Managing endpoints used to mean walking floor to floor with a USB drive and a checklist. That era is over. Organizations now support Windows laptops, macOS devices, iPhones, Android phones, and tablets — many of them owned by employees, connecting from home networks, coffee shops, and airports. The attack surface has expanded dramatically, and the management challenge has grown with it.
Microsoft Intune is the cloud-native endpoint management platform within the Microsoft ecosystem. It handles device enrollment, compliance enforcement, configuration management, application deployment, and security policy delivery — all from a single console, with no on-premises infrastructure required. If your organization runs Microsoft 365, Intune is the natural choice for endpoint management, and it integrates directly with Azure Active Directory (Entra ID), Conditional Access, and Microsoft Defender for Endpoint.
This guide walks through setting up Intune from scratch: licensing, portal configuration, device enrollment, compliance policies, app deployment, Windows Update management, conditional access integration, and monitoring. Each section includes the specific steps and configuration decisions you need to make.
Prerequisites and Licensing
Before you touch the Intune portal, you need the right licenses and infrastructure in place. Skipping this step leads to enrollment failures, missing features, and wasted time troubleshooting licensing issues.
License Requirements
Intune is included in several Microsoft 365 and Enterprise Mobility + Security (EMS) bundles:
- Microsoft 365 Business Premium — includes Intune, with a cap of 300 licensed users, suitable for small and mid-sized organizations
- Microsoft 365 E3/E5 — includes Intune Plan 1 with full device management capabilities
- Microsoft 365 F1/F3 — includes Intune for frontline workers with some feature limitations
- Enterprise Mobility + Security E3/E5 — includes Intune as a standalone add-on for organizations not on M365 E3/E5
- Intune Plan 2 (add-on) — adds advanced endpoint management features such as specialty device management and Tunnel for mobile app management
- Intune Suite (add-on) — adds remote help, endpoint privilege management, advanced analytics, and Tunnel for MAM
Verify your licenses in the Microsoft 365 admin center under Billing > Licenses. Every user who will have a managed device needs an Intune license assigned.
- Confirm you have sufficient Intune licenses for all users who will enroll devices
- Assign Intune licenses to users (or use group-based licensing in Azure AD)
- Verify that Azure AD Premium P1 is available (required for conditional access and dynamic groups)
Infrastructure Prerequisites
- Ensure you have Global Administrator or Intune Administrator role access
- Verify your Azure AD tenant is configured and users are synced (if using hybrid identity with Azure AD Connect)
- Configure a custom domain name in Azure AD if not already done
- For Apple device management: obtain an Apple MDM Push certificate (requires an Apple ID)
- For Android Enterprise: set up a Managed Google Play account
- Ensure DNS records are configured correctly: EnterpriseEnrollment.yourdomain.com and EnterpriseRegistration.yourdomain.com should point to Microsoft’s enrollment servers
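The two auto-discovery records are the most common cause of "we could not find your organization" errors during enrollment, and they are easy to check before anyone tries to enroll. The script below is an added example, not part of the original guide: it resolves both CNAMEs for a domain you pass in and compares them with the targets Microsoft documents for MDM enrollment (EnterpriseEnrollment-s.manage.microsoft.com) and device registration (EnterpriseRegistration.windows.net). The domain value is a placeholder you supply.

```powershell
# Added example (not from the original guide): verify the two Intune auto-discovery
# CNAME records for a domain. The expected targets are Microsoft's documented
# values for MDM enrollment and device registration auto-discovery.
# Usage: .\Test-IntuneDns.ps1 -Domain contoso.com   (script name and domain are placeholders)
param(
    [Parameter(Mandatory)] [string] $Domain
)

$expected = @{
    "enterpriseenrollment.$Domain"   = "enterpriseenrollment-s.manage.microsoft.com"
    "enterpriseregistration.$Domain" = "enterpriseregistration.windows.net"
}

$allGood = $true
foreach ($name in $expected.Keys) {
    try {
        $records = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop
        # A CNAME answer exposes its target in the NameHost property.
        $target  = ($records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
    } catch {
        $target = $null
    }

    if ($null -eq $target) {
        Write-Warning "$name : no CNAME record found"
        $allGood = $false
    } elseif ($target.TrimEnd('.').ToLower() -ne $expected[$name]) {
        Write-Warning "$name : points to '$target', expected '$($expected[$name])'"
        $allGood = $false
    } else {
        Write-Host "$name : OK -> $target"
    }
}

# Non-zero exit lets the check fail a pipeline or scheduled task if a record drifts.
if (-not $allGood) { exit 1 }
```

Run it from any machine with outbound DNS; the comparison is case-insensitive and tolerates a trailing dot on the answer, which some resolvers add.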
Intune Portal Setup and Tenant Configuration
The Microsoft Intune admin center is where all device management happens. Before enrolling devices, configure tenant-wide settings that apply to your entire environment.
Tenant Administration
- Navigate to Tenant administration > Tenant status and verify your tenant details, MDM authority (should be set to “Microsoft Intune”), and service health
- Under Tenant administration > Roles, review built-in roles and create custom roles if you need to delegate management without granting full Intune Administrator access
- Configure Terms and Conditions under Tenant administration > Terms and conditions — these are presented to users during enrollment and are required for compliance in many regulated industries
- Set up organizational branding under Tenant administration > Customization — add your company name, logo, and support contact information to the Company Portal app
Device Enrollment Restrictions
Define what devices can enroll before you open enrollment to users.
- Navigate to Devices > Enrollment restrictions
- Configure Device type restrictions: specify which platforms are allowed (Windows, iOS/iPadOS, Android, macOS) and set minimum OS version requirements
- Set Device limit restrictions: define the maximum number of devices each user can enroll (default is 15, which is too high for most organizations — consider 5 or fewer)
- Block personally owned devices at this level if your organization does not support BYOD, or create separate restriction profiles for different user groups
Device Enrollment
Enrollment is how devices come under Intune management. The enrollment method you choose affects the user experience, the level of control you have over the device, and the ongoing management capabilities. Different platforms require different approaches.
Windows Enrollment
Windows offers the most enrollment flexibility. The three primary methods are Windows Autopilot, Azure AD Join, and hybrid Azure AD join.
Windows Autopilot (Recommended for New Devices):
Autopilot transforms the out-of-box experience. A user opens a new laptop, connects to Wi-Fi, signs in with their corporate credentials, and Intune handles the rest — installing apps, applying policies, and configuring settings. No IT technician touches the device.
- Register device hardware IDs with Autopilot: collect hardware hashes from your OEM or use a PowerShell script to extract them from existing devices
- Create an Autopilot deployment profile under Devices > Windows > Windows enrollment > Deployment Profiles
- Choose between “User-driven” (user signs in during setup) and “Self-deploying” (for shared devices or kiosks)
- Configure the Out-of-Box Experience (OOBE) settings: hide license terms, privacy settings, and account change options to simplify the user experience
- Assign the deployment profile to a device group
- Create an Enrollment Status Page (ESP) to control what users see during provisioning and prevent them from using the device before critical apps and policies are applied
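Collecting hardware hashes from devices already in your fleet is the step most people script. The block below is an added example rather than a script from this guide or from Microsoft: it reads the same WMI class (MDM_DevDetail_Ext01) that Microsoft's published Get-WindowsAutopilotInfo script uses and writes the three-column CSV the admin center imports under Windows Autopilot devices. The output path is an assumption; run it elevated.

```powershell
# Added example (not from the original guide): read the Autopilot hardware hash
# of the local device and write it in the CSV layout that the Intune admin center
# imports under Devices > Windows > Windows enrollment > Devices. Run as Administrator.
$session = New-CimSession
$serial  = (Get-CimInstance -CimSession $session -ClassName Win32_BIOS).SerialNumber

# The hardware hash is exposed through the MDM bridge WMI provider.
$devDetail = Get-CimInstance -CimSession $session -Namespace root/cimv2/mdm/dmmap `
    -ClassName MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
Remove-CimSession $session

if (-not $devDetail) {
    throw "Unable to read MDM_DevDetail_Ext01; make sure this runs elevated on Windows 10/11."
}
$hash = $devDetail.DeviceHardwareData

$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''      # optional column, left blank
    'Hardware Hash'        = $hash
}

# Placeholder output location; the import expects unquoted fields, so strip the
# quotes that ConvertTo-Csv adds.
$outFile = Join-Path $env:TEMP "AutopilotHWID.csv"
$row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path $outFile -Encoding ASCII
Write-Host "Hardware hash written to $outFile"
```

Append rows from several devices into one CSV (keeping a single header line) and upload the file once; devices then appear in the Autopilot device list and pick up whatever deployment profile is assigned to their group.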
Azure AD Join (Existing Devices):
For devices already in use, Azure AD join enrolls them in Intune through Windows Settings.
- Navigate to Settings > Accounts > Access work or school > Connect on the Windows device
- Select “Join this device to Azure Active Directory”
- The user signs in with corporate credentials, and the device is registered and enrolled
Automatic Enrollment via Group Policy:
For organizations with existing Active Directory environments, you can configure automatic MDM enrollment for hybrid Azure AD joined devices using Group Policy.
iOS and iPadOS Enrollment
Apple device enrollment requires an Apple MDM Push certificate. Without it, iOS enrollment will not work.
- Obtain and upload the Apple MDM Push certificate in Devices > iOS/iPadOS > iOS/iPadOS enrollment > Apple MDM Push certificate
- Renew this certificate annually — if it expires, all enrolled iOS devices lose management
Apple Business Manager / Automated Device Enrollment (Corporate Devices):
- Link Apple Business Manager (ABM) to Intune under Devices > iOS/iPadOS > iOS/iPadOS enrollment > Enrollment program tokens
- Create an enrollment profile that enables supervision (supervised devices give you significantly more management control, including silent app installation and single app mode)
- Assign the profile to devices in ABM
User Enrollment (BYOD):
- Configure a user enrollment profile for personally owned iOS devices
- User enrollment provides a managed Apple ID and separates work data from personal data at the OS level
- Users download the Company Portal app from the App Store and follow the enrollment prompts
For comprehensive guidance on securing personal devices, see our article on mobile device security in the workplace.
Android Enrollment
Android enrollment varies significantly depending on whether the device is corporate-owned or personally owned.
Android Enterprise — Corporate-owned, Fully Managed:
- Set up the Managed Google Play account connection in Tenant administration > Connectors and tokens > Managed Google Play
- Create an enrollment profile under Devices > Android > Android enrollment > Corporate-owned, fully managed user devices
- Enroll devices using QR code, NFC, zero-touch enrollment, or token-based enrollment
Android Enterprise — Work Profile (BYOD):
- Users download the Intune Company Portal app from Google Play
- During enrollment, a separate work profile is created on the device, isolating corporate apps and data from personal content
- You manage only the work profile — you cannot wipe personal data or see personal apps
BYOD vs. Corporate-Owned: Choosing the Right Approach
The enrollment method you select has significant implications for security, privacy, and user experience. Organizations that support BYOD policies need to balance security requirements with employee privacy.
| Factor | Corporate-Owned | BYOD (Personal) |
|---|---|---|
| Management level | Full device management | Work profile / app-level only |
| Wipe capability | Full device wipe | Selective wipe (work data only) |
| App visibility | All apps visible to IT | Only work apps visible |
| Privacy | Company owns the device | Personal data stays private |
| Cost | Organization purchases devices | Employee provides device |
| User experience | IT controls the full device | Work and personal are separated |
For most organizations, a hybrid approach works best: corporate-owned devices for employees who handle sensitive data, and BYOD with work profiles for employees who prefer their own devices.
Compliance Policies
Compliance policies define the minimum security requirements a device must meet to be considered “compliant.” A non-compliant device can be blocked from accessing corporate resources through conditional access — this is where Intune and Azure AD security work together to enforce zero trust principles.
Creating Compliance Policies
Navigate to Devices > Compliance policies > Create policy and select the platform.
Windows Compliance Policy Settings:
- Device health: Require BitLocker, Secure Boot, and code integrity
- Device properties: Set minimum and maximum OS version requirements (block devices running unsupported Windows versions)
- System security: Require a password, set minimum password length (8+ characters), and require password complexity
- Microsoft Defender for Endpoint: Require a machine risk score of “Clear” or “Low” (integrates with Defender for Endpoint)
- Defender for Cloud: If applicable, integrate cloud security posture signals
iOS Compliance Policy Settings:
- Require a device passcode with minimum length of 6 digits
- Block jailbroken devices
- Set minimum OS version (block devices running iOS versions that no longer receive security updates)
- Require device encryption (enabled by default on iOS when a passcode is set)
Android Compliance Policy Settings:
- Block rooted devices
- Require Google Play Services and up-to-date security patches
- Set minimum OS version
- Require device encryption and a screen lock with minimum complexity
Actions for Non-Compliance
Configure what happens when a device falls out of compliance. Do not immediately block access — give users time to remediate.
- Day 0: Mark device as non-compliant; send email notification to user explaining the issue
- Day 3: Send a reminder notification
- Day 7: Block access to corporate resources (enforced through conditional access)
- Day 14 (optional): Retire the device (remove corporate data)
This graduated approach reduces helpdesk tickets and gives users the opportunity to fix issues on their own.
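The settings listed above and the graduated timeline map directly onto the compliance policy object Intune exposes through Microsoft Graph. The block below is an added example, not code from the original guide or from Microsoft: it creates a Windows compliance policy with the device health, OS version, password and Defender risk requirements from the list, plus the Day 0/3/7/14 schedule. One modelling detail worth knowing: in Intune the portal's "Mark device noncompliant" action is the `block` action with a grace period in hours, and while a device is still inside that grace period Conditional Access continues to treat it as compliant, which is exactly what produces the "notify first, block on day 7" behaviour. The notification template ID and minimum OS build are placeholders; the script needs the Microsoft.Graph.Authentication module.

```powershell
# Added example (not from the original guide): create a Windows compliance policy
# through Microsoft Graph (beta endpoint) that encodes the settings and the
# graduated non-compliance schedule described above.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

# Placeholder: ID of a notification message template created under
# Devices > Compliance policies > Notifications. Replace before running.
$notificationTemplateId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    "@odata.type"         = "#microsoft.graph.windows10CompliancePolicy"
    displayName           = "Windows - Baseline compliance"
    description           = "BitLocker, Secure Boot, code integrity, password, OS version, Defender risk"
    # Device health
    bitLockerEnabled      = $true
    secureBootEnabled     = $true
    codeIntegrityEnabled  = $true
    # Device properties (placeholder build number; set it to your supported baseline)
    osMinimumVersion      = "10.0.19045"
    # System security
    passwordRequired      = $true
    passwordMinimumLength = 8
    passwordRequiredType  = "alphanumeric"
    # Microsoft Defender for Endpoint: machine risk score must be Clear or Low
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "low"
    # Graduated actions; gracePeriodHours counts from the first failed evaluation
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                # Day 0: e-mail the user explaining the failure
                @{ actionType = "notification"; gracePeriodHours = 0;   notificationTemplateId = $notificationTemplateId; notificationMessageCCList = @() }
                # Day 3: reminder
                @{ actionType = "notification"; gracePeriodHours = 72;  notificationTemplateId = $notificationTemplateId; notificationMessageCCList = @() }
                # Day 7: mark non-compliant, which is what Conditional Access blocks on
                @{ actionType = "block";        gracePeriodHours = 168; notificationTemplateId = ""; notificationMessageCCList = @() }
                # Day 14: retire the device (remove corporate data)
                @{ actionType = "retire";       gracePeriodHours = 336; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}

$body    = $policy | ConvertTo-Json -Depth 6
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" `
    -Body $body -ContentType "application/json"
Write-Host "Created compliance policy $($created.id); assign it to a pilot group first."
```

The policy is created unassigned; assign it to a pilot group and watch the compliance report for a week before attaching it to a Conditional Access grant control.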
Configuration Profiles
While compliance policies define minimum requirements, configuration profiles actively push settings to devices. These profiles configure Wi-Fi, VPN, email, device restrictions, and security baselines.
Key Configuration Profiles to Deploy
Navigate to Devices > Configuration profiles > Create profile.
Security Baselines:
Microsoft provides pre-configured security baselines for Windows that align with CIS and Microsoft recommended settings. These baselines cover hundreds of settings including browser security, Windows Defender configuration, network security, and local policy settings.
- Deploy the Microsoft Edge security baseline
- Deploy the Windows security baseline (review settings before deploying — some defaults may be too restrictive for your environment)
- Deploy the Microsoft Defender for Endpoint baseline
Device Restrictions:
- Configure password policies, screen lock timeouts, and camera restrictions where appropriate
- Block USB storage on devices that handle sensitive data
- Control Windows Update behavior (defer feature updates, require quality updates)
Wi-Fi and VPN Profiles:
- Create Wi-Fi profiles for corporate wireless networks so devices connect automatically
- Configure VPN profiles for remote access (or configure Microsoft Tunnel for mobile devices)
- Use certificate-based authentication for Wi-Fi and VPN where possible
Email Profiles:
- Deploy Exchange Online email profiles to automatically configure the Outlook app on mobile devices
- Use app protection policies to prevent corporate email data from being copied to unmanaged apps
For organizations looking to harden their broader Microsoft 365 environment alongside Intune, see our Microsoft 365 security hardening checklist.
Application Deployment
Intune supports deploying several types of applications. Getting app deployment right is critical for user productivity — if users cannot access the tools they need, they will find workarounds that bypass your security controls.
Microsoft Store Apps
The simplest deployment method. Microsoft Store apps are maintained and updated by the store.
- Navigate to Apps > All apps > Add > Microsoft Store app (new)
- Search for the app in the Microsoft Store catalog
- Assign the app to user or device groups as “Required” (auto-install), “Available” (user chooses to install from Company Portal), or “Uninstall”
Win32 Apps
For traditional desktop applications not available in the Microsoft Store, Intune supports Win32 app deployment using the .intunewin package format.
- Download the Microsoft Win32 Content Prep Tool
- Package your application: IntuneWinAppUtil.exe -c <source_folder> -s <setup_file> -o <output_folder>
- Upload the .intunewin file under Apps > All apps > Add > Windows app (Win32)
- Configure the install and uninstall commands (e.g., setup.exe /quiet /norestart for install, msiexec /x {ProductCode} /quiet for uninstall)
- Define detection rules to determine whether the app is already installed (registry key, file existence, or MSI product code)
- Set requirements (minimum OS version, disk space, architecture)
- Configure dependencies and supersedence if this app replaces or requires another app
- Assign to groups as Required or Available
Line-of-Business (LOB) Apps
LOB apps are custom applications specific to your organization, packaged as .msi, .appx, .ipa, or .apk files.
- Navigate to Apps > All apps > Add and select the appropriate LOB app type
- Upload the package file
- Configure app information (name, description, publisher)
- Assign to appropriate user or device groups
Managed Google Play and Apple VPP Apps
For mobile devices, use Managed Google Play (Android) and Apple Volume Purchase Program / Apple Business Manager (iOS) to distribute apps.
- Approve apps in Managed Google Play or Apple Business Manager
- Sync the apps to Intune
- Assign apps to device or user groups
App Protection Policies (MAM)
App protection policies protect corporate data at the application level, even on unmanaged devices. This is essential for BYOD scenarios where you want to protect corporate data without enrolling the personal device.
- Create app protection policies under Apps > App protection policies
- Configure data protection settings: prevent copy/paste from managed to unmanaged apps, require encryption, block screen capture
- Configure access requirements: require PIN or biometric to open managed apps
- Configure conditional launch: block access from jailbroken/rooted devices, require minimum OS version, set offline grace period
Windows Update Rings
Intune manages Windows Updates through Update Rings, which control when and how updates are delivered. This replaces WSUS and Group Policy-based update management for cloud-managed devices.
Configuring Update Rings
Navigate to Devices > Windows > Update rings for Windows 10 and later > Create profile.
- Quality update deferral: Set to 7 days for the general population (gives you a week to identify issues before updates roll out broadly) and 0 days for a pilot group
- Feature update deferral: Set to 30-90 days depending on your organization’s tolerance for new features and your testing capacity
- Maintenance window: Configure active hours to prevent restarts during business hours
- Automatic update behavior: Set to “Auto install and restart at a scheduled time” for most users
- Deadline settings: Configure compliance deadlines to force installation of critical updates within a defined window (e.g., 5 days for quality updates, 14 days for feature updates)
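The five settings above are the ones that actually shape patch cadence, and they are easiest to reason about when the pilot and broad rings sit side by side. The block below is an added example, not code from the original guide or from Microsoft: it creates the two rings through Microsoft Graph with 0-day and 7-day quality deferrals, the "auto install and restart at a scheduled time" behaviour, and the 5-day/14-day deadlines, then assigns each to a device group. The group object IDs and the 03:00 install time are placeholders. Note that "active hours" is the alternative schedule type (windowsUpdateActiveHoursInstall) used with the "at maintenance time" mode; the scheduled-time mode chosen here takes an install day and time instead.

```powershell
# Added example (not from the original guide): create a pilot ring and a broad ring
# through Microsoft Graph (beta) and assign each to a device group.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

function New-UpdateRing {
    param(
        [string] $Name,
        [int]    $QualityDeferralDays,
        [int]    $FeatureDeferralDays
    )
    $ring = @{
        "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        displayName                        = $Name
        qualityUpdatesDeferralPeriodInDays = $QualityDeferralDays
        featureUpdatesDeferralPeriodInDays = $FeatureDeferralDays
        # "Auto install and restart at a scheduled time": every day at 03:00 (placeholder time)
        automaticUpdateMode                = "autoInstallAndRebootAtScheduledTime"
        installationSchedule               = @{
            "@odata.type"        = "#microsoft.graph.windowsUpdateScheduledInstall"
            scheduledInstallDay  = "everyday"
            scheduledInstallTime = "03:00:00"
        }
        # Compliance deadlines from the text: 5 days quality, 14 days feature, 2-day grace
        deadlineForQualityUpdatesInDays    = 5
        deadlineForFeatureUpdatesInDays    = 14
        deadlineGracePeriodInDays          = 2
        postponeRebootUntilAfterDeadline   = $false
        microsoftUpdateServiceAllowed      = $true
        driversExcluded                    = $false
        userPauseAccess                    = "disabled"
        userWindowsUpdateScanAccess        = "enabled"
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations" `
        -Body ($ring | ConvertTo-Json -Depth 5) -ContentType "application/json"
}

function Set-RingAssignment {
    param([string] $ConfigId, [string] $GroupId)
    $assign = @{
        assignments = @(
            @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } }
        )
    }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$ConfigId/assign" `
        -Body ($assign | ConvertTo-Json -Depth 5) -ContentType "application/json"
}

# Pilot takes quality updates immediately; the broad ring waits a week.
$pilot = New-UpdateRing -Name "Update Ring - Pilot" -QualityDeferralDays 0 -FeatureDeferralDays 30
$broad = New-UpdateRing -Name "Update Ring - Broad" -QualityDeferralDays 7 -FeatureDeferralDays 60

# Group object IDs are placeholders; use the Entra ID object ID of each device group.
Set-RingAssignment -ConfigId $pilot.id -GroupId "<pilot-group-object-id>"
Set-RingAssignment -ConfigId $broad.id -GroupId "<broad-group-object-id>"
```

Keep a device in exactly one ring; a device that lands in both inherits the more restrictive deferral and the reporting becomes hard to interpret.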
Feature Update Policies
For more granular control over Windows feature updates, create feature update policies.
- Navigate to Devices > Windows > Feature updates for Windows 10 and later
- Select the specific Windows version you want devices to run (e.g., Windows 11 24H2)
- Assign to device groups to control which devices receive which feature update version
This approach is particularly useful for holding certain devices on a specific Windows version while allowing others to move forward.
Conditional Access Integration
Conditional access is where Intune’s compliance data becomes actionable security policy. Without conditional access, a non-compliant device is flagged but not blocked. With conditional access, a non-compliant device is automatically denied access to corporate resources.
Key Conditional Access Policies for Intune
Navigate to the Microsoft Entra admin center > Protection > Conditional Access > Policies.
Require Compliant Devices for Cloud Apps:
- Create a new policy targeting all users (exclude break-glass accounts)
- Target cloud apps: Office 365, Exchange Online, SharePoint Online, Teams
- Under Grant, select “Require device to be marked as compliant”
- Enable the policy in “Report-only” mode first to evaluate impact before enforcement
Block Access from Unsupported Platforms:
- Create a policy that blocks access from platforms you do not manage (e.g., Linux, ChromeOS) if those platforms are not part of your endpoint strategy
Require App Protection Policy for Mobile Access:
- For BYOD mobile devices not enrolled in Intune, require an app protection policy as a grant control
- This ensures corporate data in apps like Outlook and Teams is protected even on unmanaged devices
Integrate with Microsoft Defender for Endpoint:
- Connect Intune to Microsoft Defender for Endpoint under Endpoint security > Microsoft Defender for Endpoint
- Enable the compliance connector so that device risk scores from Defender flow into Intune compliance evaluation
- Create compliance policies that require a “Clear” or “Low” risk level
- Build conditional access policies that block high-risk devices from accessing sensitive resources
This integration is a key component of a zero trust security model, where device health is continuously evaluated before granting access.
Endpoint Security Policies
Intune’s Endpoint Security node consolidates security-specific policies in one place, separate from general device configuration.
Key Security Policies to Configure
Navigate to Endpoint security in the Intune admin center.
- Antivirus: Configure Microsoft Defender Antivirus settings including real-time protection, cloud-delivered protection, and scan schedules. For more on endpoint protection, see our guide on the benefits of endpoint protection
- Disk encryption: Deploy BitLocker policies for Windows and FileVault policies for macOS
- Firewall: Configure Windows Defender Firewall rules through Intune rather than relying on local Group Policy
- Endpoint detection and response (EDR): Deploy Defender for Endpoint onboarding packages to devices
- Attack surface reduction (ASR): Enable ASR rules to block common attack techniques like Office macro abuse, credential theft, and ransomware behavior
Reporting and Monitoring
Deployment is not the end — ongoing monitoring is how you catch issues before they become incidents.
Key Reports to Monitor
- Device compliance report (Devices > Monitor > Device compliance): Shows the compliance status of all managed devices. Investigate any devices stuck in “Not compliant” or “Not evaluated” status
- App installation status (Apps > Monitor > App install status): Track which apps succeeded, failed, or are pending installation. Win32 app deployments commonly fail due to detection rule misconfigurations
- Configuration profile status (Devices > Monitor > Assignment status): Identify profiles that are failing to apply, which often indicates conflicts between profiles
- Windows Update compliance (Reports > Windows updates): Monitor update ring compliance and identify devices that are falling behind on patches
- Enrollment failures (Devices > Monitor > Enrollment failures): Track and troubleshoot enrollment issues by platform and error code
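The compliance report is the one you will open most often, and pulling it programmatically makes it easy to separate devices that are genuinely failing a rule from devices that have simply stopped checking in. The block below is an added example, not code from the original guide or from Microsoft: it pages through the Graph managedDevices collection, groups everything that is not "compliant" by state and platform, and flags devices with no sync in the last seven days. The seven-day threshold and the output path are assumptions.

```powershell
# Added example (not from the original guide): list every managed device whose
# compliance state is not "compliant", summarize by state and platform, and
# flag stale devices. Uses Microsoft Graph v1.0 with @odata.nextLink paging.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" -NoWelcome

$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
       "?`$select=deviceName,userPrincipalName,operatingSystem,osVersion,complianceState,lastSyncDateTime"

# Fetch all pages; filtering client-side keeps the query portable across tenants.
$all = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $all += $page.value
    $uri  = $page.'@odata.nextLink'   # $null on the last page
}

# complianceState values include compliant, noncompliant, inGracePeriod,
# conflict, error and unknown ("Not evaluated" in the portal).
$problem = $all | Where-Object { $_.complianceState -ne 'compliant' }

$problem |
    Group-Object { "$($_.complianceState) / $($_.operatingSystem)" } |
    Sort-Object Count -Descending |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Devices that have not synced in 7 days are usually stale or retired hardware,
# not a real policy failure, and belong in a separate cleanup queue.
$cutoff = (Get-Date).AddDays(-7)
$stale  = $problem | Where-Object {
    $_.lastSyncDateTime -and ([datetime]$_.lastSyncDateTime -lt $cutoff)
}
Write-Host "$($problem.Count) devices not compliant, $($stale.Count) of them with no sync in 7 days."

# Placeholder output path for the helpdesk or a ticketing import.
$problem | Select-Object deviceName, userPrincipalName, operatingSystem, osVersion, complianceState, lastSyncDateTime |
    Export-Csv -Path (Join-Path $env:TEMP "intune-noncompliant.csv") -NoTypeInformation
```

Schedule this daily and diff the CSV against the previous run; a sudden jump in a single state (for example a wave of "error") usually points at a broken policy edit rather than at the devices.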
Setting Up Alerts
- Configure diagnostic settings to send Intune logs to a Log Analytics workspace for long-term retention and advanced querying
- Create alert rules for critical events: enrollment failures, compliance status changes, and policy assignment failures
- Review the Intune Troubleshooting + Support blade for individual user and device troubleshooting
Common Pitfalls and How to Avoid Them
After deploying Intune across many organizations, certain mistakes appear repeatedly. Avoiding these will save you significant time and frustration.
1. Not testing policies before broad deployment. Always deploy new compliance policies and configuration profiles to a small pilot group first. Use Azure AD dynamic groups to create test rings (e.g., a group based on a department attribute or a specific test user group). Deploying an untested compliance policy with conditional access enforcement can lock your entire organization out of email.
2. Conflicting configuration profiles. When multiple profiles configure the same setting with different values, the result is unpredictable. Intune will report a conflict, but the device may end up with either value or neither. Audit your profiles regularly and use the “Settings catalog” instead of “Templates” for better visibility into individual settings.
3. Forgetting to renew the Apple MDM Push (APNs) certificate. If the Apple MDM Push certificate expires, all enrolled iOS devices lose management. You must renew it with the same Apple ID that was used to create the original certificate. Set a calendar reminder 30 days before expiration.
4. Overly aggressive compliance timelines. Marking devices non-compliant immediately and blocking access on day one generates a flood of helpdesk tickets and frustrated users. Use the graduated enforcement model described above — notify first, then escalate.
5. Ignoring the Enrollment Status Page (ESP) for Autopilot. Without an ESP, users can start using a device before critical security policies and apps are installed. Configure the ESP to block device use until required apps are installed and compliance policies are evaluated.
6. Not planning for app detection rules. Win32 app deployments succeed or fail based on detection rules. If the detection rule does not accurately identify whether the app is installed, Intune will either reinstall the app repeatedly or report success when the app did not actually install. Test detection rules thoroughly.
7. Skipping app protection policies for BYOD. Relying solely on device enrollment for BYOD users is a mistake. Many users resist full device enrollment on their personal phones. App protection policies provide data protection without enrollment, giving you a fallback for mobile device security when users decline enrollment.
8. Not connecting Intune to Defender for Endpoint. Running Intune without the Defender for Endpoint integration means your compliance decisions do not account for active threats on the device. A device can be “compliant” with password and encryption requirements while actively running malware. The Defender integration closes this gap.
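The detection-rule step in the Win32 app section and pitfall 6 above come down to the same thing: the rule must answer "is the right version installed?" and nothing else. The block below is an added example, not code from the original guide or from any vendor: a custom detection script of the kind you attach under "Use a custom detection script". Intune treats the app as detected only when the script exits 0 and writes something to STDOUT; a non-zero exit, or exit 0 with no output, means not detected. Checking the Uninstall registry keys for a display name and comparing the version means an outdated install is reported as "not detected", so the new package installs instead of Intune reporting false success. The product name pattern and minimum version are placeholders.

```powershell
# Added example (not from the original guide): custom detection script for a Win32
# app. Detected = exit 0 with output on STDOUT. Not detected = non-zero exit (or
# exit 0 with no output). Product name and version below are placeholders.
$DisplayNamePattern = "Contoso Agent*"     # placeholder product name
$RequiredVersion    = [version]"3.2.0"     # placeholder minimum version

# Both the 64-bit and the WOW6432Node uninstall hives, so 32-bit installers are found.
$uninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $DisplayNamePattern -and $_.DisplayVersion } |
    ForEach-Object {
        # Some vendors write non-numeric version strings; skip those rather than crash.
        try { [version]$_.DisplayVersion } catch { $null }
    } |
    Where-Object { $_ -ne $null } |
    Sort-Object -Descending |
    Select-Object -First 1

if ($installed -and $installed -ge $RequiredVersion) {
    # Detected: a matching entry at or above the required version.
    Write-Output "Detected $DisplayNamePattern version $installed"
    exit 0
}
else {
    # Not detected; this also covers an older version, so the upgrade runs.
    exit 1
}
```

Test the script by hand on a clean machine, on a machine with an old version, and on one with the current version, and confirm the exit code and output in each case before uploading it; that is the same three-way check the app install status report cannot do for you.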
Recommended Deployment Order
If you are starting from scratch, follow this sequence to minimize risk and build on each layer:
- Configure tenant settings and enrollment restrictions — establish the foundation
- Set up Apple MDM Push certificate and Managed Google Play — unblock platform enrollment
- Create compliance policies in monitor-only mode — measure your baseline before enforcing
- Deploy security baselines and configuration profiles to a pilot group — validate settings
- Configure app protection policies — protect corporate data on mobile devices immediately
- Roll out device enrollment to pilot users — test enrollment flows end-to-end
- Deploy applications — start with essential apps, then expand
- Configure Windows Update rings — control the update cadence
- Enable conditional access in report-only mode — evaluate impact before enforcement
- Enforce conditional access policies — block non-compliant devices from corporate resources
- Connect Defender for Endpoint — add threat-based compliance signals
- Expand to production — roll out to all users in phases
Next Steps
Intune is not a one-time deployment. Device management requires ongoing attention — reviewing compliance trends, updating policies as new OS versions ship, adding new apps, and adjusting configurations based on user feedback and security incidents. Build a monthly review cadence to audit compliance reports, check for policy conflicts, and verify that enrollment and app deployment are working as expected.
For organizations building a broader security posture, Intune is one piece of a larger puzzle. Pair it with a Microsoft 365 security hardening checklist, implement zero trust principles across your environment, and ensure your endpoint protection strategy extends beyond device management to threat detection and response.
If you need help designing, deploying, or managing Intune for your organization, contact Exodata for a consultation. We help businesses of all sizes implement endpoint management solutions that are secure, scalable, and aligned with their operational needs.