Microsoft Intune Setup Guide: Microsoft 365 Configuration – Step 9


When it comes to device configuration and onboarding, we cannot overstate the convenience of Microsoft Intune. For the 9th installment on building your Microsoft 365 tenant from scratch, we are providing a Microsoft Intune Setup Guide. We have curated in-depth instructions on how to best secure your tenant and manage devices using built-in tools.

Intune has played a transformative role in our consulting practice. Initially, the cloud-based approach of Microsoft Intune felt vastly different from the familiar world of domain-joined systems, image-based deployments, and VPN-dependent access. Intune represented a shift in mindset—from reactive management to proactive configuration and security. In addition, Intune provides a way to configure remote devices and remain compliant with centralized resources. Uniformity is possible—even for remote businesses. Note, integrated tools like Intune are also very powerful. Prior to deployment, make sure you have prepped your tenant accordingly. 

We recommend you download our Intune Checklist to audit and configure Intune in an inherited or new tenant. This checklist also includes a list of questions that we ask our clients to best understand what they currently have configured, their goals for their tenant, and how we can achieve them. 


Microsoft Intune Setup Guide: General Overview

There are many baselines that you can use to enforce device security settings within Intune. Also, there are many different ways that you can enforce and set Configuration Profiles. We have come across many Microsoft tenants that have changed hands a few times. So, we like to perform our due diligence and verify existing baseline settings. 

The instructions below are essentially what we have found to be the most methodical way of enforcing and troubleshooting settings pushed to Windows devices through Intune. 

⚠️The goal is to prevent policy conflicts between baselines already in the tenant and the profiles we create in this guide.⚠️

ℹ️Before running through the Pre-Requisites, check whether any of these baselines are already enabled in your tenant. This can save you troubleshooting headaches down the road.

Audit Existing Baseline Settings

First, navigate to Intune > click on Endpoint security > select Security baselines

Here, you should see the following baselines listed:

  • Security Baseline for Windows 10 and later – Version 23H2:
    • Release Date: October 31, 2023. This is one of the most recent updates, specifically designed for the latest Windows 10 and Windows 11 versions, ensuring up-to-date security measures.
  • Microsoft Defender for Endpoint Security Baseline – Version 24H1:
    • Release Date: Early 2024. This baseline is part of a regular update cycle and reflects the latest security practices and features available for Microsoft Defender for Endpoint.
  • Security Baseline for Microsoft Edge – Version 117:
    • Release Date: July 2024. This baseline aligns with the latest updates to Microsoft Edge and includes the newest security configurations to protect users from web-based threats.
  • Windows 365 Security Baseline – Version 24H1:
    • Release Date: Early 2024. This baseline is tailored for the Windows 365 environment. It ensures compliance with the latest security standards for cloud PC deployments.
  • Microsoft 365 Apps for Enterprise Security Baseline – Version 2306: 
    • Release Date: June 2023. This baseline covers Microsoft 365 Apps and includes settings to secure productivity apps like Word, Excel, and Outlook.

Click into each Baseline

  • First, check to see if you have created a Baseline profile.
  • Then, verify if you have Users and Devices assigned to the profile.
  • Finally, document your findings.

When you’re ready to assign all of your configuration profiles, you can go back through here and unassign the users or devices from the configured profile (if any).

Once Intune is functional and you have fully deployed it, you can come back through and delete the profiles to reduce the noise and clutter in your tenant.
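The audit above is a manual click-through. As an added example (not from the original guide), the following PowerShell script produces the same findings from Microsoft Graph so they can be documented in a CSV. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has DeviceManagementConfiguration.Read.All, and that the beta `deviceManagement/intents` and `deviceManagement/configurationPolicies` endpoints are used (classic baselines are "intents"; newer baselines are settings catalog policies created from a template, and the `templateFamily eq 'baseline'` filter is an assumption).

```powershell
# Added example: list every Intune security baseline profile and where it is assigned.
# Assumes Microsoft.Graph SDK and the DeviceManagementConfiguration.Read.All scope.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

$graph = 'https://graph.microsoft.com/beta'   # baselines are only exposed on beta (assumption)

function ConvertTo-TargetName {
    # Turn an assignment target object into a readable label.
    param($Target)
    switch ($Target.'@odata.type') {
        '#microsoft.graph.allDevicesAssignmentTarget'       { 'All devices' }
        '#microsoft.graph.allLicensedUsersAssignmentTarget' { 'All users' }
        '#microsoft.graph.groupAssignmentTarget'            { "Group $($Target.groupId)" }
        '#microsoft.graph.exclusionGroupAssignmentTarget'   { "Exclude group $($Target.groupId)" }
        default                                             { $Target.'@odata.type' }
    }
}

function Get-BaselineReport {
    param([string]$Collection, [string]$Kind, [string]$Filter = '')

    $uri = "$graph/deviceManagement/$Collection"
    if ($Filter) { $uri += "?`$filter=$Filter" }
    $profiles = (Invoke-MgGraphRequest -Method GET -Uri $uri).value

    foreach ($p in $profiles) {
        $assignments = (Invoke-MgGraphRequest -Method GET `
            -Uri "$graph/deviceManagement/$Collection/$($p.id)/assignments").value
        $targets = foreach ($a in $assignments) { ConvertTo-TargetName $a.target }

        [pscustomobject]@{
            Kind        = $Kind
            Profile     = if ($p.displayName) { $p.displayName } else { $p.name }
            Assigned    = [bool]$assignments      # True means the baseline is live
            Targets     = ($targets -join '; ')
            LastUpdated = $p.lastModifiedDateTime
            Id          = $p.id
        }
    }
}

# Classic baselines (Endpoint security > Security baselines) live under "intents".
$report  = @(Get-BaselineReport -Collection 'intents' -Kind 'Classic baseline')
# Newer baselines are settings catalog policies stamped with a baseline template family.
$report += @(Get-BaselineReport -Collection 'configurationPolicies' -Kind 'Settings catalog baseline' `
             -Filter "templateReference/templateFamily eq 'baseline'")

# Anything with Assigned = True can conflict with the profiles built later in this guide.
$report | Sort-Object Kind, Profile | Format-Table Kind, Profile, Assigned, Targets, LastUpdated -AutoSize
$report | Export-Csv -Path '.\intune-baseline-audit.csv' -NoTypeInformation
```

Run it before and after you unassign the existing profiles; the second CSV should show every baseline with Assigned = False, which is the state the rest of this guide expects.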

Pre-Requisites

For this next portion of the guide, you’ll be navigating around Entra ID. To start, navigate to entra.microsoft.com.

Verify Security Groups are Configured

If you skipped this step, go back and set up the Security Groups from step 1. These groups will tie into different policies within Intune. Once you have that completed, come back here.

Step 1: Create Security Groups

Entra > Settings > Mobility > Microsoft Intune

Verify MDM user scope

  • Set to Some and include Security Group OR Set to All

Entra > Identity > Devices > All Devices > Device Settings

Microsoft Entra join and registration settings

  • Users may join device to Entra: All
  • Require MFA to register or join devices with Entra: Set to No 
  • Maximum number of devices per user: 20 (recommended)

Local administrator settings

  • Global administrator role is added as local admin on device during Entra join: Set to Yes
  • Registering user is added as local admin on device during Entra join: Company-dependent
  • Enable Entra Local Admin Password Solution (LAPS): Company-dependent

Other settings

  • Restrict users from recovering BitLocker keys for their owned devices: Company-dependent

Entra > Identity > Devices > All Devices > Enterprise State Roaming

  • Users may sync settings and app data across devices: Set to All

Next, we are going to audit a few settings inside of Intune for the next stage of configuration.

For this next portion of the guide, you’ll be navigating around Intune. Navigate to intune.microsoft.com to start.

Intune > Tenant admin > Windows autopatch

By default, this setting is disabled. If you meet the prerequisites for Autopatch, you can enable it by selecting the checkbox on the agreement prompt and clicking Agree.

If you do not meet the management settings requirements, you will see a Not ready status, with details on how to meet each readiness check.

  • Reasons for not meeting readiness:
    • Licensing: you don't have all the licenses you need to use Windows Autopatch
    • Advisory: co-management workloads (if the tenant is co-managed)
    • Update rings: update rings for Windows 10 or later

Windows Autopatch will automatically create the following Configuration Profiles:

  • Update rings
  • Feature updates
  • Driver updates

It also creates its own Security Groups.

To use the Autopatch policies, you'll need to assign devices to the groups that Autopatch created OR you can use the security groups that you created at the beginning of this documentation.

Intune > Tenant Admin > Connectors and tokens

Windows data

  • By default, these two settings are off. 
  • Enable both the Windows data setting and the Windows license verification and click Save to save changes. 


Intune > Devices > Device onboarding > Enrollment

Start by going to Intune > Devices > Device onboarding > Enrollment > Automatic Enrollment

  • Verify MDM user scope is set to Some and include Security Group OR Set to All

Go to Intune > Devices > Device onboarding > Enrollment > CNAME Validation

  • Input the primary domain name and test. The CNAME should come back with a green check mark. If it does not, you have not yet configured the DNS records Intune needs for enrollment.
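The portal's CNAME validation only tests one domain at a time. As an added example (not from the original guide), the following PowerShell function resolves the two enrollment CNAMEs for each verified domain. The expected targets are Microsoft's documented values: `enterpriseenrollment-s.manage.microsoft.com` for MDM auto-enrollment (the record the portal checks) and `enterpriseregistration.windows.net` for Entra device registration. The `contoso.com` domain list is a constructed sample.

```powershell
# Added example: check the DNS CNAME records that Intune auto-enrollment relies on.
# Expected targets are Microsoft's documented values; $domains is a constructed sample.
$domains = @('contoso.com')   # replace with the tenant's verified domains

$expected = @{
    'enterpriseenrollment'   = 'enterpriseenrollment-s.manage.microsoft.com'   # MDM discovery
    'enterpriseregistration' = 'enterpriseregistration.windows.net'             # Entra device registration
}

function Test-IntuneCname {
    param([Parameter(Mandatory)][string]$Domain)

    foreach ($label in $expected.Keys) {
        $fqdn = "$label.$Domain"
        try {
            # Ask only for the CNAME record; Resolve-DnsName may also return the A records it chases.
            $answer = Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction Stop |
                      Where-Object { $_.QueryType -eq 'CNAME' } |
                      Select-Object -First 1
            $actual = $answer.NameHost
        } catch {
            $actual = $null   # NXDOMAIN or no CNAME present
        }

        [pscustomobject]@{
            Record   = $fqdn
            Expected = $expected[$label]
            Actual   = $actual
            Ok       = [bool]($actual -and ($actual.TrimEnd('.').ToLowerInvariant() -eq $expected[$label]))
        }
    }
}

$domains | ForEach-Object { Test-IntuneCname -Domain $_ } | Format-Table -AutoSize
```

A row with Ok = False and Actual empty means the record is missing at the public DNS host; a row with a different Actual usually means a stale record from a previous MDM vendor, which is worth documenting during the tenant audit.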

Also in Intune > Devices > Device onboarding > Enrollment, click Device platform restriction

  • Review Device type restrictions for All users for Windows > Properties 
  • This is where you can block/allow Personally owned devices across operating systems

Navigate to Intune > Devices > Device onboarding > Enrollment > Device limit restriction

  • Review Device limit restrictions for All users and devices > Properties 
  • Increase the limit to 15 (or something reasonable for your users)

And finally, in Intune > Devices > Device onboarding > Enrollment, click on Enrollment notification

  • Click + Create notifications
  • Name: You’ve enrolled a new device
  • Platform: Windows
  • Notification Settings
    • Send Email Notifications is On
    • Subject: You’ve enrolled a new device
    • Message: You’ve enrolled a new device
    • Show device details is On
    • Show company name is On
    • Show contact information is On
    • Assign All Users

Now, whenever one of your users enrolls a device in Intune, they will receive this notification. If a device is enrolled in their name without their knowledge, they can report the device from the email they received.

Intune > Devices > Device onboarding > Enrollment > Windows Hello for Business

  • Configure Windows Hello for Business: Not configured
  • Use security keys for sign-in: Not configured

Intune > Devices > Manage devices > Group Policy analytics

Audit Group Policies (GPOs): some customers will know immediately which GPOs are important and which are default policy settings; others might need you to do that legwork for them.

Intune > Devices > Manage devices > Compliance

Intune > Devices > Manage devices > Compliance > Notifications

Click + Create notification

Name: Device is non-compliant

Header and footer settings

  • Show company logo: Enable
  • Show device details: Enable
  • Show company name: Enable
  • Show contact information: Enable

Notification message templates

Locale: English (United States)

Subject: Review Device Compliance Status

Message:

Hello,

We have detected that your device does not currently meet our organization's compliance requirements. To ensure continuous access to company resources, please follow these steps:

  • Open the Search app on your machine and type Access work or school account.
  • Click Access Work or School.
  • Click the drop-down arrow by your email address.
  • Click Info.
  • Under Device sync status, click Sync.
  • Reboot your machine.

If you need assistance, please contact our IT team for support.

Thank you for your cooperation.

Best regards,

Set to default locale is True
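The steps in that message (Access work or school > Info > Sync) are the user-facing way to force an MDM check-in. As an added example (not from the original guide), the script below is the technician-side equivalent: it parses `dsregcmd /status` to confirm the device is Entra joined and enrolled, then triggers the same sync by starting the MDM client's scheduled task. It assumes Windows 10/11 with `dsregcmd.exe`, an elevated session, and that the enrollment task is named `PushLaunch` under `\Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\` (the task name is an assumption based on how the MDM client registers it).

```powershell
# Added example: confirm join/enrollment state and force an MDM sync on a non-compliant device.
# Assumes dsregcmd.exe (Windows 10/11), an elevated session, and the PushLaunch task (assumption).

function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : Value" lines inside boxed sections; collect them.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined']   # YES when Entra joined
        DomainJoined  = $state['DomainJoined']
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
        MdmUrl        = $state['MdmUrl']          # empty when not enrolled in Intune
    }
}

function Start-MdmSync {
    # The MDM client registers a "PushLaunch" task per enrollment; starting it forces a
    # check-in, which is what the Sync button in Settings does (assumption: task name).
    $task = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
            Select-Object -First 1
    if (-not $task) { throw 'No MDM enrollment task found; the device does not appear to be enrolled.' }
    Start-ScheduledTask -InputObject $task
    "Sync requested via $($task.TaskPath)$($task.TaskName)"
}

$join = Get-DeviceJoinState
$join | Format-List

if ($join.AzureAdJoined -ne 'YES') {
    Write-Warning 'Device is not Entra joined; it needs to be joined and enrolled, a sync will not help.'
} elseif (-not $join.MdmUrl) {
    Write-Warning 'Entra joined but no MDM URL: the device is not enrolled in Intune.'
} else {
    Start-MdmSync
}
```

If the device reports an MDM URL but stays non-compliant after the sync and a reboot, the problem is the compliance policy evaluation itself, not the check-in, and the device's compliance report in Intune will name the failing setting.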

Intune > Devices > Manage devices > Device categories

Create the following device categories: 

  • Employee / Internal 
  • Contractor / External 
  • Vendor / External

Intune > Devices > Organize devices > Device clean up rules

  • Delete devices based on last check-in date:
  • Delete devices that haven't checked in for this many days (30-270):

⚠️For any device that is deleted, the user account associated with that device will not be able to log in on it. You may need to factory reset the device via USB or another mechanism so it can function once more.⚠️
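Because a clean-up rule deletes silently, it is worth previewing what it would remove first. As an added example (not from the original guide), the script below lists every managed device whose last check-in is older than the chosen threshold and flags users whose only devices are in that list, since those are the people who would be locked out. It assumes the Microsoft.Graph.DeviceManagement module, the DeviceManagementManagedDevices.Read.All scope, and a constructed 90-day threshold inside the rule's 30-270 day range.

```powershell
# Added example: dry run of an Intune device clean-up rule before enabling it.
# Assumes Microsoft.Graph.DeviceManagement and DeviceManagementManagedDevices.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$Days   = 90                                                # constructed threshold (rule range is 30-270)
$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$Days)

$all = Get-MgDeviceManagementManagedDevice -All

# Devices the rule would delete: last sync older than the cutoff.
$stale = $all |
    Where-Object { $_.LastSyncDateTime -and $_.LastSyncDateTime -lt $cutoff } |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, ComplianceState, Id,
                  @{ n = 'LastSync';         e = { $_.LastSyncDateTime } },
                  @{ n = 'DaysSinceCheckIn'; e = { [int]($now - $_.LastSyncDateTime).TotalDays } }

"$($stale.Count) device(s) have not checked in for $Days+ days and would be removed:"
$stale | Sort-Object DaysSinceCheckIn -Descending | Format-Table -AutoSize

# Users for whom every enrolled device is stale: deleting leaves them with no working device.
$staleIds = @($stale | ForEach-Object { $_.Id })
$atRisk = $all |
    Where-Object { $_.UserPrincipalName } |
    Group-Object UserPrincipalName |
    Where-Object { ($_.Group | Where-Object { $_.Id -notin $staleIds }).Count -eq 0 } |
    Select-Object @{ n = 'User'; e = { $_.Name } }, @{ n = 'StaleDevices'; e = { $_.Count } }

"$($atRisk.Count) user(s) would be left with no active device:"
$atRisk | Format-Table -AutoSize

$stale | Export-Csv -Path ".\stale-devices-$Days-days.csv" -NoTypeInformation
```

Review the CSV with the business owner before setting the rule's day count; a long-running contractor laptop that sits in a drawer is exactly the kind of device that shows up here.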
