Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Enroll devices and manage with Microsoft Intune device management

  • February 2, 2022
  • 16 min read
Cloud and Virtualization Architect. Brandon has over 20 years of experience across multiple sectors. He is responsible for the creative and technical content direction at virtualizationhowto.com
Cloud and Virtualization Architect. Brandon has over 20 years of experience across multiple sectors. He is responsible for the creative and technical content direction at virtualizationhowto.com


Organizations worldwide are aligning their infrastructure, services, and processes with cloud-native technologies. But, as the global pandemic quickly showed, relying on legacy on-premises solutions creates challenges for today’s hybrid workforce. For example, it includes the ability to provision and manage end-user workstations.

Traditional workflows used workstation images to load the Windows operating system and applications. IT admins then used Active Directory Group Policy to apply the policy configurations needed to control governance and what users can and can’t do. With the shift to the hybrid workforce, these approaches are no longer practical. Microsoft Intune provides a modern, cloud-native approach to managing, configuring, and applying configuration policies to workstations as part of Microsoft Endpoint Manager.

Traditional workstation management is no longer effective

Why is traditional workstation management no longer effective in today’s hybrid workforce? Traditional workstation and endpoint policy management technologies rely on legacy architecture for their functionality. It means these depend on the fact that workstations exist on the same network as the solutions controlling them.

In previous years, end-users drove into the corporate office campus and used workstations and laptops directly connected to the corporate network. Now that the workforce landscape has shifted to a hybrid configuration with many employees working remotely, the infrastructure requirements of these legacy solutions no longer apply.

What are the legacy solutions used in the enterprise today? For example, IT Admins may currently use solutions such as the following:

  • Windows Deployment Services (WDS) is typically used to image Windows clients and Windows Servers for deployment. IT admins typically create special “images” for different roles or use cases and install the appropriate image for the specific use of the client or server.
  • Windows Server Update Services (WSUS) – Windows Server Update Services is used to deploy Windows Updates to both end-user clients and Windows Servers in the enterprise datacenter. WSUS provides an interface enabling IT admins to approve Windows Updates for clients and servers and have those endpoints connect to the WSUS server to pull down the updates instead of communicating directly with Microsoft Windows Updates Services on the Internet.
  • Group Policy – Microsoft Active Directory Domain Services (AD DS) Group Policy is the traditional way that enterprise organizations enforce policies for users and computers. Group Policy requires line of sight access to a domain controller.

While the tools listed above are still very powerful in the enterprise, they are no longer adequate exclusively to provide the solutions businesses need today, supporting a very hybrid workforce.

Microsoft Endpoint Manager and Microsoft Intune

Microsoft Endpoint Manager is a cloud-based solution that provides the framework and tools to provision, manage, and secure end-user clients. However, it is not limited to PCs. Businesses can manage and monitor desktop computers, virtual machines, mobile devices, embedded devices, and even servers.

Microsoft Intune falls under the umbrella of Microsoft Endpoint Manager, as do other familiar Microsoft solutions such as the legacy Configuration Manager and Windows Autopilot. So, let’s key in further on Microsoft Intune and precisely what it is.

The Microsoft Intune solution provides two key capabilities for the enterprise. These capabilities include:

  • Mobile device management (MDM)
  • Mobile application management (MAM)

With the capabilities provided by Microsoft Intune, organizations can control many types of devices, including Android, Ios/IPadOS, macOS, and Windows 10 & 11 devices. As expected, Microsoft Intune has native integration with other Microsoft cloud-based solutions, including Azure Active Directory (Azure AD), the Microsoft Defender suite of solutions, and many others.

Microsoft is still providing on-premises interoperability

Like most technology solutions, Microsoft Intune will not totally replace all legacy tools, at least for now. Some capabilities are found in legacy on-premises Active Directory solutions that are not found yet in Microsoft Intune. For example, there is not yet feature parity with Microsoft Intune configuration profiles and Active Directory Domain Services Group Policy.

However, most businesses today are moving forward with a hybrid cloud strategy, still utilizing on-premises tools but heavy on cloud-based solutions. It allows taking advantage of the best of both worlds and using the right tool for the job. In the world of end-user clients and the hybrid workforce, cloud-based solutions make the most sense. They remove the barrier and challenges of network connectivity to the legacy solutions housed on-premises.

Microsoft is still leaving the door open to interoperability with the new cloud-based approach and on-premises technologies. Let’s look at a couple of examples of this being the case.

  • Microsoft Endpoint Configuration Manager – As part of the Microsoft Endpoint Manager product portfolio, Configuration Manager is an on-premises management solution. Configuration Manager allows configuring endpoints, servers, and laptops as part of the corporate network. In addition, Microsoft now has cloud-enabled Configuration Manager, allowing it to natively connect to the Intune cloud service and use Azure Active Directory (Azure AD), Microsoft Defender solutions, and other Microsoft cloud services.
  • Co-management – Microsoft has coined a term they are tossing around called “Co-management.” With co-management, organizations can choose which solution best meets their needs for managing and configuring end-user clients, either Intune or Configuration Manager.
  • The Intune Connector for Active Directory – Microsoft has created an Intune Connector for Active Directory Domain Services, allowing it to add entries to your on-premises Active Directory Domain Services environment for computers you enroll using Autopilot.

Enroll devices and manage with Microsoft Intune

There are essentially a couple of ways to enroll a device with Microsoft Intune. Consider the example of enrolling a Windows 10 client PC with Microsoft Intune. Let’s look at the following two ways to enroll a client with Microsoft Intune:

  • Windows Autopilot – The Windows Autopilot solution provisions new devices and applies Intune configurations automatically to get the new devices ready for use. It includes a collection of technologies that can pre-configure, reset, repurpose, and recover devices.

The Windows Autopilot lifecycleThe Windows Autopilot lifecycle

– In this way, IT admins can perform zero-touch provisioning, using the capabilities of Microsoft Intune applied with the Windows Autopilot provisioning engine.

  • Company Portal App – The Company Portal App allows an end-user to access sanctioned business-critical resources as part of Microsoft Intune and simplifies the tasks needed for remote work access. It includes:

– Enrolling your device to access corporate resources

– Receiving company-issued certificates by signing into the Company Portal

– Taking advantage of single-sign-on (SSO)

– Installing approved apps from the IT department or Microsoft Store

– Manage your enrolled devise, including performing remote wipe if they are lost or stolen

– Receive help from the IT department

Viewing the Company Portal App in the Microsoft StoreViewing the Company Portal App in the Microsoft Store

Provision business applications using Microsoft Intune

One of the great features of using Microsoft Intune is providing business applications to end-users. Instead of IT or the Helpdesk needing physical access to an end-user client or remote desktop access, using Microsoft Intune, applications can simply be assigned and provisioned to Intune managed devices.

Adding a Windows app in Microsoft Endpoint ManagerAdding a Windows app in Microsoft Endpoint Manager

IT admins have a wide range of choices they can make to provision applications on Microsoft Intune-enrolled devices, including custom Windows app (Win32) applications.

Select apps for installation in Microsoft Endpoint ManagerSelect apps for installation in Microsoft Endpoint Manager

Microsoft 365 apps can be easily assigned and provisioned on remote client PCs.

Assigning Microsoft 365 apps in Microsoft Endpoint ManagerAssigning Microsoft 365 apps in Microsoft Endpoint Manager

Endpoint Security, governance, and configuration profiles

Another area where cloud-based management shines is the ability to control and have visibility to the security posture of end-user clients used by the hybrid workforce. No matter where devices are located or which network they connect to, Microsoft Endpoint Manager’s Endpoint security helps to give IT admins visibility and control over the security settings, governance, and configuration profiles for remote devices.

Note the tools available in Endpoint Security:

  • Security baselines
  • Security tasks
  • Antivirus management
  • Disk encryption controls
  • Firewall configuration
  • Endpoint detection and response
  • Attack surface reduction
  • Account protection
  • Device compliance
  • Conditional access

Microsoft Endpoint Manager Endpoint Security optionsMicrosoft Endpoint Manager Endpoint Security options

In addition to specific security configuration control in Microsoft Endpoint Manager, the Devices blade in the Microsoft Endpoint Manager admin center provides access to tools, including:

  • Compliance policies
  • Conditional access
  • Configuration profiles
  • Scripts
  • Group Policy analytics
  • Update rings for Windows 10 and later
  • Feature updates for Windows 10 and later
  • Quality updates for Windows 10 and later
  • Update policies for iOS/iPadOS
  • Enrollment restrictions
  • eSIM cellular profiles
  • Policy sets

Features such as the compliance policies, conditional access, and configuration profiles provide organizations with powerful “Group Policy-like” tools that allow controlling what users and computers can and can’t do, enforce governance, and set conditions that must be met for corporate access.

Organizations can also use the “Update” functionality listed to control Windows Updates across the board, effectively allowing a cloud-based solution that can augment or replace legacy solutions like Windows Server Update Services (WSUS).

Microsoft Endpoint Manager Device toolsMicrosoft Endpoint Manager Device tools

Wrapping Up

Microsoft Endpoint Manager, including Microsoft Intune, provides a robust set of cloud-based tools, allowing organizations to meet the hybrid workforce’s challenges effectively. In addition, Microsoft offers multiple ways to enroll devices in Microsoft Intune and several continuing integrations between cloud-based tools and on-premises technologies.

As shown, Microsoft Endpoint Manager provides a myriad of capabilities for managing Microsoft Intune-enrolled devices. These include security, governance, configuration enforcement, and tools to manage other lifecycle tasks such as Windows Updates. As businesses continue to support the hybrid workforce and use cloud-based solutions, Microsoft Intune device management will remain a great tool to empower companies to meet the challenges of remote work.

Hey! Found Brandon’s article helpful? Looking to deploy a new, easy-to-manage, and cost-effective hyperconverged infrastructure?
Alex Bykovskyi
Alex Bykovskyi StarWind Virtual HCI Appliance Product Manager
Well, we can help you with this one! Building a new hyperconverged environment is a breeze with StarWind Virtual HCI Appliance (VHCA). It’s a complete hyperconverged infrastructure solution that combines hypervisor (vSphere, Hyper-V, Proxmox, or our custom version of KVM), software-defined storage (StarWind VSAN), and streamlined management tools. Interested in diving deeper into VHCA’s capabilities and features? Book your StarWind Virtual HCI Appliance demo today!