Microsoft Intune

Intune-2026

Microsoft Intune Complete Setup 2026 — Enroll, Comply and Secure All Devices
Microsoft Intune Series · Week 3 · 🔥 Hot

Microsoft Intune Complete Setup 2026:
Enroll, Comply and Secure
All Devices

🧑‍💼 EUC Lead Architect · 14 Yrs Experience 📅 June 2026 ⏱ 18 min read 🎯 Enterprise & Mid-Market

The Call That Changed Everything

It was a Monday morning in 2022. My phone rang at 7:43 AM — before I had even opened my laptop. The IT Director at a 3,000-seat financial services firm was on the line, and his voice told me everything before his words did.

“We’ve had a breach. A contractor’s unmanaged laptop. It was never in SCCM. We have no idea what was on it or what it accessed.”

That single call crystallized something I had been telling clients for years: you cannot secure what you cannot see, and you cannot manage what you have never enrolled. The contractor’s laptop existed outside every boundary the organisation thought it had built. No compliance policy had ever touched it. No patch had ever reached it. And now it had become the entry point for an attacker who spent eleven days inside the network before anyone noticed.

That firm became one of my most intensive Intune deployments — 3,200 devices, six enrollment profiles, four compliance rings, and a Zero Trust Conditional Access architecture built from scratch in ninety days. This article is the distilled version of everything I learned not just from that project, but from fourteen years of deploying endpoint management solutions across industries ranging from financial services to healthcare to manufacturing.

💡 Architect’s Perspective Microsoft Intune in 2026 is not the same product it was in 2020. The rebranding to Microsoft Intune Suite, deep integration with Entra ID, and native Defender for Endpoint signal-sharing have transformed it from an MDM tool into the enforcement engine of your entire Zero Trust architecture. If you are still thinking of Intune as “mobile device management,” you are significantly underestimating what you are working with.

What Microsoft Intune Actually Is in 2026

Most engineers I interview can tell me that Intune manages devices. Very few can tell me the full scope of what that means in 2026. Let me give you the architect’s view.

Microsoft Intune is the unified endpoint management and security enforcement plane within the Microsoft 365 ecosystem. It sits at the intersection of three critical control surfaces: device management, identity governance, and security compliance. In 2026 it encompasses four distinct capability sets that most organisations treat as separate products — when in reality they are all within the Intune console.

🖥️

Mobile Device Management (MDM)

Full OS-level management for Windows 10/11, macOS, iOS, iPadOS, and Android. Configuration profiles, OTA updates, remote wipe, device inventory.

📱

Mobile Application Management (MAM)

App-level policy without device enrollment. Protect corporate data in apps on personal devices — without touching the personal partition. Critical for BYOD.

🛡️

Endpoint Security

Attack surface reduction, Defender AV policy, disk encryption (BitLocker/FileVault), firewall config, and EDR onboarding — all from a single Intune policy node.

🔗

Intune Suite Add-ons

Advanced EPM (Endpoint Privilege Management), Remote Help, Enterprise App Management, and Cloud PKI — premium capabilities added in 2023–2026.

✅ Key Architecture Point Intune does not operate in isolation. Its compliance signal feeds directly into Entra ID Conditional Access. A device that fails a compliance policy is automatically blocked from accessing corporate resources — without any manual intervention. This is the enforcement engine of Zero Trust.

The Complete Intune Setup Flow — Architecture Diagram

Before touching a single configuration in the Intune admin center, every enterprise deployment should start with a clear architecture map. After building this flow across dozens of organisations, here is the sequence that works — in order.

Microsoft Intune Complete Setup Flow 2026 FOUNDATION ENROLL COMPLY SECURE GOVERN STEP 1 — Tenant & MDM Authority Setup Set MDM Authority to Intune · Configure tenant settings · Enable device categories · Set enrollment limits STEP 2 — Entra ID Integration & Hybrid Join Configure Entra ID Connect · Enable Hybrid Azure AD Join · Set up device registration · Configure MDM scope in Entra STEP 3 — Choose Enrollment Method Select based on ownership model and OS platform Autopilot Corp · Zero-touch Windows 10/11 Co-management SCCM + Intune Hybrid migration DEP / ADDE Apple Business Mgr iOS · macOS BYOD / MAM Personal device App-only policy STEP 4 — Configuration Profiles & Baselines Windows Security Baseline · BitLocker · Firewall · Edge settings · Wi-Fi · VPN · Email · Certificate profiles STEP 5 — Compliance Policies per Platform OS version · BitLocker on · AV signatures current · Defender real-time on · Password complexity · Jailbreak detection STEP 6 — Microsoft Defender for Endpoint Integration Enable MDE connector · Deploy onboarding policy · Configure EDR · Set machine risk level in compliance policy STEP 7 — Entra ID Conditional Access Policies Require compliant device · Block non-compliant · MFA enforcement · Named locations · Sign-in risk policies STEP 8 — App Deployment & App Protection Policies Required apps · Available apps · Win32 apps · LOB apps · MAM-WE policies · App config policies STEP 9 — Monitor, Report & Continuous Improvement Intune reports · Compliance dashboard · Defender posture · Endpoint analytics · Log Analytics integration ✓ Zero Trust Enforced · All Devices Managed & Compliant Non-compliant devices automatically lose access via Conditional Access
⚠️ Architect Warning Do not skip to Step 7 (Conditional Access) before completing Steps 4 and 5. I have seen organisations enable “require compliant device” in Conditional Access before compliance policies were fully deployed — and lock every user out of Microsoft 365 simultaneously. Always build compliance policies first, monitor for 2 weeks in report-only mode, then enforce.

Enrollment Deep Dive — The Four Methods Explained

Enrollment is the foundation. If a device is not enrolled, nothing else in this article applies to it. That was the exact lesson from the breach story I opened with. Let me walk you through each enrollment method with real-world context from actual deployments.

Windows Autopilot — The Gold Standard for Corporate Devices

Autopilot is the method I specify for every greenfield corporate Windows 10/11 deployment without exception. It removes the need for imaging infrastructure entirely. A device ships from the OEM, the user powers it on, signs in with their corporate credentials, and Intune takes over — pushing configuration, apps, and security policies before the user reaches the desktop.

  • User-Driven mode — User signs in with Entra ID credentials. ESP (Enrollment Status Page) holds the desktop until all required apps and policies are applied. Default for most corporate deployments.
  • Self-Deploying mode — Zero user interaction. Device provisions itself using TPM attestation. Used for shared kiosks, meeting room devices, and digital signage.
  • Pre-provisioned (White Glove) — IT or the OEM completes the device phase before shipping. User experience at unboxing is dramatically faster because the device-phase is already done.
  • Autopilot for existing devices — Re-image existing devices with a task sequence that converts them to Autopilot-registered devices. Critical for migrations from SCCM-only environments.

we had 4,200 endpoints managed purely in SCCM. The migration brief was to get 80% into Intune co-management within six months, with the top 500 priority devices fully Autopilot-registered. We used the SCCM task sequence Autopilot conversion method for the existing fleet, and worked with the hardware vendor to pre-register all new purchases via hardware hash. By month three, new device setup time had dropped from 4 hours average to 42 minutes.

— Personal deployment experience, Land O’Lakes engagement

Co-management — The Realistic Migration Path

For any organisation with an existing SCCM estate, co-management is not optional — it is the only sensible migration architecture. Co-management lets SCCM and Intune coexist and manage the same device simultaneously, with workloads slid progressively from SCCM to Intune over time.

WorkloadSlide to Intune When…Keep in SCCM When…
Compliance PoliciesIntune compliance is fully configured and testedFirst 4 weeks of co-management pilot
Device ConfigurationGPO migration to Settings Catalog completeComplex legacy GPO still in use
Endpoint ProtectionMDE onboarding confirmed on all devicesThird-party AV still in transition
Resource AccessCloud PKI or SCEP profiles deployed via IntuneOn-prem CA still issuing certs
Windows UpdateWUfB update rings configured and testedWSUS still required for air-gapped segments
Client AppsWin32 app packaging in Intune validatedComplex app dependencies in SCCM collections

BYOD with MAM-WE — App Protection Without Device Control

This is the most misunderstood enrollment scenario I encounter. When a personal device accesses corporate data through a Microsoft 365 app, you have a choice: enroll the full device (invasive, rejected by most employees) or apply MAM Without Enrollment (MAM-WE) — which wraps only the corporate apps with policy, leaving the personal side completely untouched.

  • Data-at-rest encryption within corporate app containers
  • Prevent copy-paste from corporate to personal apps
  • Block save-as to personal storage locations (iCloud, Google Drive)
  • Remote selective wipe — removes only corporate data when employee leaves, personal photos and apps remain
  • PIN or biometric required to open corporate apps, independent of device lock screen

Compliance Policies — The Heart of Zero Trust Enforcement

A compliance policy in Intune is a set of rules that determines whether a device is considered healthy and trustworthy. The critical thing to understand is that compliance is not just an Intune concept — the compliance state from Intune flows directly into Entra ID, where Conditional Access uses it as an access control signal.

This is Zero Trust in action. The device proves it meets your security requirements. Entra ID verifies that compliance. Access is granted — or denied — based on that verified state, not on the assumption that “it is on our network so it must be safe.”

Windows 11Recommended Enterprise Compliance Policy — Windows
  • Minimum OS version: 10.0.22621 (Windows 11 22H2) — blocks downlevel devices from access
  • BitLocker required: Yes — Intune validates via Device Health Attestation (DHA) over HTTPS
  • Secure Boot required: Yes — validated via DHA, prevents bootkit attacks
  • Code Integrity required: Yes — ensures no unsigned kernel drivers are running
  • Defender real-time protection: Required — checks AV service state, not just signature age
  • Defender signature version: Not outdated by more than 3 days
  • Microsoft Defender for Endpoint risk level: Low or Clear — blocks high-risk devices from accessing corporate resources
  • Password complexity: Minimum 12 characters, alphanumeric with special characters
  • Password expiry: Align with Entra ID SSPR policy
  • Actions for noncompliance: 0 days — mark noncompliant immediately; 3 days — notify user via email; 7 days — notify user’s manager; 14 days — retire device
💡 Architect Insight — MDE Risk Level Integration The Microsoft Defender for Endpoint risk level setting in compliance policy is one of the most powerful and under-used controls available. When MDE detects active malware, suspicious process activity, or a critical vulnerability on a device, it raises the device risk level to High or Critical. If your compliance policy requires Low or Clear, that device is automatically marked noncompliant — and if your Conditional Access policy requires a compliant device, access is severed within minutes. This is automated incident response built into the access control layer.

Zero Trust Architecture with Intune and Entra ID

Zero Trust is not a product you buy. It is a security philosophy with three principles: verify explicitly, use least privilege access, and assume breach. Microsoft Intune, combined with Entra ID, gives you the technical mechanisms to enforce all three at the endpoint layer. Let me show you how the architecture works in practice.

Zero Trust enforcement flow: device to resource Device Enrolled in Intune Entra ID joined User signs in compliant? Microsoft Intune Evaluates compliance policy rules signal Entra ID Conditional Access Device compliant? MFA passed? Sign-in risk OK? Location trusted? ✓ ALLOW Access granted to M365 / Apps ✕ BLOCK Access denied. Remediate device Defender for Endpoint Device risk level signal Every access request is evaluated in real-time — no implicit trust based on network location

The Three Conditional Access Policies Every Organisation Needs First

  • CA001 — Require compliant or Entra hybrid joined device: Applies to all cloud apps, all users (excluding break-glass accounts). This is the foundational policy — no compliant device, no access. Deploy in report-only mode first.
  • CA002 — Require MFA for all users accessing Microsoft 365: Applies to Office 365 app, all users. Blocks sign-in without a second factor. The single most effective breach prevention control available.
  • CA003 — Block legacy authentication protocols: Applies to all cloud apps, all users, filter condition: client apps = legacy authentication clients. Legacy auth bypasses MFA entirely — this policy closes that gap.
❌ Critical Mistake Never apply Conditional Access policies to all users without first excluding at least two break-glass accounts. Break-glass accounts are cloud-only, Entra ID global admin accounts stored in a physical safe, exempt from all Conditional Access policies. If your CA policies are misconfigured and lock out all standard admins, break-glass accounts are how you recover access to your tenant.

Security Baselines and Endpoint Security Policies

A security baseline in Intune is a pre-configured group of settings recommended by Microsoft based on guidance from the Microsoft security team, NIST, and CIS benchmarks. They are versioned, so you can track what changed between baseline versions and make deliberate decisions about which settings to adopt.

As of 2026, Intune offers the following official baselines:

BaselineCurrent VersionCoversPriority
Windows Security BaselineNovember 2023OS hardening, credential guard, SMB signing, audit policiesDeploy First
Microsoft 365 Apps for EnterpriseMay 2023Office macro restrictions, ActiveX, add-in controlDeploy First
Microsoft Defender for EndpointSeptember 2023EDR settings, tamper protection, network protectionDeploy First
Microsoft EdgeSeptember 2023Browser security, extension control, phishing protectionDeploy Second
Windows 365 Cloud PC SecurityOctober 2023Cloud PC-specific hardeningIf Using W365
⚠️ Real-World Warning Security baselines are excellent starting points, but they are not plug-and-play in every environment. The Windows Security Baseline includes settings that break some legacy LOB applications — particularly those requiring unsigned drivers or older TLS versions. Always pilot a baseline on a small test group for at least two weeks before broad deployment. Document every setting you deviate from and the business justification.

SCCM to Intune Migration — The Architecture I Use

This is where I spend most of my consulting time. The majority of enterprise environments I enter are SCCM-dominant, with Intune partially configured or not configured at all. The migration is not a cutover — it is a phased workload transition with SCCM and Intune running in parallel throughout.

Phase 1Foundation — 0 to 30 days
  • Enable co-management in SCCM — point the SCCM cloud management gateway to your Intune tenant
  • Enrol the SCCM pilot collection (100 devices) into co-management — slide only Compliance Policies workload to Intune
  • Configure Entra ID Connect for Hybrid Azure AD Join on all SCCM-managed machines
  • Deploy Windows Security Baseline to pilot ring only
  • Enable MDE connector in Intune — do not push onboarding policy yet (verify pilot first)
Phase 2Expand Workloads — 30 to 60 days
  • Expand co-management to 25% of estate (staggered by site/geography)
  • Slide Device Configuration workload to Intune — begin GPO to Settings Catalog migration for pilot group
  • Deploy MDE onboarding package via Intune device config profile — validate sensor reporting in Defender portal
  • Configure Conditional Access CA001 and CA002 in report-only mode — review sign-in logs for policy impact
  • Begin Win32 app packaging for the top 20 applications by installation count
Phase 3Enforce & Harden — 60 to 90 days
  • Enable Conditional Access CA001, CA002, CA003 in enforce mode (post report-only validation)
  • Slide Endpoint Protection workload to Intune — Defender AV, ASR rules, and firewall policies managed from Intune
  • Enable BitLocker policy via Intune Endpoint Security — validate escrow of recovery keys to Entra ID
  • Enable Windows Update for Business rings — defer feature updates 30 days, quality updates 7 days for production
  • Audit all remaining SCCM-only workloads — plan final transition dates per workload
Phase 4Full Cloud Management — 90+ days
  • All workloads slid to Intune — SCCM retained for application deployment and OSD during transition
  • Autopilot registration completed for all new hardware purchases via hardware vendor hash upload
  • Endpoint analytics fully deployed — monitor device performance, boot times, and app reliability scores
  • SCCM decommission plan created — define final retirement date per site
  • Begin Windows 365 Cloud PC pilot if applicable for remote workforce segments

The Twelve Most Common Intune Mistakes I See in the Field

❌ Mistake 1 — No Pilot Ring Deploying configuration profiles or compliance policies directly to All Devices or All Users. Always pilot in a test group of 50–100 devices for minimum two weeks before broad deployment.
❌ Mistake 2 — Compliance Before Configuration Marking devices noncompliant for missing BitLocker or Defender before deploying the policies that enable those controls. The device cannot comply with a policy it has never received.
❌ Mistake 3 — Enforcing CA Before Compliance Coverage Enabling “require compliant device” in Conditional Access before compliance policies cover 100% of enrolled devices. This is the fastest way to generate a P1 incident by locking out your own users.
❌ Mistake 4 — No Break-Glass Accounts Applying Conditional Access policies to all accounts including Global Admins, without excluding break-glass emergency access accounts. Misconfigured CA can lock all admins out of the tenant.
❌ Mistake 5 — Ignoring the Conflict Resolution Order When multiple configuration profiles target the same setting with different values, the most restrictive setting wins on Windows — but this is not always what you intended. Review the Settings Catalog conflicts report weekly during initial deployment.
❌ Mistake 6 — BYOD Without MAM-WE Forcing full MDM enrollment on personal devices as the only BYOD option. This causes mass employee resistance and shadow IT proliferation. MAM-WE gives you data protection without touching the personal partition.

Entra ID Deep Integration — What Most Engineers Miss

The relationship between Intune and Entra ID is not an integration — it is a single unified identity and device control plane. Most engineers I mentor understand Intune for device management and Entra ID for identity. Very few understand that the compliance signal, the device object, and the access token are all part of the same evaluation chain.

Dynamic Device Groups — The Automation Layer

Manual Intune assignments to static groups do not scale. In any deployment over 200 devices, the assignment architecture should be built entirely on Entra ID dynamic device groups — membership rules that automatically place devices in the correct group based on device properties.

  • OS version targeting: (device.operatingSystemVersion -startsWith "10.0.226") — target only Windows 11 22H2+ devices
  • Autopilot device targeting: (device.devicePhysicalIds -any (_ -contains "[ZTDId]")) — automatically targets all Autopilot-registered devices
  • Corporate vs personal: (device.deviceOwnership -eq "Company") — separate management profiles for corporate vs BYOD
  • Department targeting: (device.extensionAttribute1 -eq "Finance") — use extension attributes synced from HR to apply finance-specific hardening

Entra ID Conditional Access — Named Locations and Sign-in Risk

Beyond the three foundational CA policies I described earlier, there are two additional controls that complete the Zero Trust picture at the identity layer:

  • Named Locations policy: Block access attempts from countries where your organisation has no employees. Reduces credential stuffing noise dramatically. Configure named locations with your trusted IP ranges and country whitelist.
  • Sign-in risk policy (Entra ID P2): When Entra ID Protection detects anomalous sign-in behaviour (atypical travel, leaked credentials, anonymous IP), it generates a sign-in risk score. A CA policy can require step-up MFA or block access when risk is Medium or High.

Licensing — What You Need for Each Capability

CapabilityLicense RequiredNotes
Basic MDM / MAMIntune Plan 1 (included in M365 E3/E5, BP)Core device management for all platforms
Windows AutopilotIntune Plan 1 + Entra ID P1No additional Autopilot license — Entra P1 needed for dynamic groups
Conditional AccessEntra ID P1 (included in M365 E3/E5)Named location and CA policy creation requires P1
Sign-in Risk CA PolicyEntra ID P2 (included in M365 E5)Entra ID Protection risk signals require P2
Co-management with SCCMIntune Plan 1 + ConfigMgrNo additional co-management license
Endpoint Privilege ManagementIntune Suite or EPM add-onNew in 2023 — replaces many third-party PAM solutions
Remote HelpIntune Suite or Remote Help add-onReplaces TeamViewer for compliant remote support
Microsoft Tunnel (VPN)Intune Plan 1Free, but requires Linux server on-prem or in Azure
Cloud PKIIntune SuiteReplaces on-prem NDES/SCEP infrastructure
Endpoint AnalyticsIntune Plan 1 (basic) / M365 E5 for full Adoption ScoreDevice health, boot times, app reliability

Practical Field Notes — Real Deployments, Real Lessons

At Pitney Bowes, we inherited an SCCM estate with 2,000+ Windows endpoints and 300 servers. Intune existed in the tenant but had never been configured for production use — just a handful of test devices enrolled by a previous engineer. The brief was to build a production-grade co-management architecture, deploy MDE via Intune, and establish a Conditional Access baseline that the security team could point to during their next ISO 27001 audit. We had four months. We did it in three.

— EUC Lead Architect, Pitney Bowes India Pvt Ltd

What Worked

  • Dynamic group architecture first: Before enrolling a single device in co-management, we built the full Entra ID dynamic group structure. This meant the moment a device enrolled, it was automatically placed in the right group and received the right policies — no manual assignment backlogs.
  • MDE connector before compliance policy: We deployed the MDE connector and onboarding package two weeks before adding the MDE risk level requirement to compliance policies. This gave all devices time to appear in the Defender portal and settle to their baseline risk level before being evaluated.
  • Report-only CA for 30 days: Running all CA policies in report-only mode for a full month before enforcing them revealed 23 legacy service accounts and 4 shared mailbox accounts that were being used for interactive sign-in. We had time to fix them properly rather than discovering them via a P1 lockout.
  • Pilot ring with IT champions: We onboarded the helpdesk team in the first pilot ring. They became expert troubleshooters before any business users were impacted, which reduced L1 ticket volume by roughly 40% in the first month of broad rollout.

What We Had to Fix

  • SCCM client and Intune co-management conflict on firewall profiles: The Windows Security Baseline we deployed via Intune conflicted with an existing SCCM firewall GPO. The SCCM GPO was winning on some machines, Intune on others, creating inconsistent compliance states. Resolution: slide Endpoint Protection workload fully to Intune and block the SCCM GPO via group policy loopback.
  • BitLocker recovery key escrow failure on pre-existing encrypted devices: Devices that were already BitLocker encrypted before Intune enrollment did not automatically upload recovery keys to Entra ID. We had to deploy a PowerShell script via Intune to silently re-back-up keys for all pre-encrypted devices.
  • Autopilot hash registration delay: For existing devices converted to Autopilot using the SCCM task sequence method, hardware hash upload to the Autopilot service could take up to 24 hours to sync to Intune. Build this delay into your deployment window or pre-stage hashes during a maintenance window.

Final Thoughts — Intune Is Your Zero Trust Foundation

After fourteen years of working with endpoint management platforms — from SCCM 2007 to ConfigMgr Current Branch to Intune — I can say with confidence that Microsoft Intune in 2026 is the most capable endpoint management and security enforcement platform available to organisations running Microsoft 365.

But capability is not the same as implementation. The organisations that get the most out of Intune are not the ones with the most licences — they are the ones that understand the architecture, build it in the right order, and treat device compliance not as an IT checkbox but as a live security signal feeding into every access decision across the enterprise.

  • Enroll everything — you cannot secure what you cannot see. Unmanaged devices are your biggest risk surface.
  • Build compliance policies before you build Conditional Access — sequence matters more than speed
  • Treat MDE risk level integration as mandatory, not optional — it is automated incident response built into your access control layer
  • Run all CA policies in report-only mode for at least 30 days — the sign-in logs will surprise you every time
  • Dynamic groups are not a shortcut — they are the scalable architecture that makes everything else maintainable
  • Co-management is a journey, not a cutover — slide workloads progressively, validate each phase before moving on

The next articles in this series go deep into each phase: a full Autopilot deployment lab, the Settings Catalog GPO migration guide, Endpoint Privilege Management for replacing local admin rights, and the MDE + Intune security operations workflow.

Upcoming in This Series

Week 4
Autopilot Deep Dive — Full Lab
Week 5
Settings Catalog: GPO to Intune Migration
Week 6
Endpoint Privilege Management
Week 7
MDE + Intune SOC Workflow
Week 8
Intune Reporting & Endpoint Analytics
Week 9
Intune Suite: Cloud PKI & Remote Help

Build It Right the First Time

Subscribe to the blog for hands-on Intune labs, real-world deployment walkthroughs, and enterprise Zero Trust architecture guides — from someone who builds these every day.

A
Written by
Anand Kumar
Microsoft Security Consultant and IT EUC Engineer with 15+ years helping organisations modernise endpoint management and lock down Microsoft 365 using Zero Trust principles.

Leave a Comment

Your email address will not be published. Required fields are marked *