1. Compliance vs. Configuration Policies

  • Compliance Policies: Define the “security floor” for a device (e.g., “Must have BitLocker enabled,” “Must be at a specific OS version”).
    • The Signal: Compliance status is the primary signal sent to Entra ID.
    • Conditional Access Integration: If a device fails a compliance check, Conditional Access can instantly block access to M365 data until the user remediates the issue.
  • Configuration Profiles: The primary tool for managing settings (the “GPO of the cloud”).
    • Settings Catalog: The modern, preferred interface for finding and configuring thousands of Windows, macOS, and iOS settings.
    • Administrative Templates: Familiar ADMX-backed settings for Windows and Office.
    • Conflict Resolution: If two profiles configure the same setting with different values, the setting enters a “Conflict” state and is not applied. Compliance policies, however, do not “conflict”—if any policy marks a device non-compliant, it is non-compliant.

2. Device Enrollment & Windows Autopilot

  • The Enrollment Spectrum:
    • BYOD (Registered): Users add a “Work or School account.” Best for Mobile Application Management (MAM).
    • Corporate (Joined): Device is fully managed by the organization.
  • Windows Autopilot: A collection of technologies used to set up and pre-configure new devices, getting them ready for productive use.
    • Hardware Hash: The unique identifier required to register a device for Autopilot.
    • Deployment Profiles: Control the Out-of-Box Experience (OOBE), such as skipping privacy settings or forcing a “Standard” vs. “Administrator” user account.
    • Enrollment Status Page (ESP): Displays the installation progress of critical apps and profiles before the user reaches the desktop.

3. Mobile Application Management (MAM) vs. MDM

  • MAM-WE (Without Enrollment): Allows IT to protect corporate data inside specific apps (Outlook, Teams, OneDrive) without managing the entire personal device.
  • App Protection Policies (APP): The core of MAM. Use these to:
    • Prevent “Save As” to personal storage (local phone or personal Dropbox).
    • Restrict “Copy/Paste” between corporate and personal apps.
    • Require a separate PIN or biometric to open corporate apps.
  • App Configuration Policies: Pre-configure app settings (e.g., the corporate mail server URL) so the user doesn’t have to enter them manually.

4. Endpoint Security Integration

  • The Security Baseline: Pre-configured groups of Windows settings recommended by Microsoft security teams. Use these as a starting point rather than building from scratch.
  • Defender for Endpoint Plug-in: Intune is the primary deployment engine for the MDE sensor. Use the “Endpoint Security” blade to manage Antivirus, Firewall, and EDR settings centrally.
  • Remote Actions: Essential for incident response. Use the Intune portal to:
    • Retire: Removes corporate data and management (best for BYOD offboarding).
    • Wipe: Factory resets the device (best for lost/stolen corporate hardware).
    • Sync: Forces the device to check in immediately for new policies.

5. Troubleshooting & Lifecycle

  • The “Company Portal” App: The user-facing side of Intune. Users go here to install optional apps and check their device’s compliance status.
  • Intune Management Extension (IME): A background service on Windows that handles the execution of PowerShell scripts and the installation of Win32 apps.
  • Log Analysis:
    • Local Logs: Check C:\ProgramData\Microsoft\IntuneManagementExtension\Logs for Win32 app and script failures.
    • Portal Logs: Use “Troubleshooting + support” to see a per-user view of every policy and app deployment status.

6. Essential PowerShell Cmdlets (Microsoft.Graph.Intune)

  • Connection: Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"
  • Inventory & Discovery:
    • Get all devices for a user: Get-MgUserManagedDevice -UserId user@domain.com
    • Find devices by OS: Get-MgDeviceManagementManagedDevice -Filter "contains(osVersion, '10.0.19041')"
  • Management Actions:
    • Trigger a Sync: Invoke-MgDeviceManagementManagedDeviceSyncDevice -ManagedDeviceId <ID>
    • Retire a Device: Invoke-MgDeviceManagementManagedDeviceRetire -ManagedDeviceId <ID>
  • Autopilot Management:
    • Get-MgDeviceManagementWindowsAutopilotDeviceIdentity (Lists registered Autopilot devices)
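The following script is an added example, not part of the original notes, that ties together the compliance signal from section 1, the "Sync" remote action from section 4 and the cmdlets above: it reports non-compliant Windows devices that have not checked in recently and can trigger a sync so they re-evaluate compliance. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement modules are installed; the function name, the 7-day threshold and the client-side filtering are my choices.

```powershell
# Added example (not from the page): report non-compliant Windows devices that
# have not checked in recently and optionally trigger a sync so they re-evaluate
# compliance. Assumes the Microsoft.Graph.Authentication and
# Microsoft.Graph.DeviceManagement modules are installed.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement

function Get-StaleNoncompliantDevice {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$StaleDays = 7,    # assumed threshold; match it to your check-in SLA
        [switch]$TriggerSync    # when set, call the syncDevice action for each stale device
    )
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays(-$StaleDays)

    # Filter client-side so the example does not depend on which properties the
    # managedDevices endpoint accepts in $filter. A null LastSyncDateTime counts as stale.
    $stale = Get-MgDeviceManagementManagedDevice -All | Where-Object {
        $_.OperatingSystem -eq 'Windows' -and
        $_.ComplianceState -eq 'noncompliant' -and
        (-not $_.LastSyncDateTime -or $_.LastSyncDateTime -lt $cutoff)
    }

    foreach ($d in $stale) {
        if ($TriggerSync -and $PSCmdlet.ShouldProcess($d.DeviceName, 'Trigger Intune sync')) {
            # Same as the portal's "Sync" remote action, via the documented Graph REST action.
            $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.Id)/syncDevice"
            Invoke-MgGraphRequest -Method POST -Uri $uri | Out-Null
        }
        $days = if ($d.LastSyncDateTime) { [int]($now - $d.LastSyncDateTime).TotalDays } else { $null }
        [pscustomobject]@{
            DeviceName      = $d.DeviceName
            User            = $d.UserPrincipalName
            OSVersion       = $d.OSVersion
            ComplianceState = $d.ComplianceState
            LastSync        = $d.LastSyncDateTime
            DaysSinceSync   = $days
        }
    }
}

# ReadWrite.All is only needed for -TriggerSync; DeviceManagementManagedDevices.Read.All suffices for the report alone.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All'
Get-StaleNoncompliantDevice -StaleDays 7 | Format-Table -AutoSize
Get-StaleNoncompliantDevice -StaleDays 7 -TriggerSync -WhatIf   # dry run of the remediation step
```

Because the function supports ShouldProcess, `-WhatIf` lists which devices would be synced without calling the action, which is the safe first pass before running it for real.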