Deployment guide: Manage devices running Windows 10/11
This guide describes how to protect and manage Windows apps and endpoints using Microsoft Intune, and includes our setup recommendations and resources from prerequisites to enrollment.
For each section in this guide, review the associated tasks. Some tasks are required and some, like setting up Microsoft Entra Conditional Access, are optional. Select the provided links in each section to go to our recommended help docs on Microsoft Learn, where you can find more detailed information and how-to instructions.
Step 1: Prerequisites
Complete the following prerequisites to enable your tenant's endpoint management capabilities:
For information about Microsoft Intune roles and permissions, see RBAC with Microsoft Intune. The Microsoft Entra Global Administrator and Intune Administrator roles have full rights within Microsoft Intune. These roles are highly privileged and have more access than needed for many device management tasks in Microsoft Intune. We recommend you use the least privileged built-in role that's available to complete tasks.
Use the Microsoft Intune planning guide to define your device management goals, use-case scenarios, and requirements. Use the guide to plan for rollout, communication, support, testing, and validation. For example, in some cases you don't have to be present when employees and students are enrolling their devices. We recommend having a communication plan so that people know where to find information about installing and using Intune Company Portal.
Use compliance policies to ensure that devices accessing your data are secure and meet your organization's standards. The final stage of the enrollment process is the compliance evaluation, which verifies that the settings on the device meet your policies. Device users must resolve all compliance issues to get access to protected resources. Intune marks devices that fall short of compliance requirements as noncompliant and takes additional action (such as sending the user a notification, restricting access, or wiping the device) according to your action for noncompliance configurations.
You can use Microsoft Entra Conditional Access policies in conjunction with device compliance policies to control access to Windows PCs, corporate email, and Microsoft 365 services. For example, you can create a policy that blocks employees from accessing Microsoft Teams in Edge without first enrolling or securing their device.
Choose what happens when devices no longer meet the conditions of your compliance policy. Examples of actions include sending alerts, remotely locking devices, or retiring devices. You can add actions for noncompliance when you configure a device compliance policy, or later by editing the policy.
Create an app-based Conditional Access policy to block apps that use authentication methods other than OAuth2, for example apps that use basic or form-based authentication. Before you block access, however, sign in to Microsoft Entra ID and review the authentication methods activity report to see whether users rely on basic authentication for essential resources you might have overlooked or be unaware of. For example, meeting room calendar kiosks often use basic authentication.
With custom compliance settings, you can write your own Bash scripts to address compliance scenarios not yet included in the device compliance options built into Microsoft Intune. This article describes how to create, monitor, and troubleshoot custom compliance policies for Windows devices. Custom compliance settings require you to create a custom script that identifies the settings and value pairs.
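The following is an added example, not code from the Microsoft Learn page: a discovery script for Windows custom compliance plus the companion JSON rules file. On Windows, Intune executes the discovery script under PowerShell and reads exactly one line of compressed JSON from its standard output; the keys in that JSON are the setting names that the rules file evaluates. The setting names, thresholds and the MoreInfoUrl values are assumptions chosen for illustration, not values from the page.

```powershell
# Added example (not from the Microsoft Learn page): a custom compliance discovery
# script for Windows. Intune runs it on the device and reads one line of compressed
# JSON from stdout; its keys become the setting names that the companion rules file
# (shown in the comment block at the end) compares against.
# Setting names, thresholds and the MoreInfoUrl are assumptions for illustration.

$settings = @{}

# Firmware version string from the SMBIOS table, e.g. "1.17.0"
$bios = Get-CimInstance -ClassName Win32_BIOS
$settings['BiosVersion'] = $bios.SMBIOSBIOSVersion

# Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS machines, so an
# exception is reported as "not enabled" instead of aborting the whole script.
try {
    $settings['SecureBootEnabled'] = [bool](Confirm-SecureBootUEFI)
} catch {
    $settings['SecureBootEnabled'] = $false
}

# TPM specification version, e.g. "2.0"; the class is absent when there is no TPM.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$settings['TpmSpecVersion'] = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { '0' }

# Only stdout is read by Intune, and it must be a single compressed JSON line.
return $settings | ConvertTo-Json -Compress

<#
Companion rules file (upload it as the policy's JSON). Each rule names a key emitted
by the script above, the comparison operator, the data type and the operand;
RemediationStrings is the text the user sees in Company Portal when noncompliant.
{
  "Rules": [
    {
      "SettingName": "SecureBootEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://intranet.example.com/secure-boot",
      "RemediationStrings": [
        { "Language": "en_US", "Title": "Secure Boot is disabled",
          "Description": "Enable Secure Boot in the UEFI firmware settings and restart." }
      ]
    },
    {
      "SettingName": "TpmSpecVersion",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "2.0",
      "MoreInfoUrl": "https://intranet.example.com/tpm",
      "RemediationStrings": [
        { "Language": "en_US", "Title": "TPM 2.0 required",
          "Description": "This device does not report a TPM 2.0 and cannot access work resources." }
      ]
    }
  ]
}
#>
```

Test the script interactively first: it should print a single line such as `{"BiosVersion":"1.17.0","SecureBootEnabled":true,"TpmSpecVersion":"2.0"}` and nothing else, because any extra output (a stray `Write-Host`, a warning) stops Intune from parsing the result. Keep the data types in the rules file consistent with what the script emits (a Boolean rule for a `$true`/`$false` value, a Version rule for a dotted version string), since a type mismatch is evaluated as noncompliant rather than reported as an error.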
Step 4: Configure endpoint security
Use Intune endpoint security features to configure device security and to manage security tasks for devices at risk.
Configure common endpoint protection security features, such as firewall, BitLocker, and Microsoft Defender. For a description of the settings in this area, see the endpoint protection settings reference.
When you integrate Intune with Microsoft Defender for Endpoint, you not only help prevent security breaches, but you can also take advantage of Microsoft Defender for Endpoint's Threat & Vulnerability Management (TVM) and use Intune to remediate endpoint weaknesses identified by TVM.
Use the security baselines in Intune to help you secure and protect your users and devices. A security baseline includes the best practices and recommendations for settings that impact security.
Configure a Windows Update rollout strategy with Windows Update for Business. This article introduces you to the policy types you can use to manage Windows 10/11 software updates, and how to transition from update ring deferrals to a feature updates policy.
Step 5: Configure device settings
Use Microsoft Intune to enable or disable Windows settings and features on devices. To configure and enforce these settings, create a device configuration profile and then assign the profile to groups in your organization. Devices receive the profile once they enroll.
Create a device profile in Microsoft Intune and find resources about all device profile types. You can also use the settings catalog to create a policy from scratch.
Use Windows 10 templates to configure group policy settings in Microsoft Intune. Administrative templates include hundreds of settings that you can configure for Internet Explorer, Microsoft Edge, OneDrive, remote desktop, Word, Excel, and other Office programs. These templates give administrators a simplified view of settings similar to group policy, and they're 100% cloud-based.
Set up a secure VPN option, such as Microsoft Tunnel, for people connecting to your organization's network. For a description of the settings in this area, see the VPN settings reference.
Configure email settings so that people can connect to a mail server and access their work or school email. For a description of the settings in this area, see the email settings reference.
Add and assign device settings and features that aren't built into Intune. For a description of the settings in this area, see the custom settings reference.
If you're planning to enroll Microsoft Entra joined devices, be sure to create a domain join profile so that Intune knows which on-premises domain to join.
Customize the Intune Company Portal and Microsoft Intune app experience with your organization's own words, branding, screen preferences, and contact information.
Create a Windows health monitoring profile to permit Microsoft to collect data about performance and provide recommendations for improvements. Creating a profile enables the endpoint analytics feature in Microsoft Intune, which analyzes collected data, recommends software, helps improve startup performance, and fixes common support issues.
You can configure eSIM for eSIM-capable devices, such as the Surface LTE Pro, to connect to the internet over a cellular data connection. This configuration is ideal for global travelers who need to stay connected and flexible while traveling, and it eliminates the need for a physical SIM card.
Step 6: Set up secure authentication methods
Set up authentication methods in Intune to ensure that only authorized people access your internal resources. Intune supports multi-factor authentication, certificates, and derived credentials. Certificates can also be used for signing and encryption of email using S/MIME.
Require people to supply two forms of credentials at time of device enrollment. This policy works in conjunction with Microsoft Entra Conditional Access policies.
Create and deploy a trusted certificate profile before you create a SCEP, PKCS, or PKCS imported certificate profile. The trusted certificate profile deploys the trusted root certificate to devices and users using SCEP, PKCS, and PKCS imported certificates.
Configure required infrastructure (such as on-premises certificate connectors), export a PKCS certificate, and add the certificate to an Intune device configuration profile.
Create a Windows Hello for Business policy to enable or disable Windows Hello for Business during device enrollment. Hello for Business is an alternative sign-in method that uses Active Directory or a Microsoft Entra account to replace a password, smart card, or a virtual smart card.
Step 7: Deploy apps
As you set up apps and app policies, think about your organization's requirements, such as the platforms you'll support, the tasks people do, the type of apps they need to complete those tasks, and who needs them. You can use Intune to manage the whole device (including apps) or use Intune to manage apps only.
Upload PowerShell scripts to extend Windows device management capabilities in Intune and make it easier to move to modern management.
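The following is an added example that is not part of the Microsoft Learn page or of Intune itself: a PowerShell script of the kind this section describes uploading to Intune, which audits the endpoint protection state described in Step 4 (firewall, BitLocker, Microsoft Defender) after the Intune policies have applied. It is meant to run as SYSTEM in the 64-bit PowerShell host on the device, writes a local log, and returns a nonzero exit code when the device has drifted from the expected state so the failure shows up in the script's status report. The log directory and the seven-day signature-age threshold are assumptions.

```powershell
# Added example (not from the Microsoft Learn page): an Intune platform script that
# audits firewall, BitLocker and Microsoft Defender state on a Windows device and
# records drift. Run as SYSTEM in the 64-bit host. Log path and the 7-day signature
# threshold are assumptions; adjust them to your environment.

$logDir = 'C:\ProgramData\ContosoIT'          # assumed location your helpdesk can read
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$log = Join-Path $logDir 'EndpointProtectionAudit.log'
$findings = [System.Collections.Generic.List[string]]::new()

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $log
}

# 1. Windows Firewall: every profile enabled, inbound blocked by default.
foreach ($p in Get-NetFirewallProfile) {
    if ("$($p.Enabled)" -ne 'True' -or "$($p.DefaultInboundAction)" -ne 'Block') {
        $findings.Add("Firewall profile '$($p.Name)' enabled=$($p.Enabled) inbound=$($p.DefaultInboundAction)")
    }
}

# 2. BitLocker: the OS volume must be fully encrypted with protection turned on.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $os) {
    $findings.Add('BitLocker cmdlets unavailable or OS volume not found')
} elseif ("$($os.ProtectionStatus)" -ne 'On' -or "$($os.VolumeStatus)" -ne 'FullyEncrypted') {
    $findings.Add("BitLocker OS volume protection=$($os.ProtectionStatus) status=$($os.VolumeStatus)")
}

# 3. Microsoft Defender: real-time protection on, signatures no older than 7 days.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    $findings.Add('Microsoft Defender status unavailable')
} else {
    if (-not $mp.RealTimeProtectionEnabled) {
        $findings.Add('Defender real-time protection is off')
    }
    if ($mp.AntivirusSignatureAge -gt 7) {
        $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old")
    }
}

if ($findings.Count -eq 0) {
    Write-Log 'PASS: firewall, BitLocker and Defender match the expected state'
    exit 0
}

$findings | ForEach-Object { Write-Log "FAIL: $_" }
# Nonzero exit marks the script run as failed in the Intune device status view.
exit 1
```

Because Intune reports only the exit code and not the script's output, the local log is what a helpdesk technician reads when a device shows a failed run. The script deliberately only observes and reports; the settings themselves should stay under the endpoint security and configuration profiles from Steps 4 and 5 so that a script and a profile never fight over the same value.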
Step 8: Enroll devices
During enrollment, the device is registered with Microsoft Entra ID and evaluated for compliance. For information about each enrollment method and how to choose one that's right for your organization, see Windows device enrollment guide for Microsoft Intune.
Simplify enrollment by enabling automatic enrollment, which automatically enrolls devices in Intune that join or register with your Microsoft Entra ID. Automatic enrollment simplifies Windows Autopilot deployment, BYOD enrollment, enrollment using Group Policy, and bulk enrollment via a provisioning package.
If you don't have Microsoft Entra ID P1 or P2, we recommend creating CNAME records for the Intune enrollment servers. The CNAME records redirect enrollment requests to the right server so that enrolling users don't have to type the server name in manually.
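The following is an added example, not from the Microsoft Learn page: a check that the enrollment CNAME records exist for a domain and point at the Microsoft enrollment endpoints. The domain name is a placeholder; the two expected targets are the values Microsoft documents for Intune enrollment (`EnterpriseEnrollment-s.manage.microsoft.com`) and Microsoft Entra device registration (`EnterpriseRegistration.windows.net`).

```powershell
# Added example (not from the Microsoft Learn page): verify the Intune enrollment
# CNAME records for a domain. The domain is a placeholder; the expected targets are
# the documented Microsoft enrollment endpoints.
param(
    [string]$Domain = 'contoso.example'   # replace with your verified Entra ID domain
)

$expected = [ordered]@{
    "EnterpriseEnrollment.$Domain"   = 'EnterpriseEnrollment-s.manage.microsoft.com'
    "EnterpriseRegistration.$Domain" = 'EnterpriseRegistration.windows.net'
}

$failures = 0
foreach ($name in $expected.Keys) {
    $want = $expected[$name]
    try {
        # Ask only for the CNAME and ignore any A/AAAA records returned alongside it.
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $target = $cname.NameHost
    } catch {
        $target = $null
    }

    if ($target -and $target.TrimEnd('.') -ieq $want) {
        Write-Host "OK    $name -> $target"
    } else {
        $shown = if ($target) { $target } else { '<no CNAME record>' }
        Write-Warning "FAIL  $name -> $shown (expected $want)"
        $failures++
    }
}

# Nonzero exit so the check can gate a DNS change or run as a scheduled health job.
exit $failures
```

Run it from a machine that resolves public DNS (`.\Check-EnrollmentCname.ps1 -Domain yourdomain.example`). A missing or wrong record does not block enrollment outright; it means users are prompted for the server address during enrollment, which is exactly the manual step the CNAME records are there to remove.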
Simplify the user-driven or self-deploying OOBE for you and your users by setting up Microsoft Intune device enrollment to occur automatically during Windows Autopilot.
The Intune connector for Active Directory enables devices in Active Directory Domain Services to join Microsoft Entra ID, and then automatically enroll in Intune. We recommend this enrollment option for on-premises environments that use Active Directory Domain Services and can't currently move their identities to Microsoft Entra ID.
Create a provisioning package in Windows Configuration Designer that both joins large numbers of new Windows devices to Microsoft Entra ID and enrolls them in Intune.
After a device has been enrolled, you can change its ownership label in Intune to corporate-owned or personal-owned. This adjustment changes the way you manage the device, and can enable more management and identification capabilities in Intune, or limit them.
Troubleshoot and find resolutions to problems that occur during enrollment.
Step 9: Run remote actions
After devices are set up, you can use supported remote actions to manage and troubleshoot devices from a distance. The following articles introduce you to the remote actions for Windows. If an action is absent or disabled in the portal, then it isn't supported for Windows.
Learn how to drill down and remotely manage and troubleshoot individual devices in Intune. This article lists all remote actions available in Intune and links to those procedures.
Use Intune to remediate endpoint weakness identified by Microsoft Defender for Endpoint. Before you can work with security tasks, you must integrate Microsoft Defender for Endpoint with Intune.
Step 10: Help employees and students
The resources in this section are in the Microsoft Intune User Help documentation. This documentation is meant for employees, students, and other Intune-licensed device users who are enrolling a personal or company-provided device. Documentation links are available throughout the Intune Company Portal app and point to information about:
Enrollment methods, with walkthroughs of how to enroll
Company Portal settings and features
How to unenroll and remove stored data
Updating device settings for compliance requirements
How to report app problems
Tip
Make your organization's operating system requirements and device password requirements easy to find on your website or in an onboarding email so that employees don't have to delay enrollment to seek out that information.
This article describes how to unenroll a device from Intune and delete the stored cache and logs for Company Portal.
Next steps
For an overview of the Microsoft Intune admin center and how to navigate it, see Tutorial: Walkthrough the Microsoft Intune admin center. Tutorials are 100- to 200-level content for people new to Intune or to a specific scenario.
Plan and execute an endpoint deployment strategy, using essential elements of modern management, co-management approaches, and Microsoft Intune integration.