Managing Windows 10 devices with Microsoft Intune (2023)

Microsoft Digital is transforming the way that we manage devices for Microsoft employees. We’re embracing modern device management principles and practices to provide a frictionless, productive device experience for Microsoft employees and a seamless and effective management environment for the Microsoft Digital teams that manage these devices. We’re using Windows 10, Microsoft Intune, Azure Active Directory (Azure AD), and a wide range of associated features to better manage our devices in an internet-first, cloud-focused environment. The move to modern management has begun our transition to Microsoft Endpoint Manager, the convergence of Intune and System Center Configuration Manager functionality and data into a unified, end-to-end management solution.

Addressing the need for modern management

Microsoft Digital is responsible for managing more than 264,000 Windows 10 devices that Microsoft employees around the world use daily. Historically, our management methods have been based primarily on the network and infrastructure on which these devices reside. The corporate network has been the functional foundation of Microsoft operations for more than 30 years. Our technical past was built on Active Directory Domain Services (AD DS) and the accompanying identity and access management principles that work well within a tightly controlled and regulated on-premises network. With this model, Microsoft Digital has been able to manage devices connected within a protected and insulated digital ecosystem.

(Video) Managing Windows devices with Microsoft Endpoint Manager

However, the ways that our devices are being used have changed significantly over the past 10 years and continue to evolve. The corporate network is no longer the default security perimeter or environment for on-premises computing for many companies, and the cloud is quickly becoming the standard platform for business solutions. At Microsoft, we’ve been continually embracing this new model, engaging in a digital transformation that examines our technology and reimagines it as an enabler of greater business productivity.

As a result, the devices that our employees use are increasingly internet focused and interconnected. Our digital transformation entails removing solutions and services from the corporate network and redeploying them in the cloud on Microsoft Azure, Office 365, and other Microsoft cloud platforms.

Assessing device management at Microsoft

Our Windows devices have been managed by System Center Configuration Manager and AD DS for many years. To be our first and best customer and to support a modern device experience, we've started transitioning to Microsoft Endpoint Manager by enabling co-management with Intune and Configuration Manager. Our device management team identified several aspects of the device management experience that needed to be changed to better support our devices and users. Some of the most important aspects included:

  • Device deployment effort. Our device deployment strategy has been based largely on operating system (OS) images that are heavily customized and geared to specific device categories. As a result, we managed a large number of OS images. Each of these images required maintenance and updating as our environment and requirements changed, which resulted in Microsoft Digital employees investing significant time and effort to maintain those images.
  • Management scope. Image deployment relied primarily on a device connecting to the corporate network and the Configuration Manager and AD DS infrastructure that supported the deployment mechanisms. Devices connected outside the corporate network did not have the same experience or deployment and management capabilities as those connected to the corporate network.
  • User experience. All these issues had implications for the user experience. If an employee was connected primarily to the internet and not the corporate network, user experience suffered. Policy application and updates were not applied consistently, and many management and support tools, including remote administration, were not available. We had to implement workarounds for these employees, such as establishing virtual private network (VPN) connections back to the corporate network to facilitate more robust device management. Even with VPN, the internet-first experience was not ideal.

Moving to modern device management

To facilitate a modern device experience for our users and better support our digital transformation, we’ve begun the process of adopting modern device management for all Windows 10 devices at Microsoft. Modern device management focuses on an internet-first device connection, an agile, flexible management and deployment model, and a scalable, cloud-based infrastructure to support the mechanisms that drive device management.

(Video) Managing Corporate Devices in Microsoft Endpoint Manager Intune

Establishing internet and cloud focus

Our modern device management approach begins with and on the internet. The internet offers the most universal and widely available network for our clients. Our modern management methods are built with internet connectivity as the default, which means using internet-based management tools and methods. To enable this, we used Intune and Azure AD to create a cloud-based infrastructure that supports internet-first devices and offers a universally accessible infrastructure model.

Moving from traditional to modern with co-management

The move to modern management necessitates migrating from our traditional methods of device management rooted in Configuration Manager and AD DS. To enable a smooth transition, we decided to adopt a co-management model that enables side-by-side functionality of both traditional and modern infrastructure. This model was critical to ensuring a smooth transition and it enabled us to take a more gradual, phased approach to adopting modern management. Some advantages of the co-management model include:

  • Conditional access with device compliance.
  • Intune-based remote actions such as restart, remote control, and factory reset.
  • Centralized visibility of device health.
  • The ability to link users, devices, and apps with Azure AD.
  • Modern provisioning with Windows Autopilot.

Adopting a phased approach

We developed a phased approach to moving to modern management. This approach allowed us to adequately test and incorporate modern methods. It also enabled us to choose a transition pace that best suited our business. We outlined three primary phases:

  • Phase one: Establishing the foundation for modern management
  • Phase two: Simplifying device onboarding and configuration
  • Phase three: Moving from co-management to modern management

In each phase, we implemented one of the primary building blocks that would lead us to a fully modern, internet-first, cloud-based device management environment that supported our digital transformation and created the optimal device experience for our employees.

(Video) Enroll Windows 10 devices with Microsoft Intune Company Portal | #studywithpeter

Phase one: Establishing the foundation for modern management

We began by establishing the core of our modern management infrastructure. We determined how it would function and how we would support the transition to modern management from our traditional model. A significant portion of the overall effort was invested in phase one, which established the basis for our entire modern management environment going forward. Our primary tasks during phase one included:

  • Configuring Azure Active Directory. Azure AD provides the identity and access functionality that Intune and the other cloud-based components of our modern management model, including Office 365, Dynamics 365, and many other Microsoft cloud offerings.
  • Deploying and configuring Microsoft Intune. Intune provides the mechanisms to manage configuration, ensure compliance, and support the user experience. Two Intune components were considered critical to modern management:
    • Policy-based configuration management
    • Application control
  • Establishing co-management between Intune and Configuration Manager. We configured Configuration Manager and Intune to support co-management, enabling both platforms to run in parallel and configuring support for Intune and Configuration Manager on every Windows 10 device. We also deployed Cloud Management Gateway to enable connectivity for Configuration Manager clients back to our on-premises Configuration Manager infrastructure without the need for a VPN connection.
  • Translating Group Policy to mobile device management (MDM) policy. Policy-based configuration is the primary method for ensuring that devices have the appropriate settings to help keep the enterprise secure and enable productivity-enhancement features. We started with a blank slate, electing to forgo a lift-and-shift approach to migrating Group Policy settings into MDM policy. Instead, we evaluated which settings were needed for our devices within an internet-first context and built our MDM policy configuration from there, using Group Policy settings as a reference. This approach allowed us to ensure a complete and focused approach while avoiding bringing over any preexisting issues that might have resided in the Group Policy environment.
  • Configuring Windows Update for Business. Windows Update for Business was configured as the default for operating system and application updates for our modern-managed devices.
  • Configuring Windows Defender and Microsoft Defender Advanced Threat Protection (ATP). We configured Windows Defender and Microsoft Defender ATP to protect our devices, send compliance data to Intune Conditional Access, and provide event data to our security teams. This was a critical step, considering the internet-first nature of our devices and the removal of the closed corporate network structure.
  • Establishing dynamic device and user targeting for MDM policy. Dynamic device and user targeting enabled us to provide a more flexible and resilient environment for MDM policy application. It allowed us to start with a smaller standard set of policy settings and then roll out more specific and customized settings to users and devices as required. It also enables us to flexibly apply policies to devices if the devices move into different policy scopes.

Phase two: Simplifying device onboarding and configuration

Our process for device onboarding to modern management is relatively simple. As new devices are purchased and brought into the environment, they are deployed and managed by using the modern management model. This is our approach for the entire device-rollout process; it enables us to gradually onboard devices in a relatively controlled manner and avoid the extra effort required to create in-place migration paths for existing devices. We anticipate that this strategy will result in a complete transition to modern management within three years, according to our device purchase and refresh policies.

Simplifying with Windows Autopilot

We’re using Windows Autopilot as the vehicle for simplifying the user experience and ensuring better corporate asset management. Autopilot allows us to greatly simplify operating system deployment for our users and the Microsoft Digital employees who support the process. Autopilot provides several critical enablers to the deployment process, including:

  • Automatically join devices to Azure Active Directory.
  • Auto-enroll devices into Intune.
  • Restrict Administrator account creation.
  • Create and auto-assign devices to configuration groups based on a device's profile.
  • Simplify the out-of-box experience (OOBE) and reduce user involvement in the deployment process.

These capabilities allow us to create a simplified user experience and greatly reduce the time required for Microsoft Digital support staff to configure and deploy images to devices.

(Video) Intune to Manage local groups on Windows devices |Manage Windows 10 Local Admin accounts with Intune

Phase three: Moving from co-management to modern management

The final phase in our transition to modern management is ongoing. With our current trajectory, we estimate that 99 percent of our devices will be managed under the fully modern model within three years. We’re working within the co-management model and moving toward a fully modern-managed environment. Our next steps include:

  • Decommissioning non-modern infrastructure for Windows 10 management when Endpoint Manager and our business are ready for transition.
  • Transitioning clients from AD DS to Azure AD and moving to a 100-percent internet-first model for client connectivity.

Lessons learned

We’re still on the road to modern device management, but we’ve learned several lessons along the way. These learning experiences have helped us to better enable modern management now and prepare for the future at Microsoft. Some of the most important lessons include:

  • Build for the cloud and start fresh. We found that the extra time required to start fresh in areas like policies and deployment planning was well worth the investment. A fresh start allowed us to plan for exactly what our users and business need, rather than trying to restructure an old model to fit a new reality.
  • Go at the speed of your business. The transition to modern device management is not a one-click process. It has wide-ranging implications for an organization, and it needs to be approached intentionally and gradually. We found that large-scale, bulk migration simply didn’t provide enough benefit in relation to the effort and planning required to implement it.


Our transition to modern device management will continue over the next few years as we onboard devices and refine our Microsoft Endpoint Manager platform and methods. Microsoft Endpoint Manager gives Microsoft Digital a platform that enables simplified and efficient management and configuration for our devices in an environment that supports and drives our digital transformation. Our planned refinements to modern management will improve the user experience, reduce the time it takes to get reliable, fully functioning devices into our users’ hands, and create cost savings and greater efficiencies in device management for Microsoft Digital.

© 2022 Microsoft Corporation. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

(Video) Enroll your Windows 10 device in Microsoft Intune


Can I use Intune to manage Windows 10? ›

Microsoft Intune supports a number of distinct app types when deploying to Windows 10 and Windows 11 devices. Apps that are added to Intune can be deployed to users or devices as 'available' (optional) or 'required'.

What are the disadvantages of using Microsoft Intune? ›

  • Intune CONS :
  • * Narrow focus on mobile devices; not a full systems-management platform.
  • * Doesn't support server-side applications.
  • * Not intended for large applications.
  • * Doesn't have the feature-set to handle complex package deployments.

What is the difference between Microsoft Endpoint Manager and Intune? ›

Microsoft Intune, which is a part of Microsoft Endpoint Manager, provides the cloud infrastructure, the cloud-based mobile device management (MDM), cloud-based mobile application management (MAM), and cloud-based PC management for your organization.

Which is better SCCM or Intune? ›

Furthermore, Intune supports limited monitoring and managing of non-Windows systems. SCCM is a potent tool that can manage a variety of endpoints and has rich functionality. However, it can be complicated to work with and expensive.

Can we manage Windows device remotely using Intune? ›

Now generally available, Remote Help is a premium add-on application that works with Intune and enables your information and front-line workers to get assistance when needed over a remote connection. With this connection, your support staff can remote connect to the user's device.

Can Intune manage laptops? ›

In our last blog we focused on the mobile device management features of Microsoft Intune, but Intune can be used to manage and monitor your laptops and desktops as well.

How many devices can be managed by Intune? ›

Intune device limit restrictions set the maximum number of devices that a user can enroll (maximum setting is 15). To set a device limit restriction, sign in to Microsoft Endpoint Manager admin center.

What replaced Microsoft Intune? ›

Microsoft Intune still exists -- both in name and product -- and is now part of MEM. Even as part of Microsoft Endpoint Manager, IT administrators can still use Intune as a separate management platform for mobile device management (MDM) and unified endpoint management (UEM).

Why would a company choose to use Microsoft Intune? ›

Intune simplifies app management with a built-in app experience, including app deployment, updates, and removal. You can connect to and distribute apps from your private app stores, enable Microsoft 365 apps, deploy Win32 apps, create app protection policies, and manage access to apps and their data.

Can Intune see my browsing history? ›

Intune doesn't collect nor allow an Admin to see the following data: An end users' calling or web browsing history. Personal email. Text messages.

What devices are supported by Intune? ›

  • Android 8.0 and later (including Samsung KNOX Standard 3.0 and higher: requirements)
  • Android enterprise: requirements.
  • Android open source project devices (AOSP) supported devices. RealWear devices (Firmware 11.2 or later)
Dec 15, 2022

How do I set up device management? ›

Windows settings.

Click Windows management setup. To apply the setting to everyone, leave the top organizational unit selected. Otherwise, select a child organizational unit. Next to Windows device management, select Enabled.

Do I need an Intune license for every device? ›

The appropriate Microsoft Intune license is required if a user or device benefits directly or indirectly from the Microsoft Intune service, including access to the Microsoft Intune service through a Microsoft API.

Is Intune being replaced? ›

The rebranding Intune as Endpoint Manager initially caused some confusion because of the tools' overlap. However, companies that use Endpoint Manager now understand the full suite of capabilities available to them, said Dan Wilson, senior director analyst at Gartner.

Is Intune a MDM or MAM? ›

Microsoft Intune is a cloud-based service focusing on MDM and MAM. It can enforce policies onto devices to ensure that data does not cross organizational boundaries.

Does Intune replace SCCM? ›

What is Intune? Intune is SCCM's mobile device and application management counterpart. Unlike SCCM it is cloud native and is used to deliver software updates to mobile devices. It is part of Microsoft's Enterprise Mobility + Security (EMS) suite.

Is Intune end of life? ›

Plan for Change: Ending support for Windows 8.1

Microsoft Intune will be ending support for devices running Windows 8.1 on October 21, 2022.

What is replacing SCCM? ›

Starting in version 1910, Configuration Manager current branch is now part of Microsoft Endpoint Manager.

Is Intune free to use? ›

Trying out Intune is free for 30 days. If you already have a work or school account, sign in with that account and add Intune to your subscription. Otherwise, you can sign up for a new account to use Intune for your organization.

How do I add Windows 10 to Intune? ›

Sign in to the Azure portal, and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune. Configure MDM User scope. Specify which users' devices should be managed by Microsoft Intune. These Windows 10 devices can automatically enroll for management with Microsoft Intune.

How to setup Intune for Windows 10? ›

Deploy Intune
  1. Sign in to the Endpoint Manager admin center, and sign up for Intune. ...
  2. Set Intune Standalone as the MDM authority. ...
  3. Add your domain account, such as . ...
  4. Add users and groups. ...
  5. Assign Intune licenses to your users. ...
  6. By default, all device platforms can enroll in Intune.
Oct 12, 2022

Can you manage desktops with Intune? ›

Azure Virtual Desktop is a desktop and app virtualization service that runs on Microsoft Azure. It lets end users connect securely to a full desktop from any device. With Microsoft Intune, you can secure and manage your Azure Virtual Desktop VMs with policy and apps at scale, after they're enrolled.

How do I manually register a Windows 10 device in Intune? ›

Enroll Windows 10 version 1607 and later device
  1. Go to Start.
  2. Open the Settings app. ...
  3. Select Accounts > Access work or school > Connect. ...
  4. To get to your organization's Intune sign-in page, enter your work or school email address. ...
  5. Sign in to Intune with your work or school account.

How do I manually add a Windows device to Intune? ›

To import the file by using Intune:
  1. In the Microsoft Endpoint Manager admin center, select Devices > Windows > Windows enrollment > Devices (under Windows Autopilot Deployment Program) > Import.
  2. Under Add Windows Autopilot devices, browse to the CSV file that lists the devices that you want to add.
Nov 18, 2022

How do I know if my device is enrolled in Intune? ›

How to Confirm a Device Is Enrolled in Intune
  1. Click Start on your Windows device.
  2. Click on Settings.
  3. Click Accounts.
  4. Click Access work or school.
  5. Click Connected to MESA AD domain then click Info. Note: If the Info button does not appear on your device, your device has not been successfully enrolled.
Mar 2, 2021

What is the purpose of Microsoft Intune? ›

Microsoft Intune is a cloud-based endpoint management solution. It manages user access and simplifies app and device management across your many devices, including mobile devices, desktop computers, and virtual endpoints. You can protect access and data on organization-owned and users personal devices.

Does Intune support Windows 10 multi session? ›

Azure Virtual Desktop multi-session with Microsoft Intune is now generally available. You can now use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise multi-session remote desktops in the Microsoft Endpoint Manager admin center just as you can manage a shared Windows 10 or Windows 11 client device.

What is the difference between Intune and autopilot? ›

Autopilot lets you register devices in Intune directly when you use it to buy new hardware. With Autopilot, employees can unbox their new devices, log into their Microsoft account and have a fully setup device. Intune syncs with Autopilot and will push updates and configurations to the devices.

How does Intune communicate with devices? ›

Users "enroll" their devices, and use certificates to communicate with Intune. As an IT administrator, you push apps on devices, restrict devices to a specific operating system, block personal devices, and more. If a device is ever lost or stolen, you can also remove all data from the device.


1. S01E02 - Setting up Windows Autopilot with Microsoft Intune - (I.T)
(Intune Training)
2. How To Set Up Windows Autopilot in Microsoft Intune
(Harry Lowton)
3. Enroll Windows 10 devices into Microsoft Intune using Windows Autopilot | #studywithpeter
(Peter Kay)
4. Real World Management of Devices with Microsoft Intune and Azure Active Directory | Demo Heavy
5. Modern Windows 10 management strategies, using Configuration Manager and Microsoft Intune
(Microsoft Mechanics)
6. S01E05 - Configuring Windows Update for Business in Microsoft Intune - (I.T)
(Intune Training)
Top Articles
Latest Posts
Article information

Author: Ouida Strosin DO

Last Updated: 03/27/2023

Views: 6204

Rating: 4.6 / 5 (76 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Ouida Strosin DO

Birthday: 1995-04-27

Address: Suite 927 930 Kilback Radial, Candidaville, TN 87795

Phone: +8561498978366

Job: Legacy Manufacturing Specialist

Hobby: Singing, Mountain biking, Water sports, Water sports, Taxidermy, Polo, Pet

Introduction: My name is Ouida Strosin DO, I am a precious, combative, spotless, modern, spotless, beautiful, precious person who loves writing and wants to share my knowledge and understanding with you.