How to set up a new Intune deployment

Organizations can deploy Microsoft Intune effectively by following five critical steps that establish security, compliance and device management from the ground up.

Deploying Microsoft Intune for the first time demands a structured approach that aligns licensing, identity, security, applications and enrollment into a cohesive management strategy.

Many organizations already use Microsoft 365 or Azure services, which means they have the foundation in place. However, a successful Intune rollout still requires IT to complete several essential configuration steps in the right order.

To get started with Intune, organizations must carry out five important steps:

  1. Set up the Intune tenant.
  2. Add device configuration profiles to configure the different aspects of devices.
  3. Add device compliance policies to determine when access to corporate data and apps is allowed.
  4. Add apps to get users immediately productive.
  5. Configure device enrollment profiles to get the devices into the Intune tenant and managed.

These steps don't represent every possible configuration -- such as Apple Business Manager integration, Windows Autopilot setup or advanced Conditional Access design -- but they do establish the basic environment for IT to start managing devices with Intune. By following this sequence, organizations create a secure baseline, ensure users can access the tools they need and lay the groundwork for expanding into more advanced Intune capabilities as their deployment matures.

Step 1: Setting up the Microsoft Intune tenant

Before getting started with Intune, make sure the organization meets the licensing requirements. Using Intune requires at least a Microsoft Intune Plan 1 license per user. Intune Plan 1 is available as a standalone license and is also included in Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 Business Premium, Enterprise Mobility + Security E3 and E5.

When the required licenses are available, sign up for or sign in to Intune. The starting point depends on whether a work or school account already exists. If other Microsoft 365 or Azure services are already in use, which is often the case, a Microsoft Entra ID tenant already exists. The Entra ID tenant contains the users and groups that Intune uses for setup and management. Every user needs their own account and license. The initial setup of the Entra ID tenant creates a default onmicrosoft.com domain. Organizations can also add a custom domain name if they want users to sign in with their own company domain.

After setting up the Intune tenant, verify that the mobile device management (MDM) authority is set to Microsoft Intune. The MDM authority determines which service manages devices in the organization -- Intune, Microsoft Configuration Manager in co-management with Intune, or Basic Mobility and Security for Microsoft 365. For a user to start enrolling devices, the MDM authority must be set to Intune.
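A pre-flight check for this step, written here as an added example rather than anything from the article: it uses the Microsoft Graph PowerShell SDK to confirm Intune Plan 1 seats exist, find enabled users who have no Intune service plan, and read the MDM authority. It assumes the Intune Plan 1 service plan is named INTUNE_A and that mdmAuthority is exposed on the beta deviceManagement resource.

```powershell
# Added example, not from the article. Assumptions: Microsoft.Graph SDK installed,
# Intune Plan 1 service plan name is INTUNE_A, mdmAuthority is read from /beta.
Connect-MgGraph -Scopes "Organization.Read.All", "User.Read.All", "DeviceManagementServiceConfig.Read.All"

# 1. Licensing: which SKUs carry Intune Plan 1, and how many seats are used?
$skus = Get-MgSubscribedSku | Where-Object { $_.ServicePlans.ServicePlanName -contains "INTUNE_A" }
foreach ($s in $skus) {
    "{0}: {1} of {2} seats assigned" -f $s.SkuPartNumber, $s.ConsumedUnits, $s.PrepaidUnits.Enabled
}
$intunePlanIds = $skus.ServicePlans | Where-Object ServicePlanName -eq "INTUNE_A" |
    Select-Object -ExpandProperty ServicePlanId -Unique

# 2. Every user needs a license: enabled accounts without an active Intune plan cannot enroll.
$unlicensed = Get-MgUser -All -Property Id, UserPrincipalName, AssignedPlans, AccountEnabled |
    Where-Object { $_.AccountEnabled -and -not ($_.AssignedPlans |
        Where-Object { $_.ServicePlanId -in $intunePlanIds -and $_.CapabilityStatus -eq "Enabled" }) }
"Enabled users without an Intune plan: $($unlicensed.Count)"
$unlicensed | Select-Object -First 10 -ExpandProperty UserPrincipalName

# 3. MDM authority must be Intune before anyone can enroll a device.
$dm = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement?`$select=mdmAuthority"
if ($dm.mdmAuthority -ne "intune") {
    Write-Warning "MDM authority is '$($dm.mdmAuthority)', not Intune; enrollment will fail"
} else {
    "MDM authority: intune"
}
```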

Step 2: Configuring and securing devices

The second step is to configure the most important security features and provide the best possible user experience. To do this within Intune, IT can use device configuration profiles. This should be a layered approach and can contain various levels of device configuration.

Intune contains configuration profiles for all supported platforms.

The key focus, however, should be device security. Make sure the basic security configurations -- antivirus, firewall, encryption, password and software updates -- are enabled and installed. Additionally, provide users with easy and secure access to corporate data and apps, including email, personal data and group data. Depending on the expertise of the IT staff, this can be further enhanced to include more features and configurations.

For Windows, a strong starting point is the set of security baselines available in Intune. These baselines include the most important security features that should be enabled by default, along with additional recommended configurations.

Step 3: Protecting access to corporate data and apps

The third step is to protect access to corporate data and apps through device compliance policies and Conditional Access. IT can use Intune to configure the compliance policies that define the requirements devices need to meet, and Entra ID to configure Conditional Access policies that enforce those requirements before granting access to corporate data and apps. This combination is an important enabler for zero trust within the environment.

Every application connected to Entra ID can be protected with Conditional Access, making strong compliance policies essential. These policies define core security requirements and are continuously evaluated to ensure devices remain compliant. Unlike configuration profiles, which simply apply settings, compliance policies generate a compliance status that Conditional Access can use to allow or block access.
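The combination described in this step, as an added example that is not part of the article: a Windows compliance policy that only reports "compliant" when the Step 2 protections are in effect, assigned to a pilot group, plus a Conditional Access policy that requires a compliant device and starts in report-only mode. It assumes the Microsoft Graph PowerShell SDK; the group name and OS version floor are placeholders.

```powershell
# Added example, not from the article: a Windows compliance policy plus a
# report-only Conditional Access policy that requires a compliant device.
# Assumes the Microsoft.Graph PowerShell SDK; the group name is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Compliance policy: a device only reports "compliant" when the Step 2
# protections are actually in effect. Non-compliant devices are marked
# immediately (gracePeriodHours = 0), which Conditional Access then acts on.
$compliance = @{
    "@odata.type"           = "#microsoft.graph.windows10CompliancePolicy"
    displayName             = "Windows - Baseline compliance"
    bitLockerEnabled        = $true
    secureBootEnabled       = $true
    codeIntegrityEnabled    = $true
    activeFirewallRequired  = $true
    antivirusRequired       = $true
    passwordRequired        = $true
    osMinimumVersion        = "10.0.19045.0"   # constructed floor; set your own
    scheduledActionsForRule = @(@{
        ruleName                      = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    })
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# Scope it to a pilot group first (placeholder name) rather than all devices.
$group = Get-MgGroup -Filter "displayName eq 'Intune Pilot Users'"
$assign = @{ assignments = @(@{ target = @{
    "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.Id } }) }
Invoke-MgGraphRequest -Method POST -Body $assign `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign"

# Conditional Access: require a compliant device for every cloud app, scoped
# to the same pilot group and created in report-only mode so the sign-in logs
# show what would have been blocked before the policy is enforced.
$ca = @{
    displayName   = "Require compliant device - pilot (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $ca
```

Review the report-only results in the Entra sign-in logs, and exclude an emergency-access account from the policy, before changing its state to enabled.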

Step 4: Adding apps

Next, IT must add applications to Intune. This is the step that enables end users to be productive. Adding applications from native app stores, such as Google Play on Android devices, is very simple. Adding Microsoft apps is even easier. Many of them are built into Intune, so IT can deploy them right away with almost no setup.

Windows devices are often more challenging, because the process relies on installers created by different vendors. Microsoft introduced the Win32 app model to address this issue. The model enables IT administrators to wrap the different installers and deploy them through Intune. It also provides advanced options for detecting app installation, defining installation requirements and superseding older versions of the app. This makes it easy to replace one app with another, such as when switching PDF readers within the organization. Admins can also add configurations with applications. This helps get users to a productive state more quickly by preconfiguring items like email profiles.

Intune also provides the ability to protect corporate apps and data. Just like with device compliance policies, app protection policies can be used in combination with Conditional Access to secure enterprise data across devices.

Step 5: Enabling device enrollment

The last step is enabling users to enroll devices into Intune. This ensures that the users' devices receive all the required apps and configurations. First, determine which devices users can enroll within the environment. This includes choosing which OSes are supported and whether personal, or BYOD, endpoints are allowed. Ultimately, an organization should only allow the enrollment of devices that can actually be managed with its existing Intune configuration policies. A more lenient approach could give unmanaged or unsupported devices access to corporate data and apps.

IT administrators can then make sure that there are enrollment profiles available for each supported platform. Once those enrollment profiles are in place, users can start enrolling their devices.

Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert.