Set up Microsoft Intune

Without the proper tools and resources, managing hundreds or thousands of devices in a school environment can be a complex and time-consuming task. Microsoft Intune is a collection of services that simplifies the management of devices at scale.

The Microsoft Intune service can be managed in different ways, and one of them is Intune for Education, a web portal designed for education environments.

Intune for Education supports the entire device lifecycle, from the enrollment phase through retirement. IT administrators can start managing classroom devices with bulk enrollment options and a streamlined deployment. At the end of the school year, IT admins can reset devices, ensuring they're ready for the next year.

For more information, see Intune for Education documentation.

In this section you will:

• Review Intune's licensing prerequisites
• Configure the Intune service for education devices

Prerequisites

Before configuring settings with Intune for Education, consider the following prerequisites:

• Intune subscription. Microsoft Intune is licensed in three ways:
  • As a standalone service
  • As part of Enterprise Mobility + Security
  • As part of a Microsoft 365 Education subscription
• Device platform. Intune for Education can manage devices running a supported version of Windows 10, Windows 11, Windows 11 SE, iOS, and iPad OS

For more information, see Intune licensing and this comparison sheet, which includes a table detailing the Microsoft Modern Work Plan for Education.

Configure the Intune service for education devices

The Intune service can be configured in different ways, depending on the needs of your school. In this section, you'll configure the Intune service using settings commonly implemented by K-12 school districts.

Configure enrollment restrictions

With enrollment restrictions, you can prevent certain types of devices from being enrolled and therefore managed by Intune. For example, you can prevent the enrollment of devices that are not owned by the school.

To block personally owned Windows devices from enrolling:

1. Sign in to the Microsoft Intune admin center.
2. Select Devices > Enroll devices > Enrollment device platform restrictions
3. Select the Windows restrictions tab
4. Select Create restriction
5. On the Basics page, provide a name for the restriction and, optionally, a description > Next
6. On the Platform settings page, in the Personally owned devices field, select Block > Next
7. Optionally, on the Scope tags page, add scope tags > Next
8. On the Assignments page, select Add groups, and then use the search box to find and choose groups to which you want to apply the restriction > Next
9. On the Review + create page, select Create to save the restriction

For more information, see Create a device platform restriction.

Disable Windows Hello for Business

Windows Hello for Business is a biometric authentication feature that allows users to sign in to their devices using a PIN, password, or fingerprint. Windows Hello for Business is enabled by default on Windows devices, and to set it up, users must perform for multi-factor authentication (MFA). As a result, this feature may not be ideal for students, who may not have MFA enabled. It's suggested to disable Windows Hello for Business on Windows devices at the tenant level, and enabling it only for devices that need it, for example for teachers and staff devices. To disable Windows Hello for Business at the tenant level:

1. Sign in to the Microsoft Intune admin center.
2. Select Devices > Windows > Windows Enrollment
3. Select Windows Hello for Business
4. Ensure that Configure Windows Hello for Business is set to disabled
5. Select Save

For more information how to enable Windows Hello for Business on specific devices, see Create a Windows Hello for Business policy.

---

Next steps

With the Intune service configured, you can configure policies and applications in preparation to the deployment of students' and teachers' devices.

Next: Configure devices >