This blog is mostly about Intune Endpoint Management, Modern Workplace and Mobile Device Management (MDM), with a special focus on security.

This post gives a high-level introduction to Microsoft Intune. The audience is people who are new specifically to Intune. You don't need a deep technical understanding, but you may be familiar with some of the products Microsoft offers. The idea is to give a starting point and to refer to other posts that provide more detailed information.

If you want to dig deeper, you can follow my whole path through the technology. There is a more technical version found here if you don't want to just scratch the surface.

What is Intune in the Microsoft Cloud?

Let's start with the fundamentals. The Microsoft Cloud is nothing more than datacenters all over the world that provide all kinds of IT products, services and resources.

  • Microsoft 365 is a multi-tenant SaaS (Software as a Service) offering
  • Azure is the platform that hosts all Microsoft Cloud services
  • Intune is a SaaS product running on Azure, located within the Enterprise Mobility + Security suite


What is Intune?

Microsoft Intune is a cloud-based Mobile Device Management (MDM) solution that enables organizations to enroll, configure, update and monitor device endpoints and to manage applications.

Why should you use Intune?

There are common factors that are drawbacks of previous MDM systems and advantages of Intune:

Drawbacks of previous systems:

  • Excessive administration and operation effort for the previous system
  • Few or no updates were made (OS/security/feature updates)
  • A conflict with the contemporary enterprise strategy

Advantages of Intune:

  • It's a Microsoft product, and many other products live in the same ecosystem (a jungle of services, e.g. Azure AD, the Defender suite)
  • Up to date from every angle
  • Simplicity and automation options
  • (License) costs and future-proofing


  • Manage devices
    • OS-independent
    • Configurations and scripts
  • Endpoint Security
    • Antivirus/Disk encryption/Firewall/Endpoint Detection & Response/Attack Surface Reduction/Account Protection
  • Apps
    • Include Win32 packages
    • Windows Store
  • Reports
    • Analytics to compliance, update and security
    • Compliance integrated


Endpoint Manager admin center

This is the Endpoint Manager admin center, the central portal for all tasks.

Enterprise Join

The next thing to consider is the enterprise join type. You can go for Hybrid Azure AD Join (with on-premises components) or Azure AD Join (cloud-only). With an Active Directory Domain Services join you will need connector services, though a hybrid environment also offers more possibilities.

Configuration options

There are 3 main ways to control endpoints:

1. Device configuration profiles

Here you can configure everything that happens on the system (comparable to group policy objects, but Intune offers a wider range of configurations and settings).

2. Scripts

You can natively deploy PowerShell scripts to perform certain tasks.

3. Compliance profiles

Compliance is measured against the configurations you make compulsory; you also specify the actions that are taken when these requirements are not met.
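To make the "Scripts" and "Compliance profiles" options above more concrete, here is an added example of the kind of PowerShell script you could deploy through Intune. It is not code from the original post or from Microsoft; it checks three endpoint security settings (BitLocker on the OS drive, Defender real-time protection, and all firewall profiles enabled), prints the result as JSON, and exits non-zero when anything is off. It assumes a Windows 10/11 device with the BitLocker, Defender and NetSecurity PowerShell modules present, and it relies on Intune marking a script run as failed when the exit code is non-zero, which is how the result shows up in the portal.

```powershell
# Added example (not from the original post): an Intune-deployable PowerShell script
# that reports on a few endpoint security settings.
# Assumptions: Windows 10/11 with the BitLocker, Defender and NetSecurity modules;
# Intune reports the run as failed on a non-zero exit code.

function Test-DeviceSecurityState {
    $result = [ordered]@{}

    # 1. Is the OS drive protected by BitLocker?
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result['BitLockerOsDrive'] = ($null -ne $osVolume -and $osVolume.ProtectionStatus -eq 'On')

    # 2. Is Defender real-time protection enabled?
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result['DefenderRealTime'] = ($null -ne $mp -and $mp.RealTimeProtectionEnabled)

    # 3. Are all firewall profiles (Domain, Private, Public) turned on?
    $profiles = Get-NetFirewallProfile -ErrorAction SilentlyContinue
    $disabled = @($profiles | Where-Object { $_.Enabled -ne 'True' })
    $result['FirewallAllProfiles'] = ($null -ne $profiles -and $disabled.Count -eq 0)

    return $result
}

$state = Test-DeviceSecurityState

# Emit the findings as compact JSON so they are readable in the script output
# and easy to collect elsewhere.
$state | ConvertTo-Json -Compress | Write-Output

# Any failed check makes the whole run fail, which surfaces in the Intune portal.
$failed = @($state.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
if ($failed.Count -gt 0) {
    Write-Output "Non-compliant settings: $($failed -join ', ')"
    exit 1
}
exit 0
```

Run it locally in an elevated PowerShell session first to see the JSON line it produces; when assigned through Intune, the same output and exit code are what the per-device script status is based on. The checks mirror settings you would normally enforce with configuration or compliance profiles, so a script like this is useful for verification, not as a replacement for those profiles.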

OS updating

Windows feature and quality updates run through scheduled update rings or targeted release profiles. Once the policy is configured, updates run almost entirely without interaction. A common approach is to define several rings that delay updates by different amounts to create an update cycle: first the IT department, then pilot users and finally the rest of the company.


As you would expect, in terms of security Microsoft provides industry-leading capabilities and a lot of products, and Intune integrates with most of them. Endpoint detection and response supplied first-hand by Microsoft Defender (read more about Microsoft Defender for Endpoint) and identity and access management (IAM) from Azure AD are key points.

This is my security guide covering all topics within the Microsoft sphere.


Intune works with some great third-party products that can be implemented to raise the technology and automation level even further.


TeamViewer enables remote support, built into the Intune device portal. Read my blog article about TeamViewer + Chocolatey + Intune, a modern approach to enterprise remote assistance.


I also recommend taking a look at the Chocolatey package manager to install and keep common software up to date with a minimal amount of effort.

How to go on

After this introduction, I would suggest continuing with these posts:
