
Getting Started With Intune

There are several reasons to set up Intune for your organization. Intune can help with managing the devices your staff use every day. It can also help secure those devices and make access to resources easier. Not to mention it can greatly reduce the workload of your IT department, and we all love a happy IT department. We like coffee; bring coffee... ☕


Getting Started | Create Intune Group | Assign a License | Setup Autopilot | Setup a Local Administrator

Why I use Intune

Personally, I'm leveraging Intune to eliminate some recurring problems we're having. At my organization the computer skills of our users range from desolate - meaning they know how to press the button to power on the laptop, but that's about the extent of how comfortable they are working on a computer - to dangerous. You know those people who are comfortable working on their computer, don't call very often, but know just enough to mess something up, then call you to fix what they were trying to do.

My main goals for Windows Clients

Getting Started with Intune

Before you start: make sure you are familiar with the price of this online service. Licensing can add up quickly, especially in larger organizations, because certain features require specific licenses. For example, an Office 365 E1 license costs $10.50 per user per month. This gives each user access to the web versions of the Office suite, e-mail, OneDrive and SharePoint. For some this is certainly enough, but for those that use shared systems where one Office MAK key is needed, this cost may be prohibitive. Note that Intune itself is not included in Office 365 E1; it comes with Microsoft 365 Business Premium, Microsoft 365 E3/E5, Enterprise Mobility + Security, or as a standalone Intune plan, so budget for one of those on every user you intend to manage.

Let's start with Azure Active Directory (AAD), or, depending on when you're reading this, Microsoft Entra ID (for clarity, Microsoft has been warning of this name change for far longer than required). You'll need a Microsoft 365 tenant. This means your user accounts and domain information live in Microsoft 365. If you already have an on-premises Active Directory domain, you can synchronise it to the tenant with Microsoft Entra Cloud Sync.

Next, you need to ensure you have the right license. Luckily, I have a list for you:

More information can be found here: https://learn.microsoft.com/en-us/mem/intune/fundamentals/licenses

Create your Intune Group

OK, we're back. Now what to do with those tasty licenses? My suggestion is to assign them to a security group, then add the users you wish to configure to that group. This way, you only have to make the assignment once, which makes the process much easier. Later, you'll see it's also much easier to assign policies to one group rather than to several users or devices.

How do we do this? First, head over to https://portal.azure.com, find Azure Active Directory, then Groups, then click New Group. Choose the group type Security with assigned membership; a mail-enabled or Microsoft 365 group is not needed for this.

Azure Active Directory Groups

Now the details:
Azure Active Directory Group Details

Assign a License to your group

Once you've made your group, find it and assign your license to the group
(Azure Active Directory -> Groups -> your group -> Licenses).
A good exercise to do now is to look at the users you've added to the group and see what licenses they have. You'll notice users that are members of your Intune group have inherited their license from the group. It's important NOT to assign the same license both directly to a user and through the group. That is an easy way to lose track of licenses: a user who also holds a direct assignment keeps the license after you remove them from the group, so the seat stays consumed.

User Licenses

As you can see from the image above, the user has one license inherited only from the group (Inherited (Intune)) and another license that is both directly assigned and inherited from the group (Direct, Inherited (Intune)).
The second case is a big no-no.
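The group, the license assignment and the "Direct, Inherited" audit above can all be done from the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original post; the group name and the SKU part number (SPE_E3, Microsoft 365 E3) are assumptions you should change to match your tenant. It uses the licenseAssignmentStates property on each user, where a state with no assignedByGroup value is a direct assignment.

```powershell
# Added example (not from the original post): create the Intune security group,
# license it, and flag users who hold the same SKU directly AND via a group.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'Organization.Read.All', 'User.ReadWrite.All'

$groupName     = 'Intune'   # assumption: display name of the Intune security group
$skuPartNumber = 'SPE_E3'   # assumption: Microsoft 365 E3; run Get-MgSubscribedSku to list yours

# 1. Create (or reuse) a security group with assigned membership.
$group = Get-MgGroup -Filter "displayName eq '$groupName'" | Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $groupName -MailNickname $groupName `
        -MailEnabled:$false -SecurityEnabled:$true `
        -Description 'Users and devices managed by Intune'
}

# 2. Assign the license to the group; Entra applies it to every member.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $skuPartNumber
if (-not $sku) { throw "SKU $skuPartNumber is not present in this tenant" }
Set-MgGroupLicense -GroupId $group.Id `
    -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = @() }) `
    -RemoveLicenses @()

# 3. Audit: a direct assignment next to a group assignment for the same SKU is
#    the "Direct, Inherited" case. The group should be the single source of truth.
$users = Get-MgUser -All -Property Id, UserPrincipalName, LicenseAssignmentStates
foreach ($u in $users) {
    $states  = $u.LicenseAssignmentStates | Where-Object { $_.SkuId -eq $sku.SkuId }
    $direct  = $states | Where-Object { -not $_.AssignedByGroup }
    $byGroup = $states | Where-Object { $_.AssignedByGroup }
    if ($direct -and $byGroup) {
        Write-Warning "$($u.UserPrincipalName): $skuPartNumber assigned directly AND via group"
        # Uncomment to remove the direct copy; the group assignment keeps the user licensed.
        # Set-MgUserLicense -UserId $u.Id -AddLicenses @() -RemoveLicenses @($sku.SkuId)
    }
}
```

Run the audit part again after any bulk user import: migration tools and older scripts tend to assign licenses directly, which is exactly how the duplicate assignments creep back in.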

Having done this, what exactly does it allow you to do? For one, users can now sign in and register devices with their Azure AD account. We haven't yet configured the policies and best practices around that, but it is possible. Until you're ready for that to happen, I suggest not having any users in your Intune security group apart from a test account. That way nobody is affected by the changes you make to your infrastructure.

You can now restrict who may join devices to this group. Do this by going to https://portal.azure.com -> Microsoft Entra ID -> Devices -> Device settings, set "Users may join devices to Microsoft Entra" to Selected, and pick the group. Leaving it at All means any user in the tenant can join a device, which you do not want while you are still testing.

Allow Users to Join

Setup Windows Autopilot

Firstly, what is Microsoft Autopilot? Autopilot is a service which can:

Head over to your Azure portal - https://portal.azure.com - and find your Azure Active Directory (Microsoft Entra ID). From there scroll way down and select Mobility (MDM and MAM). If Microsoft Intune is not already listed, select Add application and choose Microsoft Intune, then open it.

You'll be presented with some options. The only thing you need to change here is the MDM user scope, which controls who this application (and therefore automatic MDM enrollment) applies to: set it to Some, click "No groups selected" and choose the group you created in the previous step. The other options (the terms of use, discovery and compliance URLs) can remain at their defaults unless you have something custom.

Intune MDM / MAM Settings

That wasn't too complicated, now was it? Now it's time to make an enrollment profile.

You'll need to be in your Intune admin center - https://endpoint.microsoft.com (now https://intune.microsoft.com) - then navigate to:
Devices -> Windows -> Windows enrollment -> Automatic Enrollment

Intune MDM / MAM Settings

The next screen looks eerily like the first one on this page. Ensure you select the correct groups for the MDM user scope here as well.

Now under Windows Autopilot Deployment Program, select Deployment Profiles

Select Deployment Profiles

From there, select Create Profile then Windows PC

Below are the settings I have configured:

Basics
Name: Default Windows Enrollment Profile
Description: (none)
Convert all targeted devices to Autopilot: No
Device Type: Windows PC

Out-of-box experience (OOBE)
Deployment Mode: User-Driven
Join to Microsoft Entra ID as: Microsoft Entra Joined
Language (Region): select your appropriate region
Automatically configure keyboard: Yes
Microsoft Software License Terms: Hide
Privacy Settings: Hide
Hide change account options: Hide
User account type: Standard
Allow pre-provisioned deployment: Yes
Apply device name template: Yes
Enter a name: Intune-%RAND:5%

Two of these deserve a note. "User account type: Standard" keeps the user who enrolls the device out of the local Administrators group, which is the least-privilege choice; a separate local administrator account, managed with LAPS, covers the cases where admin rights are genuinely needed. The device name template must be 15 characters or fewer, may contain only letters, digits and hyphens, cannot be all digits, and supports two macros: %SERIAL% (the hardware serial number) and %RAND:x% (x random digits).

Assign this profile to the appropriate group(s).
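Once a test device has gone through Autopilot, it is worth confirming that the profile above actually produced what you expect before you add real users to the group. The script below is an added example, not code from the original post. Run it on the provisioned device as the user who enrolled it; it parses dsregcmd /status for the join and MDM state, checks the computer name against the profile's device name template (an assumption: change $nameTemplate if yours differs), and verifies that the signed-in user is not a local administrator, which is what "User account type: Standard" is supposed to guarantee.

```powershell
# Added example (not from the original post): post-Autopilot verification.
# Run on the freshly provisioned device as the enrolling user.
$nameTemplate = 'Intune-%RAND:5%'   # assumption: same template as the deployment profile

function ConvertTo-TemplateRegex {
    # Turn an Autopilot device name template into a regex:
    # %RAND:x% becomes x digits, %SERIAL% becomes an alphanumeric run.
    param([string]$Template)
    $pattern = [regex]::Escape($Template)
    $pattern = $pattern -replace '%RAND:(\d+)%', '\d{$1}'
    $pattern = $pattern -replace '%SERIAL%', '[A-Za-z0-9]+'
    return '^' + $pattern + '$'
}

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-LocalAdmin {
    # whoami /groups lists BUILTIN\Administrators (S-1-5-32-544) whenever the
    # account is a member, even under a UAC-filtered token ("deny only").
    return [bool]((whoami /groups) -match 'S-1-5-32-544')
}

$status = Get-DsregStatus
$checks = [ordered]@{
    'Entra joined'               = ($status['AzureAdJoined'] -eq 'YES')
    'Not on-prem domain joined'  = ($status['DomainJoined']  -eq 'NO')
    'MDM enrolled in Intune'     = ($status['MdmUrl'] -match 'manage\.microsoft\.com')
    'Name matches template'      = ($env:COMPUTERNAME -match (ConvertTo-TemplateRegex $nameTemplate))
    'Signed-in user is standard' = (-not (Test-LocalAdmin))
}

$failed = 0
foreach ($check in $checks.GetEnumerator()) {
    $result = if ($check.Value) { 'OK' } else { $failed++; 'FAIL' }
    '{0,-28} {1}' -f $check.Key, $result
}
if ($failed) { Write-Warning "$failed check(s) failed; review the deployment profile and MDM scope." }
```

If "MDM enrolled in Intune" fails while "Entra joined" passes, the usual cause is the MDM user scope: the user who enrolled is not in the group selected under Mobility (MDM and MAM) or under Automatic Enrollment, so the device joined Entra but never enrolled in Intune.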

Next we'll look at adding a local administrator to your Intune-joined devices, and how to use LAPS to manage the password for this account.