Modern device management with a few twists
"My goal is to share my knowledge and experiences with community members on their own road to Modern device management. I love working with Microsoft technology and hopefully I can help a few people along the way."
MovetoModern #2 - Getting started with Microsoft Intune
So you've decided that Microsoft Intune is for you. Great choice. What next? Knowing where to start with a product can be difficult, especially when there are so many options. With Microsoft Intune there is a set of tasks you need to complete on day one before you can begin enrolling and managing devices. This post covers those tasks at a high level and walks through the fundamental steps. By the end you will have a basically configured platform that lets you start enrolling devices.
There are a number of planning steps to consider as part of your adoption, but this post will not cover them. If you would like to look at the types of considerations to work through for planning your rollout, have a look at the Microsoft guide Here
After you've decided which Microsoft licensing is best for you and your business, the recommended Microsoft path for setting up the basic Intune configuration can be summarised as:
Microsoft Intune Handbook - Getting setup Day 1
Step 1 - Sign into your Intune subscription
Step 2 - Configure Domain Name (Optional)
Step 3 - Add your Users and groups
Step 4 - Assign Licenses
Step 5 - Configure MDM Authority and Automatic enrollment
Step 6 - Add required Applications
Step 7 - Verify enrollment restrictions and configure device settings
Step 8 - Customise the Company Portal (Optional)
Step 9 - Add an Autopilot Enrollment profile and amend device enrolment restrictions (Optional)
Step 10 - Configure app policies (Optional)
Step 1 – Login to Microsoft Endpoint Manager
Sign in to your Intune subscription using your Global Administrator account at https://Endpoint.microsoft.com
You will be presented with the Home screen as shown below. As a Global Administrator you have the permissions to carry out all the necessary configuration steps. Global Administrator is only needed for the initial tenant setup, though: once the platform is running, give day-to-day admins the Intune Administrator role (or a scoped role within Intune) rather than Global Administrator, and protect the Global Administrator accounts with MFA.
The other portals you will require access to during the initial setup will be:
- The Azure Portal - https://portal.azure.com/
- Microsoft 365 Admin Centre - https://admin.microsoft.com/
- Microsoft Store for Business - https://www.microsoft.com/business-store
Step 2 – Configure Domain name
If you want to connect your company domain name to Intune you will need to verify it in DNS. By default, Microsoft provides an initial domain name of the form your-domain.onmicrosoft.com.
While this is optional, most companies will want to configure their custom domain, and ideally this is done before you start adding users to the platform and their email addresses are assigned, because changing user principal names later is disruptive. It also allows users to sign in with their company credentials to access resources.
There are a couple of ways of setting up your custom domain but I use the Microsoft 365 Admin center for this.
Login at https://admin.microsoft.com as an administrator and choose:
Setup > Domains > Choose a domain
Type in your domain name and click Next. This gives you the values required to create a TXT record with your external DNS hosting provider, which proves you own the domain. If you use GoDaddy.com you will be redirected to the GoDaddy login page and, after entering your credentials, the TXT record is created automatically; with any other host you create the record yourself in the zone.
Verification of the custom domain can take up to 72 hours, depending on the hosting provider and how long the change takes to propagate across DNS servers.
The Intune side has its own DNS check. Windows discovers the enrollment server through two CNAME records (enterpriseenrollment.your-domain and enterpriseregistration.your-domain); these are separate from the ownership TXT record and are optional, but without them users must type the enrollment server address during manual enrolment. To test them, log in to MEM and go to
Devices > Windows > Windows enrolment > CName validation.
Enter your custom domain name and click the test button.
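The same checks can be run from a workstation with the Resolve-DnsName cmdlet (Windows PowerShell, DnsClient module) instead of waiting on the portal. This is an added example, not code from the original post: contoso.com and the MS=... TXT value are placeholders you replace with your own domain and the value the domain wizard gave you; the two CNAME targets are the fixed Microsoft endpoints that the CName validation test looks for.

```powershell
# Added example (not from the original post). Checks the DNS records that the
# Microsoft 365 domain wizard (TXT) and the Intune "CName validation" test (CNAME)
# look for. $Domain and $ExpectedTxt are placeholders for your own values.
$Domain      = 'contoso.com'
$ExpectedTxt = 'MS=ms12345678'   # placeholder; copy the real value from the wizard

function Test-M365DomainRecords {
    param([string]$Domain, [string]$ExpectedTxt)

    $results = @()

    # 1. Domain-ownership TXT record at the zone apex (Setup > Domains).
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' } |
           ForEach-Object { $_.Strings }
    $results += [pscustomobject]@{
        Record   = "$Domain TXT"
        Expected = $ExpectedTxt
        Actual   = ($txt -join '; ')
        Ok       = [bool]($txt -contains $ExpectedTxt)
    }

    # 2. The two CNAMEs Windows uses to discover the MDM enrollment server.
    #    The targets are the fixed Microsoft endpoints for Intune.
    $cnames = @{
        "enterpriseenrollment.$Domain"   = 'enterpriseenrollment.manage.microsoft.com'
        "enterpriseregistration.$Domain" = 'enterpriseregistration.windows.net'
    }
    foreach ($name in $cnames.Keys) {
        $rec = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $results += [pscustomobject]@{
            Record   = "$name CNAME"
            Expected = $cnames[$name]
            Actual   = $rec.NameHost
            Ok       = [bool]($rec.NameHost -eq $cnames[$name])   # -eq is case-insensitive
        }
    }
    return $results
}

Test-M365DomainRecords -Domain $Domain -ExpectedTxt $ExpectedTxt | Format-Table -AutoSize
```

Run it from a machine that resolves against public DNS (or pass -Server to Resolve-DnsName to query your registrar's name server directly) so you see what Microsoft will see rather than a cached internal answer; an Ok column of False on the TXT row during the first hours is usually just propagation, while a wrong CNAME target is a typo in the zone.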
Step 3 – Users and Groups
Users and groups are critical to your rollout. The initial subscription includes an instance of Azure Active Directory (AAD). You now have the choice of synchronising your user identities from your on-premises AD using Azure AD Connect, or creating new users and groups directly in Azure AD, particularly if you are going cloud-only. Identities are required unless you plan on using "userless" devices such as kiosks.
If you want to deploy Windows Autopilot in a hybrid environment (Hybrid Azure AD joined devices) you will also need to install the Intune Connector for Active Directory on a domain-joined server, in addition to Azure AD Connect. More info can be found Here
Within MEM, navigate to Users and Groups from the left-hand navigation panel. Select the 'Groups' option, which opens a new panel. Enter the group name, description and membership type. Groups can be created for both users and devices. A dynamic group automatically adds users or devices that match a membership rule expression you define (for example on department or device name), which saves maintaining membership by hand as the rollout grows.
You can find more information on the membership type Here
To create either a new Azure AD User identity or invitation to a guest user select
MEM > Users >New User /New Guest User
You may need to create a guest user when you want to collaborate with an external party, for example to allow a third party to configure Intune. With this option the user is emailed an invitation to join; remember that a guest granted an admin role has the same power as an internal admin, so scope the role and remove the guest when the engagement ends.
For a new Azure AD user, enter the username, name, first name and last name, then select the groups and job info if required.
Step 4 – Assign Licenses
You will need to assign licenses to users so they can enrol their devices into Intune. Intune licenses are available in various Microsoft packages including EMS E3/E5 and Microsoft 365 E3/E5. Which you choose depends on the functionality and applications your rollout requires.
Find some more details Here
To assign licenses, select the user and click the 'Licenses' option under Manage. The user must have a usage location set before a license can be assigned, so if the assignment fails that is the first thing to check.
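Steps 3 and 4 together are exactly the kind of thing you will repeat for every pilot user, so here is the same sequence scripted with the Microsoft Graph PowerShell SDK: a dynamic user group, a cloud-only user with a random initial password, a usage location, and a license assignment that is checked before and after. This is an added example, not code from the original post; the display names, UPN, department value, usage location and the SPE_E3 SKU part number are placeholders you substitute for your own tenant.

```powershell
# Added example (not from the original post). Requires the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). All names, the UPN, the
# department value, the usage location and the SKU part number are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'Organization.Read.All'

# --- Step 3a: a dynamic user group keyed on the department attribute -----------
# Azure AD recalculates membership itself: every user whose department is
# "Design" is added automatically, matching the portal's "Dynamic User" option.
$group = New-MgGroup -DisplayName 'Intune - Design users' `
    -Description 'Dynamic group: all users in the Design department' `
    -MailEnabled:$false -MailNickname 'intune-design-users' -SecurityEnabled `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.department -eq "Design")' `
    -MembershipRuleProcessingState 'On'

# --- Step 3b: a cloud-only user -----------------------------------------------
# Generate the initial password from the CSPRNG rather than hard-coding one;
# the user is forced to change it at first sign-in.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

$user = New-MgUser -DisplayName 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -UserPrincipalName 'jane.doe@contoso.com' -MailNickname 'jane.doe' `
    -Department 'Design' -AccountEnabled `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

# --- Step 4: assign an Intune-bearing license ---------------------------------
# assignLicense fails unless the user has a usage location, so set it first.
Update-MgUser -UserId $user.Id -UsageLocation 'GB'

# Look the SKU up by part number. 'SPE_E3' is Microsoft 365 E3 and 'EMS' is
# EMS E3 in most tenants, but confirm with Get-MgSubscribedSku in yours.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'SPE_E3'
if (-not $sku) { throw 'SKU not found in this tenant; run Get-MgSubscribedSku to list them.' }
if ($sku.PrepaidUnits.Enabled -le $sku.ConsumedUnits) { throw 'No free licenses left on this SKU.' }

Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()

# Confirm the assignment and that the Intune service plan inside it is provisioned.
(Get-MgUserLicenseDetail -UserId $user.Id).ServicePlans |
    Where-Object ServicePlanName -like 'INTUNE*' |
    Select-Object ServicePlanName, ProvisioningStatus
```

The dynamic group is created with processing state On, so the new user lands in it as soon as Azure AD evaluates the rule (usually within minutes); that group is what you will target with app and configuration assignments in the later steps, rather than assigning to individual users.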
Step 5 – MDM Authority and Automatic enrolment
Tenants created before Intune service release 1911 had to set the MDM authority on first sign-in. From 1911 onwards the MDM authority is set to Intune automatically and the option was removed from the portal.
It's worth noting that the MDM authority cannot be changed from the portal once set. The basic premise of this setting is that the service uses it to make sure devices registered with it talk to the correct management portal.
Windows automatic enrolment settings
If the core of the devices you will be managing are Windows 10 or newer, you will need to verify you have the correct settings for automatic enrolment as shown below.
These settings apply both to corporate-owned devices managed via MDM and to personally owned (BYOD) devices.
Go to MEM > Devices > Windows > Windows Enrollment > Automatic Enrollment
You set the scope of enrolment depending on your specific enrolment needs.
The MDM user scope controls which users' Windows devices are automatically enrolled into Intune when they join the device to Azure AD (or register a personal one with a work account). Set it to All, or to Some with a group, and those users' devices enrol automatically whether they are corporate or BYOD. Set it to None and devices can still join Azure AD, but nothing enrols them into Intune.
In some scenarios you may only want to manage the company account on the device and the corporate resources it accesses, not the device itself. For this set the MDM user scope to None and the MAM user scope to Some or All.
The main difference with the MAM user scope is that, when set to Some or All, the company account is managed by Intune (app protection and Windows Information Protection policy) while the device is only registered in Azure AD, not MDM-enrolled. MAM is aimed at BYOD or personal devices. Where a user falls into both scopes, a corporate (Azure AD joined) device is MDM-enrolled and a personal (Azure AD registered) device gets MAM, so set the two scopes with that in mind rather than in isolation.
Step 6 - Add required Applications
The whole topic of applications (adding, securing, deploying, packaging and so on) is a fairly large subject by itself and I will write more on it in another post. For the day one setup you will more than likely want to set Intune up to deploy Microsoft 365 Apps as the core productivity requirement.
Intune supports various types of application, each available for the different device platforms (Windows 10, iOS, Android). As described above, you have already decided whether you manage user devices (including apps), accounts, or both. Once you have chosen the applications you want to deploy, add them into Intune.
Go to MEM> Apps > All Apps
This will show you all the Apps you have deployed. At this point you most likely won’t have any to see so select ‘Add’ from the top pane.
Add an Application
Choose the platform you want to deploy the App for. Here I will select “Microsoft 365 Apps – Windows 10”
The resulting pane will be a configuration page where you can:
· Change the Name and description
· The Category such as Productivity
· Add in any notes like this is for the Design group
· Choose if you want to make it a featured app available within the company portal.
Click Next and configure the app suite options. The key setting here is the selection of Office 365 apps you want to deploy, making sure users have the correct licenses assigned before deploying, otherwise the apps install but will not activate.
The other setting on this pane you will need to select is "Update Channel". I chose "Current Channel", and I will describe the options in another post. Click Next to select the assignment groups. You have three options here:
Required means the application is deployed to the devices or users you assign it to automatically in the background. When the device next checks in with Intune (approximately every 8 hours after the initial enrolment) the app is downloaded and installed silently.
Add groups to “Available” where you would like to make them available for the user to install in their timeframe. The App will become available within the Microsoft Company portal App (Which you will also need to deploy)
If you choose to add any groups to “Uninstall” this means those selected Apps will be uninstalled from devices assuming they already exist.
It's worth noting the quick options "All Users" and "All Devices", which target every user or device in the tenant. They are convenient, but a Required assignment to All Devices gives you no pilot ring, so prefer a test group first.
If at this stage you want to delay deploying to anyone or any devices, simply don't add any groups. The application will be added to your Intune apps list but will not deploy.
When you do add groups click next, verify the configuration and click ‘Create’
By completing this action with groups the App will automatically start deploying to the selected user/device groups.
Step 7 - Verify enrollment restrictions and configure device settings
The first step here is to verify you have the correct enrollment restrictions set up for your devices and users. This matters because it determines the device types and OS versions you allow to enrol in your tenant, whether personally owned devices can enrol at all, and how many devices a single person can enrol. The defaults are permissive, so review them before the first enrolment rather than after.
To configure this :
MEM > Devices >Enrollment Restrictions
Under the 'Device type restrictions' option click 'All Users' and you will be presented with a new pane. Select 'Properties' to see the default settings. Under 'Platform settings' click 'Edit' and choose the restrictions that apply to the platforms you manage: whether each platform type is allowed, and whether personally owned devices of that type may enrol. As an added control, specify the minimum and maximum OS version you want to allow for each platform. When finished click 'Review + save' and then the 'X' to close the pane.
Go back to Devices > Enrollment restrictions and choose 'All Users' under 'Device limit restrictions'.
This presents a new pane. Select 'Properties' then 'Edit'. You will be presented with a drop-down box from which you can choose the number of devices each user may enrol. The maximum is 15, as shown below.
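Because the defaults are the thing most often left untouched, it is worth having a script that reads the enrollment restriction configurations back out of the tenant and flags the review items, so you can rerun it after any change. This is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK against the deviceEnrollmentConfigurations endpoint, and the thresholds (5 devices per user, a 10.0.19041 minimum Windows build) are this example's assumptions, not Microsoft recommendations.

```powershell
# Added example (not from the original post). Reads the enrollment restriction
# configurations the portal shows under Devices > Enrollment restrictions and
# lists settings a reviewer would question. Requires the Microsoft Graph
# PowerShell SDK. The thresholds are this example's assumptions.
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All'

function Get-EnrollmentRestrictionReport {
    param(
        [int]$MaxDevicesPerUser = 5,              # assumption: what this example calls "too many"
        [string]$MinWindowsBuild = '10.0.19041'   # assumption: oldest Windows build you still want
    )

    $uri     = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceEnrollmentConfigurations'
    $configs = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
    $findings = @()

    foreach ($cfg in $configs) {
        $label = "$($cfg.displayName) (priority $($cfg.priority))"

        switch ($cfg.'@odata.type') {
            # "Device limit restrictions" in the portal; 15 is the portal maximum.
            '#microsoft.graph.deviceEnrollmentLimitConfiguration' {
                if ($cfg.limit -gt $MaxDevicesPerUser) {
                    $findings += "[$label] device limit is $($cfg.limit), above $MaxDevicesPerUser"
                }
            }
            # "Device type restrictions" in the portal, one sub-object per platform.
            '#microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration' {
                foreach ($platform in 'windowsRestriction', 'iosRestriction',
                                      'androidRestriction', 'macOSRestriction') {
                    $r = $cfg.$platform
                    if ($null -eq $r -or $r.platformBlocked) { continue }   # blocked platforms need no review

                    if (-not $r.personalDeviceEnrollmentBlocked) {
                        $findings += "[$label] $platform allows personally owned devices to enrol"
                    }
                    if ([string]::IsNullOrEmpty($r.osMinimumVersion)) {
                        $findings += "[$label] $platform has no minimum OS version; any build can enrol"
                    }
                    elseif ($platform -eq 'windowsRestriction' -and
                            [version]$r.osMinimumVersion -lt [version]$MinWindowsBuild) {
                        $findings += "[$label] Windows minimum $($r.osMinimumVersion) is below $MinWindowsBuild"
                    }
                }
            }
        }
    }

    if ($findings.Count -eq 0) { return @('No review items: restrictions match the assumed baseline.') }
    return $findings
}

Get-EnrollmentRestrictionReport
```

Priority 0 is the default "All Users" configuration the post edits above; any extra configurations you add later get a higher priority and apply to their assigned groups first, so the report lists each one separately rather than assuming the default is the only thing in force.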