document your deviations.
- Avoid overlapping the same area (e.g., Firewall in a baseline and another profile at the same time).
OMA-URI (CSP) when needed
If a setting isn’t exposed, apply OMA-URI. Example use cases: granular ASR, Windows Hello timeouts, etc. Keep a small “custom” profile per functional domain and version it in Git.
Operational best practices
- Consistent naming: WIN-SEC-BitLocker-Prod, MAC-SEC-FileVault-Prod.
- One profile per area (encryption, firewall, browser, USB) instead of “mega profiles”.
- Dev → Pilot → Prod with filters to isolate conflicting models/builds.
Endpoint Security — encryption, EDR, local passwords
The Endpoint security area concentrates critical policies (encryption, AV/EDR, ASR, firewall, local accounts). This is where your Zero Trust posture materializes on the endpoint.
BitLocker (Windows) and FileVault (macOS)
- BitLocker: Disk Encryption profile, silent encryption with TPM, recovery escrowing in Intune, startup PIN if your threat model requires it, and key rotation after recovery.
- FileVault: enable during Setup Assistant (ADE) to avoid gaps; escrow and rotate recovery keys in Intune.
Microsoft Defender for Endpoint (AV/EDR) + ASR + Firewall
- Antivirus/EDR: Antivirus policies, Tamper Protection enabled, minimal and reviewed exclusions.
- ASR: block malicious macros, credential stealing, and living-off-the-land (start in audit → enforce).
- Firewall: per-profile rules and blocking unsolicited inbound; log traffic for analysis.
Windows LAPS (Local Administrator Password Solution)
Eliminate static local passwords: LAPS rotates automatically and stores in Entra/AD. Define expiry, complexity, and who can read it. Apply it from Account protection.
Suggested sequence
- Enable Defender (AV/EDR) and Tamper Protection.
- Apply ASR and Firewall in audit → block.
- Enforce encryption (BitLocker/FileVault).
- Enable LAPS and review access to the password.
Compliance, risk signals, and Conditional Access
Compliance policies emit a verdict (compliant/non-compliant) that Entra ID consumes in Conditional Access. With Defender integrated, add device risk as an automatic blocking condition.
Compliance policies — platform baseline
- Windows: encryption required, Secure Boot, minimum version, Defender enabled and up to date.
- Android/iOS: no root/jailbreak, PIN/biometrics lock, minimum OS version, recent Company Portal app.
- macOS: FileVault enabled, minimum version, XProtect enabled.
- Linux: password/encryption requirements and custom compliance via script if applicable.
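Custom compliance, mentioned for Linux above and available on Windows as well, is built from two artifacts: a discovery script that prints a single compressed JSON object whose keys are setting names, and a rules JSON file that tells Intune how to evaluate each key (`SettingName`, `Operator`, `DataType`, `Operand`, plus remediation text shown in Company Portal). The following is an added example, not from the original article or from Microsoft; the two setting names `OsDriveEncrypted` and `SecureBootEnabled` are constructed for this illustration, and `MoreInfoUrl` is a placeholder. The discovery script is written for Windows; a Linux discovery script follows the same contract (emit the same JSON shape), only in shell.

```powershell
# --- Part 1: discovery script (uploaded to the compliance policy) -----------
# Output contract: exactly one line of compressed JSON on STDOUT; each key
# must match a SettingName in the rules file below. Runs as SYSTEM.

# BitLocker status of the OS volume. Get-BitLockerVolume needs the BitLocker
# module (present on Windows 10/11 Pro/Enterprise); on a host without it we
# report "not encrypted" rather than failing the whole evaluation.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$osDriveEncrypted = [bool]($osVolume -and $osVolume.ProtectionStatus -eq 'On')

# Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "off".
$secureBoot = $false
try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

$result = @{
    OsDriveEncrypted  = $osDriveEncrypted
    SecureBootEnabled = $secureBoot
}
return ($result | ConvertTo-Json -Compress)

# --- Part 2: rules file (uploaded as JSON; kept here as a here-string so the
# example is self-contained; write it to disk with Set-Content) --------------
$rulesJson = @'
{
  "Rules": [
    {
      "SettingName": "OsDriveEncrypted",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/placeholder-bitlocker-howto",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "The system drive must be encrypted with BitLocker.",
          "Description": "Open Settings > Privacy & security > Device encryption, or contact the helpdesk."
        }
      ]
    },
    {
      "SettingName": "SecureBootEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.invalid/placeholder-secureboot-howto",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Secure Boot must be enabled.",
          "Description": "Enable Secure Boot in UEFI firmware settings, or contact the helpdesk."
        }
      ]
    }
  ]
}
'@
$rulesJson | Set-Content -Path '.\custom-compliance-rules.json' -Encoding UTF8
```

Roll this out the same way as any other compliance policy: pilot group first, watch the per-setting results in the compliance report, and only then let the verdict feed a Conditional Access policy that is still in Report-only mode.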
Device risk (MDE) → Compliance → Conditional Access
Mark devices with risk >= Medium/High as non-compliant and use a CA policy “Require device to be marked as compliant” (start in Report-only). Exclude break-glass accounts, validate with sign-in logs, and enable in production by waves.
Patterns that work
- CA + MAM on BYOD: if not compliant, allow access only from managed apps or the corporate browser.
- Block without policy: prevent devices from being “compliant by default” by creating a baseline policy for All users.
Updates — WUfB and Windows Autopatch
Standardize your strategy with Update rings (quality), Feature updates (target version), and monitoring. If you want Microsoft to orchestrate Windows/M365 Apps/Edge/Teams updates, add Windows Autopatch.
Windows Update for Business (WUfB)
- Update rings: deferrals, restarts, and pauses by ring (Pilot → First → Broad).
- Expedite: accelerate the installation of out-of-band critical patches.
- Feature updates: pin the version (e.g., Windows 11 24H2) and stabilize the fleet.
Windows Autopatch
- Managed service: creates rings, coordinates Microsoft components, and reports health.
- Ideal if you prioritize lower operational load with consolidated telemetry.
Recommended pattern
- Define rings with adoption targets (e.g., Pilot 5%, First 20%, Broad 75%).
- Lock the desired feature version and review safeguard holds before advancing.
- Use expedite for critical vulnerabilities and review post-patch impact.
Reporting, diagnostics, and troubleshooting
Day-to-day operations require visibility and support tools. Intune integrates compliance, configuration, and update reports, and adds remote diagnostics and assisted help capabilities.
Built-in reports
- Compliance: status by policy, platform, and group; export CSV for audits.
- Configuration: success/failure by profile, conflicts, and per-device metrics.
- Windows Update reports: patch/version adoption and installation errors.
- Endpoint analytics: boot times, app health, and proactive remediations.
Support and diagnostics
- Device diagnostics: collect remote log packages for analysis.
- Remote Help: secure sessions with RBAC and logging, including certain non-enrolled devices.
- Remote actions: sync, restart, selective/full wipe, protected reset.
Anti-patterns
- Not recording changes (who/when/why): use a Git repository and versioning.
- Analyzing only failures: watch trends (ESP time, % retries, slow apps).
Intune Suite — capabilities that make a difference
Remote Help
Secure remote support (Windows/Android) with authenticated sessions, RBAC, logs, and an option for certain non-enrolled devices. Enable the connector and permissions under Tenant administration.
Endpoint Privilege Management (EPM)
Replace “making users local admin” with controlled elevations for approved actions/apps, with auditing and expiry.
Advanced Analytics
Advanced visibility, anomalies, device timeline, and queries for proactive diagnosis.
Cloud PKI
Managed PKI by Microsoft to issue/renew certificates (Wi-Fi/VPN, SCEP/PKCS) without on-prem servers. Models include cloud root CA or BYOCA.
Enterprise App Management (EAM)
Ready-to-use third-party app catalog, with updates and compatibility with Autopilot/ESP.
Governance in Intune — RBAC, scope tags, filters, and policy sets
Define RBAC (built-in or custom roles), apply scope tags to segregate objects by region/BU, and use filters to target precisely (by manufacturer, version, ownership). Package deliverables with policy sets (apps + policies) for repeatable “landing zones”.
Automation — Microsoft Graph and PowerShell
Gold standard: one repository per environment (dev/pre/prod), pipelines with approval, and state artifacts (JSON/CSV). Use Microsoft Graph PowerShell to export/create policies, apps, and assignments.
Connect to Graph and list devices
```powershell
# Requires Microsoft.Graph
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All","DeviceManagementConfiguration.ReadWrite.All","DeviceManagementManagedDevices.Read.All"

# Managed devices
Get-MgDeviceManagementManagedDevice -Top 50 | Select-Object DeviceName, OperatingSystem, ComplianceState
```
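The "state artifacts" in a Git repository that the gold standard above calls for can be produced directly from Graph. The script below is an added example, not from the original article; it assumes `Connect-MgGraph` has already run with at least `DeviceManagementConfiguration.Read.All`, and it uses the beta endpoint `deviceManagement/configurationPolicies`, which is where Settings Catalog policies live. It pages through `@odata.nextLink`, pulls each policy's settings from the `/settings` sub-collection, and writes one JSON file per policy (including `roleScopeTagIds`, so scope-tag drift shows up in a diff). The output folder name is a constructed example.

```powershell
# Export Settings Catalog policies to one JSON file each, for versioning in Git.
# Assumes: Connect-MgGraph already done with DeviceManagementConfiguration.Read.All.

# Follow @odata.nextLink until the collection is exhausted. Invoke-MgGraphRequest
# returns a hashtable by default, so the '@odata.nextLink' key is read directly.
function Get-GraphCollection {
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    return $items
}

function Export-SettingsCatalogPolicies {
    param([Parameter(Mandatory)][string]$OutputFolder)

    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $base = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'

    foreach ($policy in Get-GraphCollection -Uri $base) {
        # Settings are not embedded in the list response; fetch them per policy.
        $settings = Get-GraphCollection -Uri "$base/$($policy.id)/settings"

        # Keep only the fields that describe intent; tenant-specific ids and
        # timestamps are dropped so that a diff reflects real changes.
        $snapshot = [ordered]@{
            name            = $policy.name
            description     = $policy.description
            platforms       = $policy.platforms
            technologies    = $policy.technologies
            roleScopeTagIds = $policy.roleScopeTagIds
            settings        = $settings
        }

        # Policy names such as "WIN-SEC-BitLocker-Prod" become the file name.
        $safeName = ($policy.name -replace '[^\w\-]', '_')
        $snapshot | ConvertTo-Json -Depth 50 |
            Set-Content -Path (Join-Path $OutputFolder "$safeName.json") -Encoding UTF8
    }
}

# Example invocation (folder name is a constructed value).
Export-SettingsCatalogPolicies -OutputFolder '.\intune-state\configurationPolicies'
```

Run the export from a pipeline on a schedule and commit the result; a pull request that shows an unexpected change to a `WIN-SEC-*` file is the cheapest "who/when/why" record you can get, and it catches manual console edits that bypassed the approval flow.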
Win32 packaging in CI/CD (skeleton)
```yaml
# .azure-pipelines.yml (excerpt)
steps:
  - task: PowerShell@2
    displayName: 'Package Win32'
    inputs:
      targetType: 'inline'
      script: |
        .\IntuneWinAppUtil.exe -c "$(Build.SourcesDirectory)\MyApp" -s "setup.exe" -o "$(Build.ArtifactStagingDirectory)\out"
```
Best practices — the 80/20 that works
- Dev → Pilot → Prod: publish to pilot groups first, with filters by model/version.
- Less is more: 1 baseline per OS + 1 hardening profile. Avoid duplicating settings.
- Tuned ESP: only truly critical blocking apps; the rest as required in the background.
- MDE risk in compliance + Conditional Access to cut real risk.
- Updates: separate quality from feature; use Autopatch if you want less ops.
- Cloud PKI for Wi-Fi/VPN without servers and with automatic renewal.
Common mistakes and how to avoid them
- Everything at once: deploying massive policies without a pilot causes conflicts. Iterate in waves.
- Bloated ESP: blocking with 20 apps hinders first boot; limit to 3–5 critical ones.
- No Managed Google Play/ADE: without these integrations, Android/iOS won’t scale.
- No encryption or LAPS: leaves doors open. Enable BitLocker/FileVault and LAPS from day one.
Frequently asked questions — configuring Intune
What’s the minimum license I need?
Intune Plan 1 for basic UEM; add Plan 2 or the Intune Suite if you need EPM, Remote Help, Advanced Analytics, EAM, or Cloud PKI.
How do I upload Win32 apps?
Convert the installer to .intunewin with the Content Prep Tool and create a “Windows app (Win32)” in Intune.
How do I integrate Android Enterprise?
Connect Managed Google Play to the tenant and approve/authorize apps from there.
What does Autopatch add versus “manual” WUfB?
Windows Autopatch automates orchestration (quality, feature, Edge, M365 Apps) with telemetry and managed rings.
How do I use Defender risk in compliance?
Integrate MDE with Intune and in the compliance policy require “risk ≤ Medium” (or stricter). Block access with Conditional Access.
Official links — documentation and portals
- What is Microsoft Intune?
- Official Intune plans and pricing
- Available Intune licenses
- Apple MDM Push certificate (APNs)
- Android Enterprise and Managed Google Play
- Package Win32 apps (.intunewin)
- Microsoft Store (new) in Intune
- Manage Windows Update in Intune
- Windows Autopatch documentation
- Intune + Microsoft Defender for Endpoint
- Windows LAPS in Intune
- Microsoft Cloud PKI (Intune)
- RBAC in Intune
- Assignment filters
Business-oriented conclusion — Intune as a lever for control and user experience
Rolling out Microsoft Intune with a phased and automated approach dramatically reduces operational risk, accelerates device and application time-to-value, and improves user experience (less friction, proactive support). With Intune + Defender + Entra, the endpoint plugs into your Zero Trust strategy and business metrics: fewer incidents, measurable provisioning times, and verifiable compliance.
Want to reach production with confidence?
We design RBAC and scope tags, industrialize Autopilot/ESP, deploy security policies and apps, and leave you with pipelines and KPIs ready to operate.