๐Ÿ“ฑ

Microsoft Intune Administration Handbook

Enrollment, Compliance, Apps, and Endpoint Security

By Richard Gamarra

A working reference for running Intune day to day: how a device actually gets enrolled, what makes it compliant, how configuration profiles and apps get delivered, and what to check first when a device won't provision or a deployment silently fails. Built from real deployment work, not the feature list.

40
Visible reference cards
๐Ÿ“ฑ Enrollment โœ… Compliance โš™๏ธ Configuration ๐Ÿ“ฆ App Deployment ๐Ÿš€ Autopilot ๐Ÿ›ก๏ธ Endpoint Security โšก PowerShell / Graph ๐Ÿงญ IT Operations

๐Ÿงญ Architecture & Enrollment

Intune manages a device by first getting it trusted into Entra ID, then enrolling it into MDM so policy and apps can actually be delivered. The enrollment method you pick decides how much of that happens automatically versus how much a user has to do by hand.

From unboxing to managed
Device powers onOOBE or existing install
โ†’
Entra ID join or registration
โ†’
MDM enrollmentIntune takes over
โ†’
Policy & apps delivered

Enrollment methods

MethodScenarioUser effort
Windows Autopilot, user-drivenNew or reset PC, user completes OOBE with their own credentialsLow, sign in once
Windows Autopilot, self-deployingKiosks and shared devices, no user sign-in needed at allNone
Autopilot pre-provisioning (white glove)IT or a reseller does the heavy provisioning before the device reaches the end userVery low, just a few final checks
Co-managementExisting SCCM-managed device, workloads gradually shifted to IntuneNone, transparent to the user
BYOD / personal enrollmentPersonal phone or laptop enrolling for app-level access onlyModerate, installs Company Portal, accepts management scope

Autopilot deployment profile types

ProfileBehavior
User-drivenStandard flow, device joins Entra ID as the signed-in user, most common for laptops shipped to employees
Self-deployingNo user interaction, device joins Entra ID as itself, used for kiosks and meeting room devices
Pre-provisioned (white glove)Splits provisioning into a technician phase and a user phase, shortens what the end user has to wait through

Assign the ring group before shipping the device, not after. A device sitting in the wrong ring on day one is much harder to fix once the end user is already working on it.

โœ… Compliance Policies

A compliance policy alone does nothing to sign-in behavior; it only produces a compliant or non-compliant label on the device. The label only matters once a Conditional Access policy actually checks it.

Compliance evaluation flow
Policy assigned to device
โ†’
Device evaluatedEach setting checked
โ†’
Marked compliant or non-compliant
โ†’
Read by Conditional Access

Common compliance checks

CheckPlatformWhy it matters
Require BitLocker / device encryptionWindows / iOS / AndroidData protection if the device is lost or stolen
Minimum OS versionAllKeeps out unpatched, end-of-support builds
Defender / antivirus activeWindowsConfirms real-time protection hasn't been disabled
Jailbreak or root detectioniOS / AndroidBlocks devices with security controls bypassed
Password or PIN requiredAllBaseline device-level access control

Grace period and marking non-compliant

โณ
Grace period

Give new devices time to check in

Set a 1 to 3 day grace period so a newly enrolled device isn't marked non-compliant before its first full policy sync completes.

๐Ÿšจ
Actions for non-compliance

Escalating response

  • Day 0: send email notification to the user.
  • Day 3: mark non-compliant, Conditional Access starts blocking.
  • Day 14: optional, add to a report for the endpoint team to investigate.

โš™๏ธ Configuration Profiles

Configuration profiles are how device settings actually get pushed. Reach for the Settings Catalog for anything new; keep the older profile types only for the handful of cases they still cover better.

Profile typeWhen to use
Settings CatalogDefault choice, searchable, most complete going forward
Administrative TemplatesADMX-backed settings not yet in the Settings Catalog, or migrating a known GPO setting directly
Custom (OMA-URI)Brand-new CSP not yet exposed anywhere in the UI
Endpoint security baselinesFast-start hardening defaults before fine-tuning individual settings
App configuration policiesFeeding settings into a managed app itself, not the OS (for example, Outlook mobile config)

Common OMA-URI custom settings

๐Ÿ–ผ๏ธ
Wallpaper

Set a corporate desktop wallpaper

OMA-URI: ./Vendor/MSFT/Personalization/DesktopImageUrl
Data type: String
Value: https://yourcdn.com/wallpaper.jpg
๐Ÿ“Œ
Taskbar

Pin apps to the taskbar

OMA-URI: ./Vendor/MSFT/Policy/Config/Start/HideTaskViewButton
Data type: Integer
Value: 1
๐Ÿ”’
Restrict

Block the local Store

OMA-URI: ./Vendor/MSFT/Policy/Config/ApplicationManagement/DisableStoreOriginatedApps
Data type: Integer
Value: 1

App protection policies (MAM), not the same as device management

App protection policies wrap data protection controls around a managed app (copy/paste restrictions, require PIN to open, selective wipe) without requiring the whole device to be enrolled. This is the right tool for BYOD phones where the user won't accept full device management, but still needs corporate email or Teams access.

๐Ÿ“ฆ App Management

Deployment type, assignment intent, and detection rules are the three things that decide whether an app install actually succeeds versus silently sits in "Pending" forever.

App types

TypeFormatBest for
Win32 app.intunewin package built with the Win32 Content Prep ToolTraditional EXE/MSI installers, most line-of-business apps
Line-of-business (LOB)Raw MSI/APPX uploaded directlySimple single-file installers with no custom detection needed
Microsoft Store app (new)Reference to the Store catalogConsumer and modern Store-distributed apps
Web linkJust a URL shortcutWeb apps that don't need a local install

Assignment intents

IntentBehavior
RequiredInstalls automatically, no user action needed
Available for enrolled devicesShows in Company Portal, user chooses to install it
UninstallRemoves the app from targeted devices

Win32 app requirements checklist

๐Ÿ“ฅ
Install command

What Intune actually runs

msiexec /i "app.msi" /qn /norestart
๐Ÿ”
Detection rule

How Intune knows it's installed

Use a registry key, file version, or MSI product code, whichever is most reliable for that specific app. A bad detection rule is the single most common reason an app shows "Installed" when it isn't, or loops endlessly trying to reinstall.

๐Ÿšช
Return codes

Common install return codes

CodeMeaning
0Success
3010Success, reboot required
1603Fatal error, check the MSI log
1618Another install already in progress

๐Ÿš€ Autopilot & Provisioning

Autopilot's whole value is that a device can go straight from the box to fully configured without IT ever touching it. That only works if the hardware hash is registered and the right profile is assigned before the box gets opened.

Autopilot deployment flow
Register hardware hash
โ†’
Assign deployment profile
โ†’
Ship to end user
โ†’
OOBE + Enrollment Status Page
โ†’
Ready to use

Registering hardware

๐Ÿงพ
Local capture

Export the hardware hash from an existing device

Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo -OutputFile "C:\Temp\autopilot-hash.csv"
๐Ÿ“ค
Import

Upload the CSV into Intune

Devices > Enrollment > Windows Autopilot Deployment Program > Devices > Import. Most OEMs also register hashes directly at the reseller/manufacturer level, skipping this step entirely for new purchases.

๐Ÿท๏ธ
Group tag

Use group tags to auto-assign profiles

Set a group tag at registration time (or via the reseller), then use a dynamic Entra ID group rule based on that tag to auto-assign the right Autopilot profile without manual per-device work.

Enrollment Status Page (ESP)

SettingWhat it controls
Block device use until required apps installWhether the user can skip past the ESP before critical apps land
Allow users to reset device if installation error occursGives a self-service recovery path instead of a stuck screen and a help desk call
TimeoutHow long ESP waits before showing an error, tune this to match your slowest typical app install, not the average

๐Ÿ›ก๏ธ Endpoint Security

Endpoint security profiles are Intune's curated, security-focused settings surface, split into categories that map closely to how a security team actually thinks about hardening.

CategoryConfigures
AntivirusDefender real-time protection, cloud-delivered protection, scan schedules, exclusions
Disk encryptionBitLocker method, recovery key escrow to Entra ID, startup authentication
FirewallDomain/private/public profile rules, logging, inbound/outbound rules
Endpoint detection and responseDefender for Endpoint onboarding, sample submission, tamper protection
Attack surface reductionASR rules blocking common malware behaviors (Office macros spawning processes, credential theft, etc.)
Account protectionWindows Hello for Business, credential guard

Practical notes

๐Ÿ”—
Defender integration

Connect Defender for Endpoint to Intune

Endpoint Security > Microsoft Defender for Endpoint > enable the connector, then compliance policies can factor in the device's Defender risk score, not just local antivirus state.

โš ๏ธ
ASR audit first

Roll out ASR rules in audit mode first

Every ASR rule supports an audit-only mode that logs what would have been blocked without actually blocking it. Run in audit for at least a week before switching to Block, ASR rules have real false-positive potential against legitimate scripts and macros.

โšก PowerShell / Graph Quick Fixes

Fast commands for common Intune situations.

๐Ÿ“ฒ
Force sync

Force a device to check in with Intune

Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $deviceId

Or locally: Settings > Accounts > Access work or school > Info > Sync.

๐Ÿงฐ
Restart agent

Restart the Intune Management Extension

Restart-Service -Name IntuneManagementExtension -Force

Use when Win32 app or script deployments are stuck pending. This restarts the local sync agent without a reboot.

๐Ÿ“„
Local logs

Where Win32 app install logs actually live

C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\
  IntuneManagementExtension.log
  Win32AppInventory.log
๐Ÿฉบ
Diagnostic report

Generate a local MDM diagnostic report

Settings > Accounts > Access work or school > Info > Create report
๐Ÿ—‘๏ธ
Remote wipe

Remote wipe or retire a device

Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $deviceId
Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $deviceId
Wipe returns the device to factory settings, retire only removes company data and management. Confirm which one before running it.
๐Ÿ“Š
Deployment status

Check a config profile's rollout status per device

Get-MgDeviceManagementDeviceConfigurationDeviceStatus -DeviceConfigurationId $configId |
  Select-Object DeviceDisplayName, Status, LastReportedDateTime
๐Ÿ”
Find non-compliant

List all non-compliant devices

Get-MgDeviceManagementManagedDevice -Filter "complianceState eq 'noncompliant'" |
  Select-Object DeviceName, UserPrincipalName, ComplianceState

๐Ÿงฏ Troubleshooting

The errors and symptoms that show up most often in the field, with the fastest verified fix for each.

Symptom / codeLikely causeFix
0x80180014Enrollment blocked by a device type restriction or the device limit per user has been reachedCheck enrollment restrictions and per-user device limits in Intune
0x87D1FDE8Sync failure, often policy conflict or a corrupted local MDM certificateRe-sync; if it persists, check dsregcmd /status for a valid MDM enrollment token
Win32 app stuck on PendingIntune Management Extension isn't running or hasn't picked up the assignment yetRestart the IntuneManagementExtension service, check its log for the specific error
App installs but shows as failed in IntuneDetection rule doesn't match what actually got installedVerify the detection rule against the real install path, registry key, or MSI product code
Device never receives any policy at allDevice isn't actually enrolled, or MDM auto-enrollment scope excludes the userdsregcmd /status to confirm join state; check Entra ID Mobility (MDM) scope is set to include the user
Autopilot device skips ESP entirely or shows wrong profileHardware hash matched to the wrong deployment profile, or profile wasn't assigned before the device bootedConfirm the serial number's assigned profile in the Autopilot devices list before shipping
ESP times out on required appsAn app in the required list is genuinely failing, or the timeout is shorter than the slowest app's real install timeCheck the specific app's install log first, only raise the timeout after confirming the app itself works
Compliance policy shows "Not applicable"Policy platform doesn't match the device's actual OS, or the assignment doesn't include that device's groupConfirm platform and group assignment on the policy match the device exactly