How to Configure Microsoft Intune to Manage Your Workstations

  • Post last modified:February 28, 2024

Microsoft Intune is Microsoft's cloud-based solution to control and manage workstations that are enrolled in the Microsoft Intune platform (Microsoft Endpoint Manager). It is an indirect replacement for traditional on-premises Group Policy, and as well as allowing you to manage your Windows devices, you can also use it to govern iOS/iPadOS, macOS and Android devices.

What are the benefits of using Microsoft Intune to manage your devices?

Microsoft Intune is cloud-based and can be accessed from anywhere with an internet connection. That means it does not matter whether your devices are in the office or in another country: if they are online they can receive changes to configuration or policy.

You also get much greater visibility of the compliance and configuration of your devices through the reporting features in Intune. Traditionally, with on-premises Active Directory you have little visibility of whether a device is working properly and receiving the all-important configuration settings you have applied to it. Microsoft Intune solves that problem by telling you if a device has not synced to the service recently and whether it has received the latest configurations.

Devices in Intune can also be controlled more easily when immediate attention is needed and the device is not on your corporate network. For example, if a device is lost or an employee has gone rogue you have the option to either lock the device entirely or perform a remote wipe, erasing any sensitive data on it.

Not only does Intune allow you to manage your Windows devices, you can also enrol your mobile devices, giving you complete visibility of your data environment in a single pane of glass.

How much does Intune cost and which licenses do I need?

To understand how much Intune is going to cost you, you first need to understand which licenses you need for your users or for your devices.

Notice I said licenses for your users or your devices: Microsoft offers two different licensing models for Microsoft Intune.

The first is the per-user license. This is the most commonly used licensing model and will likely be what you decide to use. You can purchase the Microsoft Intune license for £6 per license and assign it to users who have devices you wish to manage with Intune. Alternatively, there are some licenses which come with Intune packaged in; these are:

  • Microsoft 365 E3 & E5
  • Enterprise Mobility and Security E3 and E5
  • Microsoft 365 Business Premium 
  • Microsoft 365 F1 and F3
  • Microsoft 365 Government G3 and G5
  • Intune for Education

It is important that you evaluate which features you need in total from Microsoft 365 to decide which license, or combination of licenses, will be most cost effective for you.

Can I migrate traditional Active Directory policies to Microsoft Intune?

Yes! Intune has a built-in feature that analyses your existing on-premises Active Directory Group Policy Objects and translates them into the cloud. It works by analysing an XML export of all your GPOs and settings, then outputs a report which tells you which settings are supported in Microsoft Intune, which are deprecated and which are not supported.

How do I export my GPOs as an XML file?

First open the Group Policy Management console on your on-premises server and expand the Group Policy Objects folder to view all of your GPOs. Then right-click any GPO and click Save Report, give it a relevant name and save it as an XML file.

How do I import my XML file into Group Policy Analytics?

In Microsoft Endpoint Manager go to Devices, then Group Policy Analytics, where you will see the Import option. Choose the XML file you just saved and import it. Once the analysis completes you will be given a list of settings that you can use to plan your deployment of cloud settings.

How do I enrol devices into Microsoft Intune?

There are many different ways to enrol a device into Intune; here I will cover some common ways to enrol a Windows device.

Enrol a workgroup device

First we will assume you would just like to enrol a single device that is running Windows 10 and is in a workgroup. To enrol it, open the Settings app in Windows 10 and select Accounts, then select Access work or school from the left-hand menu. Under Related settings in the right-hand menu select Enrol only in device management. Enter the email address associated with your Intune license, click Next, then complete the Microsoft sign-in. Now, in the Microsoft Endpoint Manager admin centre, under Devices and Windows you should see your newly added device.

Enrol an on-premise domain joined device

In this scenario your Windows 10 workstation is joined to your on-premises Active Directory and your directory is synced to Azure AD with Azure AD Connect. You need to ensure you have auto-enrolment configured in Azure AD (steps can be found here) and your device must be hybrid joined to Azure AD (this can be done in Azure AD Connect).

Group Policy will then be used to enable auto-enrolment in Intune. Create a new policy linked to the computer OU that contains your hybrid joined devices, and add the following setting to it: Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD Credentials.
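As an added example (not from the original post), here is a PowerShell check to run on a workstation to confirm the prerequisites described above before expecting it to appear in Intune. It assumes the registry value names that this Group Policy setting writes (AutoEnrollMDM and UseAADCredentialType) and the field names printed by dsregcmd /status.

```powershell
# Added example: confirm a domain-joined Windows 10 device meets the hybrid join
# and auto-enrolment prerequisites described in the post. Run in an elevated
# PowerShell after the GPO has applied (e.g. after gpupdate /force).

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable
    $result = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-IntuneAutoEnrolmentPrereqs {
    $status = Get-DsregStatus

    # Registry location written by the "Enable automatic MDM enrollment using
    # default Azure AD Credentials" policy (assumed value names, see lead-in).
    $mdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy = Get-ItemProperty -Path $mdmKey -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        'Joined to on-premises AD'      = ($status['DomainJoined']  -eq 'YES')
        'Hybrid Azure AD joined'        = ($status['AzureAdJoined'] -eq 'YES')
        'Auto MDM enrolment policy set' = ([int]$policy.AutoEnrollMDM -eq 1)
        'Credential type configured'    = ([int]$policy.UseAADCredentialType -gt 0)
        'MDM enrolment URL discovered'  = -not [string]::IsNullOrEmpty($status['MdmUrl'])
    }

    $allPassed = $true
    foreach ($name in $checks.Keys) {
        $ok = $checks[$name]
        if (-not $ok) { $allPassed = $false }
        Write-Host ('{0,-32} {1}' -f $name, $(if ($ok) { 'PASS' } else { 'FAIL' }))
    }
    return $allPassed
}

# Non-zero exit code makes the result easy to consume from a remediation tool
if (Test-IntuneAutoEnrolmentPrereqs) { exit 0 } else { exit 1 }
```

A FAIL on the two join checks points at Azure AD Connect; a FAIL on the policy checks means the GPO has not reached this device yet.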

How do I manage device configuration with Microsoft Intune?

Managing device configuration for your workstations is one of the most important features of Microsoft Intune. In the Microsoft Endpoint Manager portal you use Configuration profiles to apply your settings to your devices. 

To create a new configuration profile, open the Microsoft Endpoint Manager admin centre, then from the left-hand menu select Devices and, under Policy, select Configuration profiles.

Select Create profile, then choose your platform from the pop-out window. In this instance we are going to select Windows 10 and later. Below that, change the profile type to Templates to choose from the pre-configured settings.

Let's then choose Device restrictions from the templates list and click Create. You will be brought to a new wizard-driven page to create your configuration profile. Start by entering an appropriate name and click Next. In the Configuration settings step, expand Control Panel and Settings, change the slider next to System Time modification to Block, then click Next.

In the Assignments step, click Add all devices; this ensures the configuration applies to every device the profile targets. In our case that is all Windows 10 and later devices.

On the Applicability Rules tab you can apply this configuration only if certain rules are or are not met, customising those rules to your own criteria.

Lastly review your settings and click create. You have now created your first configuration profile.

Can I manage my Windows updates with Microsoft Intune?

Microsoft does a great job of allowing you to manage Windows updates with Intune. I recommend you use this only for managing your standard updates and not for feature updates, which can be more impactful to users, but it all depends on your environment.

To manage updates with Microsoft Intune, go to the Microsoft Endpoint Manager admin centre, select Devices from the left hand menu then select Update rings for Windows 10 and later.

Click Create profile at the top of the page and follow the wizard. Start by giving your profile a meaningful name and click Next. On the Update ring settings page, choose your desired settings; here are mine!

[Image: Microsoft Intune update ring settings]

On the Assignments page I have decided to select Add all devices as I want this policy to apply to all my devices. Then on the final page click Create.

There you have it, you have created your first update ring! If you click into the update ring you can use the monitor tab on the left hand side to view the status of your devices.

How do I run scripts with Microsoft Intune?

Running scripts is a great way to apply custom configurations or software installations using Microsoft Intune. An example would be mapping a custom drive in a user's Windows profile, or installing an application and its settings on your devices automatically.

To run your own script on your devices, open Microsoft Endpoint Manager and, on the left-hand menu under Policy, select Scripts. Start by clicking Add at the top of the page and choose which OS this script is for (we are going to choose Windows 10 and later). Name your script appropriately and click Next. On the Script settings page select your script (it must be a PowerShell script!) and choose your desired settings. For example, if we were going to map a network drive with this script, we would want the script to run using the logged-on credentials, but we would not want to enforce a signature check or run in the 64-bit PowerShell host.

Next choose who you wish to assign the script to (whether it be all devices, all users or a specific group) and click Review + add.
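As an added example of the drive-mapping script discussed above (my own code, not from the original post), this is the kind of script you would upload with "run using the logged on credentials" set and the signature check and 64-bit host left off. The UNC path, drive letter and log file location are placeholders.

```powershell
# Added example: map a share as drive S: for the signed-in user via Intune Scripts.
# Runs in the user's context (not SYSTEM), so the user's own credentials are used
# to reach the share. Idempotent: safe to run at every check-in.

$DriveLetter = 'S'
$SharePath   = '\\fileserver.example.local\Shared'   # placeholder, replace with your share
$LogFile     = Join-Path $env:LOCALAPPDATA 'IntuneDriveMap.log'

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 's') $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

function Set-MappedDrive {
    param([string]$Letter, [string]$Path)

    # Reuse a correct existing mapping; replace a stale one pointing elsewhere
    $existing = Get-PSDrive -Name $Letter -PSProvider FileSystem -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.DisplayRoot -eq $Path) {
            Write-Log "Drive ${Letter}: already mapped to $Path, nothing to do."
            return $true
        }
        Write-Log "Drive ${Letter}: points at $($existing.DisplayRoot); removing stale mapping."
        Remove-PSDrive -Name $Letter -Force -Scope Global
    }

    # Off-network devices cannot reach the share; fail cleanly so Intune reports it
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Log "Share $Path is not reachable; device may be off the corporate network."
        return $false
    }

    try {
        # -Persist writes the mapping to the profile so it survives sign-out
        New-PSDrive -Name $Letter -PSProvider FileSystem -Root $Path -Persist -Scope Global -ErrorAction Stop | Out-Null
        Write-Log "Mapped ${Letter}: to $Path."
        return $true
    } catch {
        Write-Log "Failed to map ${Letter}: $($_.Exception.Message)"
        return $false
    }
}

# Intune treats a non-zero exit code as a failed script run, which shows in the monitor view
if (Set-MappedDrive -Letter $DriveLetter -Path $SharePath) { exit 0 } else { exit 1 }
```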

Summary

Thank you for taking the time to read our post. Here we discussed how Microsoft Intune works, how to enrol devices into the Microsoft Endpoint Manager platform and how to apply common settings and profiles to your devices. Here is some other related reading you may enjoy!

A complete overview of Azure Self Service Password Reset

How to get Free Azure Services Directory from Microsoft

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
