Anoop C Nair

Let’s discuss the Intune Starter Kit, a Helping Hand for IT pros who want to learn Intune. Loads of people requested a starter kit for Intune, as I have one for the SCCM 2012 starter kit, and the SCCM 2012 starter kit page was handy for the community (I think that is why people are requesting the Intune Starter Kit).

This post will mainly concentrate on Intune standalone (not Intune Hybrid and Office 365 Intune MDM). In most cases, there is no need/very minimal need for on-prem infrastructure if you go with Intune standalone and all the other cloud components like Azure Active Directory, Office 365, etc. I’ll keep adding new things to this page. This is just starting 😉

I started working with Intune in the latter part of 2012, and Microsoft Intune has evolved a lot over the years. In 2013, I started a post called “Microsoft Intune Wiki” (most of the links are outdated, but it’s worth going through if you want to see how Intune was).

We already have a Facebook group for Intune Professionals. If you would like to join the Facebook community of Intune Professionals, click here

• 63 Episodes Of Free Intune Training For Device Management Admins HTMD Blog
• Intune Training Course 2023
• Top 75 Latest Intune Interview Questions and Answers
• Top 50+ Latest SCCM Interview Questions and Answers

What is Microsoft Intune? – Intune Starter Kit a Helping Hand for the ITPros who wanted to Learn Intune

Intune is Microsoft’s enterprise mobility management (EMM) solution. The EMM provider helps manage mobile devices, network settings, and other mobile services and settings. Microsoft Intune combines Device, Application, Information Protection, Endpoint Protection (antivirus software), and Security/Configuration policy management solution (SaaS) facilitated by Microsoft in the Cloud.

Additionally, Intune has features where admins can create a “Conditional Access” policy to get access to company resources. Only Intune will provide access to company or corporate resources (corporate mail, SharePoint, etc.) if the devices meet those conditions. 

Previously, I mentioned Microsoft Intune as a lighter version of SCCM or ConfigMgr in the cloud. However, I don’t want to make it so simple this time. Intune architecture is entirely cloud-based and agile.  To get a more detailed idea about Intune (Yes, this video is old and outdated in some parts as Intune evolved along with Microsoft’s Enterprise Mobility and Security (EMS).

Read more – What is Microsoft Intune?

Management Options using Intune?

I’m going to explain this in a slightly different way. Let me know if this is confusing. We can manage devices with an Intune client agent and arguably without one. For example, Intune company portal application(s) in different app stores like Google Play and Apple Store are Intune client agents.

So, when you install the Intune company portal onto your Android or iOS devices, you are doing agent-based management. Also, the Microsoft Intune client MSI can be downloaded once you have a valid Intune subscription. You can download and install it on Windows machines that you want to manage.

I have an old post (published in Dec 2012) here to help you understand the basics of Intune MSI agent installation. Once you install the Intune MSI agent on Windows machines, Intune will “fully manage” those machines.

So, what is arguably agent-less Intune management? Within Windows 10, we have a “build—Native” MDM agent as part of the operating system. We can enrol Windows 10 devices in Intune using the “in build—Native” MDM agent. In this scenario, we must use the Intune company portal to install applications like a shopping cart.

So, the Intune company portal does not act as an Intune agent in native MDM enrolment scenarios. Native MDM-managed devices are arguably NOT fully managed devices (at this point). I’m sure this will change sooner or later. The Windows 10 in-built MDM agent can enrol your Windows 10 devices in any other MDM management software, such as VMware Airwatch, Mobileiron, etc.

• Enrolled via the Intune company portal.
• Enrolled via Installation of Intune MSI client.
• Enrolled via Windows 10 1607 and above in build Azure AD join and MDM enrolment.
• MAM without MDM enrolment.

How Do you Get an Intune Account and Start Working/Testing with Intune?

Download the Microsoft EMS step-by-step guide from here. This guide will help you get a free trial version of Office 365, Azure AD, and Intune subscription. If you already have an Azure AD (Azure AD premium) subscription, things are straightforward, as I posted in the blog here.

Suppose you don’t have an Azure AD subscription. It is better to start with an Enterprise Mobility Suite (EMS) trial account, an Azure Free Trial Account (an Azure trial account is already created as an EMS trial account), and an Office 365 free trial subscription. Creating a NEW outlook.com account and getting ready with credit card details to activate the Azure trial subscription is better for getting these trail accounts. 

Getting a trial version of Azure AD, Office 365, and Intune is very straightforward if you have never done this same process with your credit card and mobile number. Azure AD and Office 365 are prerequisites for Intune if you want to test all its features.

Note: Intune can also be signed up separately from here. If you want to test only Intune now, this is the way to go.

How to Start using Microsoft Intune Console

Once you have completed the subscription steps, you can log in to the Microsoft Intune (http://manage.microsoft.com/) portal (Silverlight is necessary for the Intune console to work). Internet Explorer with the Silverlight plugin is the best internet browser for the Intune console.

However, the Intune console will work on any internet browser that can add Silverlight as a plugin. It might even work without the Silverlight plugin, and I would love to see this soon.

How Do you Select the MDM Authority from the Intune Console?

MDM authority and management options are significant to me. Please note that you won’t be able to change it once you set MDM (Mobile Device Management) authority to Intune in the following place at the Intune console.

To change Intune MDM authority, you must raise a ticket with CSS or a service request via the Intune/Office 365 portal. So be very careful when you click on any links on the following page at the Intune console.

Quick question: Do I need to re-enrol devices if the MDM authority is changed from o365 MDM to Intune MDM? It works without re-enrolment of devices; it is just a compliance check, and everything looks okay on the device. I heard it’s supported, as both use Intune for MDM.

How to Start Managing Windows/iOS /Android Devices with Intune?

Managing Windows devices is very straightforward. Yes, Windows 10 management is very straightforward; earlier, we needed side loading and key SEP certificates to manage/deploy apps for Windows and Windows Phone devices.

Most of these certificates and sideloading essential requirements have been removed for most scenarios. Managing Android devices is also very straightforward. It takes 10 minutes to sync your Windows Store for Business and Microsoft Intune. More details are provided in the post “Integrate Windows Store for Business” here.

If you want to install store apps without using a Microsoft account, read the blog post “How to Add Apps to Business Store and Install Intune Company Portal without Using MS Account” here.

However, iOS\MAC OS device management has certificate requirements, and we need to go to the Apple portal, upload your cert for the tenant, and get the certificate for your Intune tenant.

The process for SCCM CB is explained in the following video, but the process is similar for Intune. More details here Microsoft document specifically for Intune.

How Do I Deploy MSI Applications to Windows PCs using Intune?

Like SCCM, Intune can also deploy different applications to other devices. The types of applications that Intune supports now are EXE, MSI (Windows Installer and Windows Installer through MDM), APK, IPA, XAP, and APPX—APPXBUNDLE for Windows app package and Windows Phone app package. We can make software or applications available to devices via three methods.

1. 1. Software Installer – select the type of software you want to install
2. 2. External Link – this can be used for deploying the applications in the Google Store via deep linking
3. 3. Managed iOS apps from Apps Store – this can be used to deploy the apps in the Apple Store via the deep linking method

The following post, “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune Part 1,” will help you understand the application deployment process using Intune.

Creating policies in Intune is another crucial step in configuring and managing devices through Intune. The following is the list of policies you can create and deploy via Intune.

• Configuration Policies
• Compliance Policies
• Dynamics CRM Online Conditional Access Policy
• Exchange Online Conditional Access Policy
• Exchange On-premises Conditional Access Policy
• SharePoint Online Conditional Access Policy
• Skype for Business Online Conditional Access Policy
• MAM Application Policy
• MAM Browser Policy

What is the difference between the Intune Configuration and Intune Compliance Policy? You can see similar settings in compliance and configuration policies in some cases. So, what is the exact difference? Compliance policy works with conditional access policies; however, configuration policies are independent of conditional access. Compliance policies can deploy ONLY to USERS, whereas Configuration policies can be deployed to Devices and Users.

The Following Video will Explain How to Create and Deploy Intune Compliance Policies from the Console.

Compliance policy won’t force the device to change its configuration; rather, it will wait until the device enters the compliance stage to provide access to company resources like mail/SharePoint (in case a Conditional access policy is set). The configuration policy forces the device or user to change the configuration setting mentioned in the policy (which is arguably not true in all scenarios).

What are MAM (Mobile Application Management) Policies?

Mobile Application Management policies are application-specific policies you can set up via Intune. What is the difference between configuration, Compliance policies, and MAM policies? Configuration and Compliance policies are for the entire device. It applies to everything on the device. MAM policies will be used only for the application with which it’s associated.

The following post, “How to Deploy Applications and MAM Policies to Mobile Devices Using Intune,” will guide you through deploying MAM policies to iOS or Android devices.

What is MAM without MDM enrolment (MAM WE – MAM Less MDM)?

This is another policy type in Intune. What is the difference between MAM with MDM enrolment and MAM without MDM enrolment? These are Mobile Application Management policies without enrolling in Intune. They help secure corporate data using BYOD/personal devices to access corporate mail, SharePoint, etc.

Why is the Intune option visible in the Azure portal (https://portal.azure.com/)? This is good news for SCCM/Intune admins. We are getting new features in Intune. This time, it’s Intune MAM (Mobile Application Management) without MDM enrolment.

For complete mobile device management, we must use the original Intune portal (https://manage.microsoft.com). Forums and other communities regularly asked whether Intune could coexist with MDM products like Airwatch or Mobile Iron.

How Do You Manually Add Users to the Intune Console?

How do you add users to the Intune console and provide permissions to users in the Intune console? We don’t have to do this when Intune Silverlight console is migrated to the Azure portal??

Before you try to provide service administrator access (limited roles available in Intune Silverlight console Full Access, Read-Only access, or Helpdesk—Group Node access) to users in Intune, you should make sure the administrator or server administrator user is already available in the Intune administrator console. More info here.

We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.

Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.