Topic Hub
Microsoft Intune
MDM policy, Autopilot enrollment, compliance baselines, app deployment, update rings, and co-management — operational coverage for endpoint engineers running Intune at enterprise scale.
Guides, scripts and analysis
Overview
What Intune Is Used For in Real Endpoint Environments
Intune is Microsoft's cloud-native MDM and MAM platform. In production it covers the full device lifecycle — from zero-touch provisioning through compliance enforcement, app distribution, and patch management — without requiring on-premises infrastructure.
Zero-touch device provisioning
Autopilot registers devices against your tenant so that when a machine is unboxed and powered on, it receives corporate policy, apps, and configuration with no imaging or manual setup required.
Compliance and Conditional Access
Compliance policies evaluate device health — encryption state, OS version, threat protection scores — and feed into Entra Conditional Access to block or grant access to Microsoft 365 and other cloud resources based on device posture.
App lifecycle management
Win32, Microsoft Store, and line-of-business apps are assigned as Required, Available, or Uninstall. Intune tracks install state per device and surfaces failures in the portal and via Graph API.
Configuration profiles
Settings Catalog, administrative templates, and custom OMA-URI policies replace Group Policy for cloud-managed fleets. Profiles target Entra ID security groups and report per-device application state.
Update rings and patch management
Quality and feature update deferral policies let you sequence rollout across pilot, early adopter, and production rings. Windows Autopatch can manage ring progression automatically for qualifying tenants.
Endpoint analytics and remediation
Proactive Remediation scripts (detect + remediate pairs) run on a schedule and report pass/fail counts in the portal. Endpoint Analytics tracks startup performance, restart frequency, and resource bottlenecks across the managed fleet.
Enrollment
Autopilot and Device Enrollment
How a device reaches Intune management determines what it can do and what policies apply. Most enterprise deployments use a mix of Autopilot, hybrid join, and manual enrollment for edge cases.
Recommended for new deployments
Autopilot v2 — Device Preparation
- What it does: Replaces v1 user-driven mode for Entra-joined devices. Uses a Device Preparation policy rather than an Autopilot profile, with faster provisioning time and a simplified ESP.
- Prerequisites: Device registered in Autopilot via hardware hash, Intune enrollment via OOBE, Device Preparation policy assigned to a device group (not a user group).
- Enrollment Status Page: Tracks the account setup and device setup phases. Configure the minimum set of apps to block on before the user reaches the desktop; omit non-critical apps to cut provisioning time.
- Common failure point: ESP stuck at 0% usually indicates the device cannot reach Intune endpoints. Check the WCD log at C:\Windows\Temp\MDMDiagnostics and verify network connectivity to *.manage.microsoft.com.
Legacy / kiosk scenarios
Autopilot v1 — User-Driven and Self-Deploying
- User-driven mode: Device arrives pre-registered. The user signs in with corporate credentials during OOBE and the device joins Entra ID and enrolls in Intune automatically.
- Self-deploying mode: No user interaction required; uses TPM attestation. Suited for kiosks, digital signage, and shared devices. Requires TPM 2.0.
- Pre-provisioning (White Glove): IT or the OEM pre-stages device policy and apps before delivering to the end user. Splits ESP into a technician phase and a user phase.
- Migration path: Microsoft recommends moving to v2 Device Preparation for new Entra-joined deployments. v1 profiles remain supported for hybrid join scenarios.
Mixed on-premises / cloud
Hybrid Azure AD Join + Co-management
- What it is: Devices joined to on-premises Active Directory and also registered in Entra ID. Enables co-management with SCCM, with workloads split between ConfigMgr and Intune.
- Workload sliding: In SCCM co-management settings, each workload (Compliance, Device Configuration, Windows Update) can be set to Pilot Intune or Intune when you are ready to migrate it.
- Policy conflict risk: Hybrid-joined devices can receive both GPO and Intune policy. Ensure a single management authority for each setting, especially Windows Update, BitLocker, and Defender.
- Common failure point: AAD Connect sync delay means the Entra device object has not appeared yet when Intune tries to match the enrollment. Check sync status and the device object in Entra ID.
MAM / user enrollment
BYOD and Corporate-Owned Personal
- Entra registered (BYOD): User enrolls via Company Portal or Settings > Access Work or School. The device receives MAM or MDM policy depending on tenant configuration. Not Entra joined.
- User enrollment (iOS/macOS): Apple-specific enrollment mode that separates managed and personal data at the partition level. Intune can manage work apps and data without touching personal storage.
- Opt-in MDM enrollment: A 2026 preview setting lets admins block automatic MDM enrollment triggered during Microsoft account sign-in to Windows, which matters for BYOD and multi-tenant scenarios.
- App protection policies: MAM policies enforce encryption, copy-paste restrictions, and PIN on managed apps (Outlook, Teams, Edge) without full MDM enrollment. Suited for unmanaged personal devices.
Latest News
May 2026 Patch Tuesday: admin deployment notes and checks
May 2026 Patch Tuesday deployment notes covering KB5089549 for Windows 11, Windows Server updates, BitLocker PCR7 known issue, Secure Boot certificate readiness, Intune Autopatch hotpatch, and WSUS deployment checks.
13 May 2026
April 2026 Patch Tuesday Breakdown – What Sysadmins Must Do This Month
Three zero-days confirmed exploited in the wild, plus KB5055523 fixes the Autopilot OOBE timeout regression on Dell and HP hardware that has been blocking zero-touch deployments for six weeks. Prioritise this month.
Apr 8, 2026
Best Practices for Securing Microsoft Intune
Microsoft's Intune Customer Success team has published a security hardening guide covering least-privilege admin role assignments, phishing-resistant authentication, privileged access hygiene, and Multi Admin Approval for sensitive configuration changes.
Mar 14, 2026
Compliance
Compliance Policies and Conditional Access
Compliance policies evaluate device state against a defined standard. Entra Conditional Access uses compliance signal as a gate — non-compliant devices can be blocked from Microsoft 365 services automatically.
Built-in compliance settings
Cover OS version minimum, BitLocker state, Secure Boot, code integrity, Defender real-time protection, and maximum allowed threat severity from Defender for Endpoint. Evaluated by the Intune management extension on a configurable schedule.
Custom compliance scripts
For settings not covered by built-in rules, PowerShell detection scripts return JSON that Intune evaluates against compliance rules you define. Useful for third-party AV state, hardware inventory checks, or custom security controls.
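An added example (constructed for this page, not AdminSignal's or Microsoft's code) of the pattern above: a discovery script covering the third-party AV and hardware checks mentioned, followed by the rules JSON it pairs with. The productState bit decoding, the approved TPM floor and the MoreInfoUrl values are assumptions for the example.

```powershell
# Custom compliance discovery script (added example, constructed for this page).
# Intune runs it as SYSTEM and compares the JSON keys it emits against the rules file.
# Every SettingName in the rules file must appear as a key in this output.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Antivirus real-time state from Windows Security Center (client SKUs only).
#    productState is a bitmask; treating bit 12 (0x1000) as "real-time on" is a common
#    community heuristic, not a documented contract, so verify against your AV product.
$avEnabled = $false
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct'
foreach ($p in $products) {
    if (((([int]$p.productState) -shr 12) -band 1) -eq 1) { $avEnabled = $true }
}

# 2. TPM specification version, e.g. "2.0, 0, 1.38" -> "2.0" (Version data type in the rules).
$tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName 'Win32_Tpm'
$tpmSpec = '0.0'
if ($tpm -and $tpm.SpecVersion) { $tpmSpec = ($tpm.SpecVersion -split ',')[0].Trim() }

# Intune expects a single compressed JSON line; emit nothing else to the output stream.
$discovery = [ordered]@{
    AntivirusRealTimeEnabled = $avEnabled
    TpmSpecVersion           = $tpmSpec
}
return ($discovery | ConvertTo-Json -Compress)

<#
Matching rules file, uploaded with the compliance policy's custom compliance setting.
Operators: IsEquals, NotEquals, GreaterThan, GreaterEquals, LessThan, LessEquals.
DataTypes: Boolean, Int64, Double, String, DateTime, Version.
{
  "Rules": [
    {
      "SettingName": "AntivirusRealTimeEnabled",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://intranet.example/av-policy",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "Antivirus real-time protection is off",
          "Description": "Turn real-time protection back on, then sync the device from Company Portal." }
      ]
    },
    {
      "SettingName": "TpmSpecVersion",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "2.0",
      "MoreInfoUrl": "https://intranet.example/tpm-requirement",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "TPM 2.0 required",
          "Description": "This device reports no TPM 2.0; contact the service desk for a hardware review." }
      ]
    }
  ]
}
#>
```

Devices that fail either rule show the Title and Description text in Company Portal, which is why the strings should tell the user what to do rather than restate the setting name.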
Actions for noncompliance
Configurable grace period before a device is marked noncompliant. Actions include: send email to user, remotely lock device, retire device, or mark as noncompliant immediately. The grace period gives IT time to remediate before access is blocked.
Conditional Access integration
The "Require device to be marked as compliant" CA grant control uses Intune compliance signal. Pair with "Require Entra joined or hybrid joined device" and MFA to build a strong access baseline. Emergency access accounts must be excluded from device compliance requirements.
Compliance policy targeting
Policies assign to Entra ID user or device groups. A device with no assigned compliance policy defaults to compliant — configure the tenant-wide default in Endpoint security > Device compliance > Compliance policy settings.
Monitoring compliance state
Devices > Monitor > Noncompliant devices shows per-device noncompliance reasons. The compliance per setting report shows which specific settings are failing across the fleet. Export-IntuneDeviceReport surfaces complianceState for bulk analysis.
Patch management
Update Rings and Windows Autopatch
Intune update rings give you ring-based quality and feature update deferral without WSUS infrastructure. Windows Autopatch layers automation on top, managing ring assignment and pause decisions based on fleet signal.
| Ring | Quality deferral | Feature deferral | Target group | Deadline enforcement |
|---|---|---|---|---|
| Ring 0 — Pilot | 0 days | 0 days | IT staff, lab machines | 3 days |
| Ring 1 — Early Adopters | 7 days | 30 days | Technically confident users, dev machines | 5 days |
| Ring 2 — Broad Phase 1 | 14 days | 60 days | Standard workforce sample | 7 days |
| Ring 3 — Production | 21 days | 90 days | Remaining managed fleet, VDI | 7 days |
Map each ring to an Entra ID dynamic device group. Assign update ring policies to device groups, not user groups, to ensure consistent enforcement regardless of who signs in. For Windows Autopatch, ensure devices meet prerequisites (Windows 11 or Windows 10 22H2+, Intune-managed, Entra joined or hybrid joined).
For the current monthly quality update, review the May 2026 Patch Tuesday deployment notes before broad Intune, Windows Update for Business, or Autopatch rollout.
Pausing a ring
Devices > Update rings > select ring > Pause. Pauses quality updates for up to 35 days. Use immediately when a problematic KB is confirmed — before it hits your next ring.
Windows Autopatch
Automates ring progression and pause decisions based on Microsoft telemetry. Releases devices from rings when update health metrics are green. Requires Intune P1 or Microsoft 365 E3/E5.
Avoiding GPO conflicts
Hybrid-joined devices with both a WSUS-targeting GPO and an Intune update ring will behave unpredictably. Audit with gpresult /H <report.html> on an affected device; only one management authority should own Windows Update settings.
Deep-Dive Tutorials
Rolling Out Microsoft Defender for Endpoint with Intune in a Managed Windows Fleet
A practical operational guide for rolling out Microsoft Defender for Endpoint with Intune across a managed Windows fleet, covering tenant connection, licensing, Plan 1 versus Plan 2, onboarding, endpoint security policies, antivirus, firewall, ASR, EDR, baselines, pilot rings, reporting, coexistence, rollback, and prevention checks.
30 min read · Advanced
Migrating Intune Administrative Templates to Settings Catalog Without Breaking Policy Behaviour
A practical migration guide for moving Intune Administrative Templates and older configuration profiles to Settings Catalog, covering inventory, duplicate settings, assignments, Graph PowerShell checks, conflict detection, pilot design, validation, reporting, rollback, and prevention controls.
26 min read · Advanced
Secure Boot CA 2023 Rollout Readiness for Enterprise Windows Fleets
A practical enterprise readiness guide for the Secure Boot CA 2023 rollout, covering 2026 certificate expirations, client and server differences, Intune readiness checks, PowerShell verification, registry and event evidence, BitLocker risk, Hyper-V Generation 2 VMs, firmware coordination, rollout rings, and recovery planning.
24 min read · Advanced
App deployment
App Deployment and Remediation Scripts
Intune handles app deployment from discovery through installation tracking. Proactive Remediations let you enforce state beyond what configuration profiles cover, using detect-and-remediate PowerShell script pairs.
Win32 app deployment (.intunewin)
Package the installer and dependencies using the Win32 Content Prep Tool to create an .intunewin file. Define install and uninstall commands, return codes, and detection rules. Win32 apps support complex dependency chains and are the right choice for most enterprise applications.
Detection rules
Detection rules tell Intune whether an app is installed. Use MSI product code for MSI packages, file or folder existence for custom installs, or registry key/value for apps that write a known key on install. Avoid version-only detection unless the app writes a consistent version string.
Required vs Available vs Uninstall
Required: installs automatically on targeted devices without user interaction. Available: appears in Company Portal for user-initiated install. Uninstall: removes the app from targeted devices. Assign to device groups for kiosks and shared devices; user groups for personal use cases.
Microsoft Store integration (new Store)
The refreshed Store app integration in Intune syncs Store apps directly — no sideloading or offline packaging required. Assigns like any other app type. Best suited for apps that publish to the new Store and maintain their own update mechanism.
Proactive Remediation scripts
Script pairs — a detection script and a remediation script — run on a schedule and report pass/fail counts per device in Endpoint Analytics. Use for enforcing settings that fall outside compliance policy scope: time zone, proxy config, local group membership, or legacy app cleanup.
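An added example of such a pair (constructed for this page, not AdminSignal's code) for one of the cases listed above, local group membership: the detection script reports unapproved members of the local Administrators group and the remediation script removes them. The approved-member list, the placeholder Entra group SID and the LAPS assumption are the example's own.

```powershell
# Proactive Remediation pair (added example, constructed for this page).
# Upload Detect.ps1 and Remediate.ps1 as separate files; each file carries its own copy of
# $ApprovedMembers and Get-UnapprovedLocalAdmin. Run as SYSTEM (not logged-on credentials)
# and in 64-bit PowerShell. Exit codes: detection 0 = compliant, 1 = run remediation;
# remediation 0 = succeeded, 1 = failed. Only the first output line appears in the report.

# Assumption: the built-in Administrator is the Windows LAPS-managed account and stays;
# replace the placeholder with the SID of your Entra device-administrator group.
$ApprovedMembers = @("$env:COMPUTERNAME\Administrator", 'S-1-12-1-ENTRA-ADMIN-GROUP-SID-PLACEHOLDER')

function Get-UnapprovedLocalAdmin {
    # ADSI is used instead of Get-LocalGroupMember, which throws on orphaned Entra SIDs.
    $group = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.Invoke('Members') | ForEach-Object {
        # AdsPath forms: WinNT://CONTOSO/jdoe, WinNT://WORKGROUP/PC01/Administrator,
        # WinNT://S-1-12-1-... (Entra principal). Normalise to DOMAIN\name or bare SID,
        # which is also the form Remove-LocalGroupMember accepts.
        $parts = (($_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)) -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { "$($parts[-2])\$($parts[-1])" } else { $parts[0] }
    })
    return @($members | Where-Object { $ApprovedMembers -notcontains $_ })
}

# ---------- Detect.ps1 ----------
try {
    $extra = Get-UnapprovedLocalAdmin
    if ($extra.Count -eq 0) {
        Write-Output 'Compliant: only approved members in Administrators'
        exit 0
    }
    Write-Output ('Unapproved local admins: ' + ($extra -join ', '))
    exit 1
} catch {
    # A detection error also returns 1 so the device is visible in the report, not hidden as a pass.
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}

# ---------- Remediate.ps1 ----------
try {
    $removed = @()
    foreach ($member in Get-UnapprovedLocalAdmin) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction Stop
        $removed += $member
    }
    Write-Output ('Removed from Administrators: ' + ($removed -join ', '))
    exit 0
} catch {
    Write-Output "Remediation error: $($_.Exception.Message)"
    exit 1
}
```

Pilot the detection script alone first (no remediation assigned) and read the detection output column in Endpoint Analytics; it shows exactly which accounts the remediation would remove before you let it run.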
PowerShell scripts (one-time)
One-time PowerShell scripts run once per device and are suited for configuration tasks at provisioning time. Unlike Proactive Remediations, they do not re-run on schedule. The Intune Management Extension (IME) log at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log captures execution detail.
Scripts & Automation
Get-StaleDevices
Identifies devices inactive for a configurable threshold across Intune, Entra ID, and on-premises Active Directory. Outputs CSV and HTML reports with remediation actions.
PowerShell
Export-IntuneDeviceReport
Uses the Microsoft Graph API to export a full Intune device inventory including compliance state, OS version, last check-in, and primary user to CSV or JSON.
PowerShell
Diagnostics
Reporting and Troubleshooting Workflow
Intune troubleshooting starts in the portal and goes deeper into device-side logs when the portal gives insufficient detail. Knowing where to look at each layer is what separates fast resolutions from hour-long guesses.
Intune portal — device detail blade
Devices > select device > Device configuration shows per-profile application status and the specific setting that failed. Devices > Troubleshoot + support > Troubleshoot shows assignment resolution for a specific user, including group membership and policy conflicts.
MDM Diagnostic Tool
Run mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -zip C:\Temp\mdm.zip on the affected device (quote the area list so the semicolons are passed through). The ZIP contains MDM event logs, registry snapshots, and the enrollment status page log; it is the fastest way to diagnose enrollment and ESP failures without remote access.
Event Viewer — MDM channels
Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider. The Admin and Debug channels log policy processing, setting application, and CSP errors. Event ID 404 = CSP setting failed. Event ID 814 = policy conflict.
Intune Management Extension log
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log records Win32 app downloads, installs, detection rule results, and PowerShell script execution. Filter by the app name or script ID for targeted investigation.
Graph API queries
GET /deviceManagement/managedDevices/{id}/deviceConfigurationStates returns per-profile compliance state. GET /deviceManagement/managedDevices?$filter=complianceState eq 'noncompliant' returns all noncompliant devices. Combine with Export-IntuneDeviceReport for exportable baselines.
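An added example (not the Export-IntuneDeviceReport script listed above) of the noncompliant-devices query run through the Microsoft Graph PowerShell SDK, handling the @odata.nextLink paging that a single GET misses and flagging devices that are both noncompliant and have stopped syncing. The module and permission scope are as Microsoft documents them; the 14-day stale threshold and the CSV path are assumptions.

```powershell
# Added example, constructed for this page. Requires the Microsoft.Graph.Authentication module
# and an identity holding DeviceManagementManagedDevices.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

function Get-IntuneNoncompliantDevices {
    param(
        # Noncompliant devices that also have not synced for this many days are flagged:
        # they are likely blocked by Conditional Access for a state nobody is remediating.
        [int]$StaleAfterDays = 14
    )
    $select = 'id,deviceName,userPrincipalName,operatingSystem,osVersion,complianceState,lastSyncDateTime'
    # Backticks stop PowerShell expanding $filter/$select; they are OData query options.
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?' +
           "`$filter=complianceState eq 'noncompliant'&`$select=$select"
    $results = [System.Collections.Generic.List[object]]::new()
    $now = (Get-Date).ToUniversalTime()

    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        foreach ($d in $page.value) {
            # Never-synced devices get MinValue so they sort as the most stale.
            $lastSync = if ($d.lastSyncDateTime) { ([datetime]$d.lastSyncDateTime).ToUniversalTime() }
                        else { [datetime]::MinValue }
            $days = ($now - $lastSync).TotalDays
            $results.Add([pscustomobject]@{
                DeviceName        = $d.deviceName
                User              = $d.userPrincipalName
                OS                = "$($d.operatingSystem) $($d.osVersion)"
                ComplianceState   = $d.complianceState
                LastSyncUtc       = $lastSync
                DaysSinceSync     = [int]$days
                StaleNoncompliant = ($days -gt $StaleAfterDays)
                Id                = $d.id
            })
        }
        # Results are paged; the final page carries no @odata.nextLink, which ends the loop.
        $uri = $page.'@odata.nextLink'
    }
    return $results
}

$devices = Get-IntuneNoncompliantDevices -StaleAfterDays 14
$devices | Sort-Object DaysSinceSync -Descending |
    Export-Csv -Path "$env:TEMP\intune-noncompliant.csv" -NoTypeInformation
'{0} noncompliant devices, {1} of them not synced in 14+ days' -f $devices.Count,
    @($devices | Where-Object StaleNoncompliant).Count
```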
Windows Autopilot deployment report
Devices > Monitor > Autopilot deployments shows per-device phase timing, ESP step results, and failure codes. The deployment profile assignment column confirms which profile the device matched. Cross-reference with the hardware hash in Devices > Enrollment > Windows enrollment > Devices.
Troubleshooting
Windows Autopilot Device Not Importing: Hardware Hash CSV, Duplicate Records, and Profile Assignment
A practical troubleshooting guide for Windows Autopilot import failures, covering hardware hash collection, CSV validation, duplicate records, tenant permissions, Intune Connector checks, deployment profile assignment, dynamic groups, Graph, safe retry, and recovery.
22 min read · Intermediate
Intune Device Not Syncing: Last Check-in Stale, Sync Button Not Helping, or Policies Not Arriving
A practical troubleshooting guide for Windows devices that stop syncing with Intune, covering portal checks, MDM enrolment state, Company Portal, scheduled tasks, event logs, registry evidence, IME health, network issues, Entra device objects, Graph checks, safe retry, and recovery.
21 min read · Intermediate
Microsoft Entra Dynamic Group Not Updating: Users, Devices, and Intune Assignments
A practical troubleshooting guide for Microsoft Entra dynamic groups that do not update, including rule syntax, user and device attributes, Graph checks, processing delays, Intune assignment impact, Autopilot targeting, stale device objects, and safe recovery.
20 min read · Intermediate
Intune Remediation Script Not Running, Detecting, Remediating, or Reporting
A practical troubleshooting guide for Intune Remediations that do not run, detect, remediate, or report correctly, covering licensing, exit codes, schedules, IME logs, PowerShell context, reporting delay, retry, and rollback.
18 min read · Intermediate
Intune Win32 App Install Stuck at Waiting, Pending, Installing, or Failed
A practical troubleshooting guide for stuck Intune Win32 app installs, covering IME health, AppWorkload.log, detection and requirement rules, targeting, dependencies, supersedence, Company Portal sync, retry, and rollback.
19 min read · Intermediate
Windows Update for Business Deferral Policy Not Applying in Intune: Practical Diagnosis
A practical diagnostic guide for Windows Update for Business deferrals that are ignored, overwritten, or blocked by feature update policies, quality update policies, Group Policy, WSUS, MECM, or co-management.
18 min read · Intermediate
Common problems
Where Intune Deployments Go Wrong
Most Intune failures are configuration or targeting problems, not platform bugs. These are the patterns that appear most often in production environments.
ESP stuck at 0%
The Enrollment Status Page hangs because the device cannot reach Intune service endpoints during OOBE. Check that *.manage.microsoft.com and *.cdn.manage.microsoft.com are reachable before the user completes sign-in. A proxy or firewall blocking these endpoints is the most common cause.
Policy not applied — wrong group type
Configuration profiles and update rings assigned to device groups apply based on the device object in Entra. If you assign to user groups, the policy applies when the user signs in — not at provisioning time. Kiosk and Autopilot self-deploy scenarios must use device groups.
Compliance shows "Not evaluated"
A device shows Not evaluated when it has not checked in since a compliance policy was assigned, when the IME service is not running, or when the device object in Entra does not match the Intune-enrolled identity. Trigger a sync via the Sync action in the portal or the Settings app.
Win32 app stuck in pending install
Check the IME log for download or detection failures. Common causes: incorrect detection rule (app is installed but detection returns false), install command not running as SYSTEM when required, or a dependency app that failed installation first.
Hybrid join device not enrolling in Intune
SCCM co-management must be configured with the Intune enrollment workload enabled. The co-management authority and the MDM auto-enrollment GPO (HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM\MDMEnrollmentURL) must point to Intune. Check the SCCM co-management dashboard for blocked devices.
BitLocker key not escrowed to Entra
This is a silent failure — no error on device, no alert in Intune. The key escrow happens via the BitLocker configuration profile CSP. Verify the profile is applied, then force escrow with Manage-bde -protectors -adbackup C: -id {keyprotectorID}. Check Entra ID device properties for the Recovery Keys tab.
Duplicate or stale device objects
Re-enrolled devices sometimes create a second Intune object. The old object retains the last compliance state and group memberships. Delete the stale object in Intune (Devices > All devices) — but verify it is not the active enrollment before deleting.
Policy conflict on hybrid-joined devices
A device receiving both a GPO and an Intune CSP for the same setting will apply whichever wins the MDM vs GPO precedence rules for that specific CSP. Use gpresult /H <report.html> and the Intune device configuration state page together to identify which settings are being overridden.
Reading path
Recommended AdminSignal Reading Path
If you are building out Intune coverage or onboarding to an existing deployment, work through content in this order — each piece builds on the previous.
1. Understanding Autopilot v2: Enrollment Profiles, ESP, and Common Failure Modes
   Start here if you are new to Autopilot or migrating from v1. Covers the Device Preparation policy, ESP configuration, and failure decision tree.
2. Deploy Windows 11 25H2 with Intune + Autopilot v2 (Zero-Touch, Production-Ready)
   End-to-end production deployment guide: tenant readiness, ESP config, app tiering, update rings, phased rollout, and pre-flight PowerShell toolkit.
3. Configuring Conditional Access for a Microsoft 365 Tenant
   Build the Conditional Access baseline that uses Intune compliance as a device gate. Covers compliant device enforcement, MFA, and emergency access.
4. Deploying Windows LAPS with Microsoft Intune
   Covers Windows LAPS policy configuration, reporting, and migration from legacy LAPS, a common early Intune hardening task.
5. Intune Compliance Policy Not Evaluating
   Troubleshoot devices stuck in Not evaluated or incorrect compliance states, the most common day-two operational issue.
6. Autopilot Enrollment Status Page Stuck at 0%
   ESP failure diagnosis: Event Viewer locations, MDM logs, and the six most frequent root causes with fixes.
Comparison
Intune vs SCCM / MECM
Co-management has blurred the lines between the two platforms, but the strategic direction is clear. Read the full breakdown to understand where each tool still earns its place.
Microsoft Intune vs. SCCM/MECM in 2025: Which Should You Use?
For new deployments and cloud-first organisations, Intune is the clear path. SCCM still has a role in environments with complex OSD requirements or significant on-premises infrastructure — but plan your exit strategy.
Official docs
Key Microsoft Documentation
Authoritative references for Intune configuration, compliance, and deployment. Use these alongside AdminSignal guides when you need policy syntax or service limits.
Microsoft Intune overview
Platform capabilities, licensing requirements, and supported platforms.
Windows Autopilot documentation
All Autopilot scenarios, prerequisites, and deployment modes including v2 Device Preparation.
Device compliance policies
Built-in compliance settings, custom compliance scripts, and noncompliance actions.
Update rings for Windows
Quality and feature update deferral policy configuration in Intune.
Win32 app management
Packaging, uploading, detection rules, dependencies, and supersedence.
Windows Autopatch overview
Automated update ring management on top of Intune: prerequisites and how ring progression works.