1. Intune Architecture & Service Flow

Microsoft Intune is a cloud-based service that relies on the integration of identity, policy, and local device agents to manage endpoints.

  • Intune Service (Cloud): The central management engine where administrators define configuration, compliance, and application policies.
  • Entra ID (Identity): Serves as the source of truth for the device object. Every managed device must have a record in Entra ID to receive policies based on user or group membership.
  • MDM Channel: The native OS communication path (OMA-DM over HTTPS, with WNS push notifications prompting the device to check in) used to receive standard configuration profiles and compliance checks.
  • Intune Management Extension (IME): A local sidecar service installed on Windows devices to handle complex tasks the native MDM channel cannot, such as Win32 app deployments and PowerShell scripts.
  • Service Flow: The device initiates a check-in → Intune evaluates applicable policies → settings are delivered via the MDM channel or IME → the device executes the settings and reports success or failure back to the portal.

2. Compliance vs. Configuration Policies

  • Compliance Policies: These define the “security floor” for a device, such as requiring BitLocker or a specific OS version.
    • The Signal: Compliance status is a critical signal sent to Entra ID.
    • Conditional Access Integration: If a device is marked non-compliant, Conditional Access can automatically block access to M365 data until the issue is resolved.
  • Configuration Profiles: The primary tool for managing granular settings, often referred to as the “GPO of the cloud”.
    • Settings Catalog: The modern interface for configuring thousands of settings across Windows, macOS, and iOS.
    • Conflict Resolution: If two profiles attempt to set the same value differently, the setting enters a “Conflict” state and is not applied. Compliance policies do not “conflict” in this way; any single failure marks the whole device non-compliant.

3. Device Enrollment & Windows Autopilot

  • The Enrollment Spectrum:
    • BYOD (Registered): Users add a “Work or School account,” typically used for Mobile Application Management (MAM).
    • Corporate (Joined): The device is fully owned and managed by the organization.
  • Windows Autopilot: A suite of technologies used to pre-configure and set up new devices for productive use.
    • Hardware Hash: The unique ID required to register a device with the Autopilot service.
    • Deployment Profiles: Control the Out-of-Box Experience (OOBE), such as forcing a standard user account or skipping privacy settings.
    • Enrollment Status Page (ESP): Tracks the installation of critical apps and profiles before the user reaches the desktop.
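Added example (not from the original notes): collecting the hardware hash described above from a Windows device and writing it in the CSV layout the Autopilot import accepts. It reads the same MDM bridge WMI class that Microsoft's Get-WindowsAutopilotInfo script uses; the output path is an assumption, and the script must run elevated on a physical Windows device.

```powershell
# Added example: export the Autopilot hardware hash of the local device.
# Assumptions: run as Administrator on Windows; $OutputCsv is a made-up location.
$OutputCsv = 'C:\HWID\AutopilotHWID.csv'

# Serial number from the BIOS (shown in the Autopilot devices blade after import)
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# The hardware hash is exposed by the MDM bridge provider under ./DevDetail/Ext
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
$hash = $devDetail.DeviceHardwareData

if ([string]::IsNullOrEmpty($hash)) {
    throw 'No hardware hash returned: run elevated on a physical Windows device (VMs need the MDM bridge too).'
}

# Autopilot import format: "Device Serial Number,Windows Product ID,Hardware Hash".
# The product ID column may be left blank; quotes are stripped so the file matches
# the format the Intune portal expects on upload.
$row = [PSCustomObject]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $hash
}

New-Item -ItemType Directory -Path (Split-Path -Parent $OutputCsv) -Force | Out-Null
$row | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath $OutputCsv -Encoding ascii

Write-Host "Wrote hardware hash for serial $serial to $OutputCsv"
```

The hash uniquely identifies the physical device, so treat the CSV as sensitive: anyone who can register it into your tenant's Autopilot service can control the OOBE that device receives.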

4. Mobile Application Management (MAM) vs. MDM

  • MAM-WE (Without Enrollment): Allows IT to protect corporate data inside specific apps (like Outlook or Teams) without managing the entire personal device.
  • App Protection Policies (APP): The core of MAM, used to prevent “Save As” to personal storage, restrict Copy/Paste between corporate and personal apps, and require a separate PIN.
  • App Configuration Policies: Used to pre-configure app settings, such as corporate mail server URLs, to simplify the user setup experience.

5. Endpoint Security Integration

  • Security Baselines: Microsoft-recommended groups of settings that provide a hardened starting point for Windows security.
  • Defender for Endpoint Plug-in: Intune is the primary engine for deploying the MDE sensor and managing Antivirus, Firewall, and EDR settings centrally.
  • Remote Actions: Essential for incident response, including Retire (removes corporate data), Wipe (factory reset), and Sync (forces immediate policy check-in).

6. Troubleshooting & Lifecycle

  • The Company Portal App: The user-facing interface for installing optional apps and checking device compliance.
  • Log Analysis:
    • Local Logs: Win32 app and script failures are logged in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
    • Portal Logs: The “Troubleshooting + support” blade provides a per-user view of policy and app deployment status.
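Added example (not from the original notes): the Intune Management Extension logs in the folder above are written in the CMTrace line format, which is awkward to read with plain text tools. This parser turns each entry into an object and filters for warnings and errors; the three log lines embedded below are constructed samples (the app GUID is a placeholder), and the function names are this example's own.

```powershell
# Added example: parse CMTrace-format IME logs and surface warnings/errors for triage.
# Severity mapping in CMTrace: type 1 = Info, 2 = Warning, 3 = Error.

function Read-CMTraceLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    # One entry per line: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [PSCustomObject]@{
                Date      = $Matches.date
                Time      = ($Matches.time -split '\.')[0]   # drop sub-seconds and the UTC offset
                Component = $Matches.comp
                Severity  = switch ($Matches.type) { '1' { 'Info' } '2' { 'Warning' } '3' { 'Error' } default { 'Unknown' } }
                Message   = $Matches.msg
            }
        }
    }
}

function Get-ImeLogProblems {
    # Reads every *.log in the IME log folder (the real path from the notes) and keeps non-Info entries
    param([string]$Path = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs')
    Get-ChildItem -Path $Path -Filter '*.log' | ForEach-Object {
        Read-CMTraceLog -Lines (Get-Content -Path $_.FullName)
    } | Where-Object { $_.Severity -in 'Warning', 'Error' }
}

# Constructed sample lines (not real log data); the app id is a placeholder GUID
$sampleLog = @(
    '<![LOG[[Win32App] Starting install for app 00000000-0000-0000-0000-000000000001]LOG]!><time="10:15:30.1234567" date="1-15-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">',
    '<![LOG[[Win32App] Detection rule not satisfied after install, installer exit code 1603]LOG]!><time="10:16:02.7654321" date="1-15-2024" component="IntuneManagementExtension" context="" type="3" thread="12" file="">',
    '<![LOG[[PowerShell] Script signature check failed, execution blocked]LOG]!><time="10:17:00.0000000" date="1-15-2024" component="IntuneManagementExtension" context="" type="2" thread="7" file="">'
)

Read-CMTraceLog -Lines $sampleLog |
    Where-Object { $_.Severity -ne 'Info' } |
    Format-Table Date, Time, Severity, Message -AutoSize
```

On a real device call Get-ImeLogProblems with no arguments; the same parser works for the AgentExecutor.log and ClientHealth.log files in that folder, since all IME logs share the CMTrace layout.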

7. Essential PowerShell Cmdlets (Microsoft.Graph.Intune)

  • Connection: Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"
  • Inventory:
    • Get-MgUserManagedDevice -UserId user@domain.com (Lists devices for a specific user).
  • Management Actions:
    • Invoke-MgDeviceManagementManagedDeviceSyncDevice -ManagedDeviceId <ID> (Triggers a forced sync).
    • Invoke-MgDeviceManagementManagedDeviceRetire -ManagedDeviceId <ID> (Removes corporate data).
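Added example (not from the original notes) that ties the compliance signal from section 2 to the remote actions in sections 5 and 7: it lists devices Intune currently reports as non-compliant, then exposes Sync and Retire as functions that call the Graph endpoints directly through Invoke-MgGraphRequest. It assumes the Microsoft Graph PowerShell SDK modules are installed; the function names and the device id are this example's own placeholders.

```powershell
# Added example: compliance inventory plus gated remote actions via Microsoft Graph.
# Assumes Microsoft.Graph.Authentication and Microsoft.Graph.DeviceManagement are installed.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All'

# 1) Devices whose compliance state Entra ID / Conditional Access will see as non-compliant
function Get-NonCompliantDevices {
    Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" -All |
        Select-Object DeviceName, UserPrincipalName, OperatingSystem, ComplianceState, LastSyncDateTime
}

# 2) Sync: forces an immediate check-in so a remediated device re-evaluates compliance
function Invoke-IntuneDeviceSync {
    param([Parameter(Mandatory)][string]$ManagedDeviceId)
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$ManagedDeviceId/syncDevice"
    Invoke-MgGraphRequest -Method POST -Uri $uri
}

# 3) Retire: removes corporate data and unenrols the device. It is disruptive, so the
#    function supports -WhatIf and prompts for confirmation by default (ConfirmImpact High).
function Invoke-IntuneDeviceRetire {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$ManagedDeviceId)
    $device = Get-MgDeviceManagementManagedDevice -ManagedDeviceId $ManagedDeviceId
    $target = "$($device.DeviceName) ($($device.UserPrincipalName))"
    if ($PSCmdlet.ShouldProcess($target, 'Retire (remove corporate data)')) {
        $uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$ManagedDeviceId/retire"
        Invoke-MgGraphRequest -Method POST -Uri $uri
    }
}

Get-NonCompliantDevices | Format-Table -AutoSize

# Placeholder device id (not a real value); uncomment to run the actions
# Invoke-IntuneDeviceSync   -ManagedDeviceId '00000000-0000-0000-0000-000000000000'
# Invoke-IntuneDeviceRetire -ManagedDeviceId '00000000-0000-0000-0000-000000000000' -WhatIf
```

Request only the scope each task needs: DeviceManagementManagedDevices.Read.All is enough for the inventory query, and ReadWrite.All is required only for the sync and retire calls. Every remote action is recorded in the Intune audit log and on the device's "Device actions status" view, which is where to confirm that a retire or wipe actually completed.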