Intune & Endpoint Management Awareness
Managing devices at scale
Real-world analogy
Intune is fleet management for laptops and phones. You don’t visit every car in person — you push the same rules, apps, and updates to all of them, and block any car that falls out of spec.
What is it?
Intune (now under Microsoft Intune Suite) is Microsoft’s cloud-based MDM/MAM platform. Even when you don’t manage it directly, you should recognize enrollment, compliance, configuration, apps, and Conditional Access patterns.
Real-world relevance
A sales executive loses their laptop in an airport. Within 15 minutes: IT blocks the account (Entra), triggers Intune remote wipe, and BitLocker + device wipe ensure data is inaccessible. Two days later, new laptop auto-enrolls via Autopilot and the executive is productive again.
Key points
- Enrollment — the first step. Devices must enroll before they can be managed: Windows Autopilot, corporate-owned iOS/Android, BYOD enrollment, macOS via DEP. Enrollment ties the device identity to a user and an organization.
- Compliance policies — A compliance policy defines what ‘healthy’ means: OS version, encryption on, screen-lock timeout, no jailbreak. Non-compliant devices can trigger Conditional Access to block resources until fixed.
- Configuration profiles — Push settings: Wi-Fi, VPN, certificates, password rules, Windows baseline security. Admins don’t touch each device; they change the profile and Intune pushes it to every targeted device.
- App management — Deploy apps (required vs available). For mobile, app protection policies control company data inside apps (MAM) without full device control (MDM) — good for BYOD.
- Remote actions — Lock, wipe, reset, collect diagnostics, sync policy. A lost executive laptop can be wiped in minutes, especially when combined with BitLocker/FileVault.
- Updates and patching — Update rings for Windows Update for Business, feature update policies, driver updates. This is how modern fleets stay current without SCCM-era weekend cycles.
- Security baselines & Defender integration — Apply Microsoft security baselines (Windows, Edge, M365 apps). Integrate with Defender for Endpoint: its device risk score feeds into the compliance evaluation, so a risky device becomes non-compliant and Conditional Access blocks it until it is remediated.
- Reporting and exceptions — Show which devices are compliant, what policies are pending, what failed. Exceptions must be tracked with expiry, owner, and justification — never quietly forever.
Code example
// Conditional Access + Intune pattern (high level)
Policy: "Require compliant device for email and SharePoint"
Target: All users (exclude break-glass)
Apps: Office 365 + SharePoint
Platforms: Windows, macOS, iOS, Android
Condition: device state
Control: Require device marked as compliant

Compliance Policy (Windows):
- OS version >= N
- Encryption: BitLocker enabled
- Defender Antivirus: active, signatures up to date
- Password/PIN required
- Firewall: enabled
- Not jailbroken / rooted (mobile)

Action for non-compliance:
- Notification email after 24h
- Block access via CA after 72h if still non-compliant
- Helpdesk remediation steps in self-service portal
Line-by-line walkthrough
- 1. CA + Intune pattern
- 2. Policy header
- 3. Target users
- 4. Apps scope
- 5. Platforms
- 6. Conditions
- 7. Control
- 8. Blank separator
- 9. Compliance policy header
- 10. OS version minimum
- 11. Encryption on
- 12. Defender active
- 13. Password/PIN required
- 14. Firewall enabled
- 15. Not jailbroken/rooted
- 16. Blank separator
- 17. Non-compliance actions
- 18. Notification email
- 19. CA block after grace
- 20. Self-service remediation steps
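The same compliance policy and Conditional Access policy, created through the Microsoft Graph PowerShell SDK, as an added example (not code from the original page). Property names follow the Graph windows10CompliancePolicy and conditionalAccessPolicy resource types; the group id, notification template id and minimum OS build are placeholders or constructed values to replace with your tenant's own.

```powershell
# Added example, not code from the original page: creates the compliance policy and the
# Conditional Access policy described above through the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in admin holds the scopes below.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

# Placeholders: replace with object ids from your own tenant.
$breakGlassGroupId      = "<BREAK-GLASS-GROUP-OBJECT-ID>"
$notificationTemplateId = "<INTUNE-NOTIFICATION-TEMPLATE-ID>"

# 1. Windows compliance policy: OS floor, BitLocker, Defender, PIN, firewall.
$compliance = @{
    "@odata.type"           = "#microsoft.graph.windows10CompliancePolicy"
    displayName             = "Windows - baseline compliance"
    osMinimumVersion        = "10.0.19045"   # constructed value for "N"; use your oldest supported build
    bitLockerEnabled        = $true
    defenderEnabled         = $true
    antivirusRequired       = $true
    antiSpywareRequired     = $true
    passwordRequired        = $true
    activeFirewallRequired  = $true
    # Actions for non-compliance: e-mail at 24 h, mark non-compliant (so CA blocks) at 72 h.
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "notification"; gracePeriodHours = 24; notificationTemplateId = $notificationTemplateId }
                @{ actionType = "block";        gracePeriodHours = 72 }
            )
        }
    )
}
$cp = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# 2. Conditional Access: require a compliant device for Office 365 (includes SharePoint Online),
#    all users except the break-glass group, started in report-only mode.
$ca = @{
    displayName   = "Require compliant device for email and SharePoint"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing sign-in logs
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("Office365") }
        platforms    = @{ includePlatforms = @("windows", "macOS", "iOS", "android") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
$cap = New-MgIdentityConditionalAccessPolicy -BodyParameter $ca
"Created compliance policy $($cp.Id) and CA policy $($cap.Id) (report-only)."
```

Leave the CA policy in report-only until the sign-in logs show only the expected users would be blocked, then flip the state to "enabled".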
Spot the bug
Junior relaxes ALL compliance policies to ‘make the CEO’s tablet work faster’. Business data now flows to unencrypted, unmanaged devices.
What’s the right fix, and what risk did this introduce?
Data leakage and regulatory breach. Never weaken tenant-wide policies for one user. Use: scoped exception with explicit expiry, app protection (MAM) for BYOD where MDM is not feasible, and Conditional Access to require compliant device for sensitive apps. Review via PIM/access review.
Explain like I'm 5
Intune is a magic wand for every company laptop. Wave it once and all laptops learn: lock in 5 minutes, encrypt the disk, install the VPN, and if someone loses one, erase it remotely.
Fun fact
In many mature orgs, the phrase ‘your device is non-compliant’ has replaced ‘call IT’ as the front door to endpoint support. Users self-remediate via clear guidance, and IT only touches the edge cases.
Hands-on challenge
In a Microsoft 365 Dev tenant, enroll your own (spare) Windows VM or iPhone test device. Create a compliance policy requiring encryption and a screen-lock, then a CA policy that requires ‘compliant device’ for Exchange Online.
More resources
- Microsoft Intune documentation (Microsoft Learn)
- MD-102 Endpoint Administrator (Microsoft Learn)
- Intune essentials (John Savill)