Field-tested Intune engineering for iOS, Android, Windows, and MacOS: 373 deep-dive guides, four open-source toolboxes, and the failure modes the official docs don’t mention — written and maintained by working endpoint engineers.
373 guides4 platforms144 open-source tools311 official Microsoft links
Pick a platform to enter its library — the menus, guides, search defaults, and scripts all follow your choice. Switch any time from the selector at the top of the page.
Intune endpoint automation, PowerShell tooling, and Graph-native engineering — with contract engineers available for your fleet. Built by the same hands that maintain these guides.
Senior endpoint engineer by day, with two decades of scripting experience and 50,000+ endpoints managed across my career. I built everything on IntuneNerds myself — the guides, the Intune Simulator, the Decision Center, and the MD-102 Study Lab below.
Begin your journey with easy navigation and comprehensive guides for every platform you manage with Microsoft Intune.
Starting is pretty easy. Just navigate the sidebar menu on the left and scroll through the content you are interested in. But let's see how you can get the most value out of the guides.
Note
IntuneNerds isn't here to compete with the communities you already trust — the Slack workspaces, the Discords, the MVP blogs. It exists for the layer those formats can't hold: long-form, maintained engineering guides for every platform, with the failure modes written down next to the happy paths.
Get the Most out of the Content
As you can see on the left, there are multiple topics covering the platform you have selected — switch platforms at the top of the sidebar and the entire site follows. The goal is to add a short overview, a guide to configure the setting or policy, as well as insights based on real-world experiences that are not documented anywhere else, e.g., Microsoft Docs.
Navigating the Site
Sidebar Menu: Use the sidebar menu on the left to quickly find the topics you are interested in.
Search Functionality: Use the search bar at the top to find specific guides, tools, or best practices.
Types of Content Available
Guides: Step-by-step instructions on how to set up and configure enrollment, policies, and apps.
Scripts: Ready-to-use Microsoft Graph automation to manage your fleet at scale, straight against the same API the console uses.
Best Practices: Recommendations based on industry standards and real-world experiences.
Insights: Unique insights and tips that you won't find in official documentation, shared by community members.
Thanks for using IntuneNerds — built to make endpoint administration with Microsoft Intune easier and more reliable.
Home
About
IntuneNerds — built and maintained by Tom Ward, solely sponsored by Cloud Forge Automation.
IntuneNerds is written, built, and maintained by Tom Ward — Co-Founder & Principal Architect at Cloud Forge Automation. It's a one-person project: every guide, the Decision Center, the Intune Simulator, and the MD-102 Study Lab are built and tested by the same hands that run real production fleets.
Cloud Forge Automation is the sole sponsor of IntuneNerds — Intune endpoint automation, PowerShell tooling, and Graph-native engineering, with contract engineers available for your fleet.
Home
Feedback
Tell us what's working, what's missing, and what you want to see next on IntuneNerds.
We want this site to be the place you check before you build anything in Intune. That only works if you tell us what's missing.
Ways to Reach Us
LinkedIn: The fastest way — message Tom Ward with content requests, corrections, or bugs.
Cloud Forge Automation: For engagements and open-ended questions, reach out via cloudforgeautomation.com.
What Helps Most
Which guide you were reading and what was unclear or out of date.
The Intune service release and device OS version where behavior differed from the guide.
Topics you searched for and didn't find.
Home
Changelog
What's new on IntuneNerds.
June 2026 — Initial release 🎉
IntuneNerds is live. The site launches complete rather than aspirational: 373 deep-dive guides across four platform libraries, written and tested by working endpoint engineers, with the failure modes documented next to the happy paths. Pick your platform at the top of the page and the entire site — navigation, search, and every guide — follows your selection.
🚀 Four complete platform libraries — every guide written platform-pure for the fleet you actually manage, with explicit prerequisites, step-by-step processes, and verification on every procedure.
🧪 Intune Simulator — a full, browser-based replica of the Microsoft Intune admin center that runs entirely on your device. Generate a tenant of users and devices, build dynamic groups with real query logic, deploy configuration profiles, apps, compliance, and Endpoint security, then advance time to watch check‑ins, compliance drift, and queued device actions land. Nothing touches a real tenant — the safe place to learn the console before you click in production.
⚙️ Graph API Automation — a production PowerShell script library (inventory reports, bulk actions, license audits, connector health) and a snippets collection built to copy, adapt, and ship.
🔎 The site itself — platform-scoped navigation and search (Ctrl/Cmd+K), per-page contents, prev/next reading chains, dark and light themes, and a single fast page that works offline once loaded.
From here, every change to the library lands on this page.
Start Here
Learning Path
A 30/60/90-day roadmap from zero to competent endpoint engineer — with platform-specific milestones that adapt to your fleet.
Endpoint management rewards structured learning: the concepts stack, and the order matters. This path takes you from nothing to genuinely competent in ninety days of consistent effort — read, then build, then break, in that loop, every week. The spine is universal; the milestones below adapt to the platform selected.
Days 1–30FoundationsLab built, first devices enrolled — goal: explain enrollment-to-policy flow on a whiteboard
Days 31–60DepthYour platform's hard topics plus a first Graph script — goal: three failures diagnosed to root cause
Days 61–90Production thinkingRings, RBAC, change discipline — goal: defend a design decision to a skeptical room
Days 1–30 — Foundations. Understand what MDM actually is, build your lab, enroll your first devices, and learn the tenant's anatomy: groups, filters, profiles, apps, compliance. Goal: you can explain enrollment-to-policy flow on a whiteboard.
Days 31–60 — Depth. Pick your platform's hard topics and go deep; ship your first Graph script; break things in the lab on purpose and fix them with the troubleshooting pages. Goal: you've diagnosed three failures to root cause.
Days 61–90 — Production thinking. Rings, RBAC, change discipline, reporting rhythms, and the architecture corner. Goal: you can defend a design decision to a skeptical room.
Certifications: MD-102 (Endpoint Administrator) covers the Intune fundamentals this path builds on, and Apple's own deployment and management training deepens the platform track you just walked.
Certifications: MD-102 (Endpoint Administrator) covers the Intune fundamentals this path builds on, and Google's Android Enterprise training academy deepens the platform track you just walked.
Certifications: MD-102 (Endpoint Administrator) maps almost one-to-one onto this track — if any badge is worth the exam fee here, it's this one.
Certifications: MD-102 (Endpoint Administrator) covers the Intune fundamentals this path builds on, and Apple's own deployment and management training deepens the platform track you just walked.
The single highest-leverage habit on this path: write down every failure you diagnose — symptom, wrong guesses, root cause. Ninety days of that document is worth more in an interview than any certification, because it's proof you've actually operated.
The device-health rulebook whose verdict feeds Conditional Access
Dynamic group
Entra group whose membership a rule calculates — powerful, but lags. Cookbook
Entra ID
Microsoft’s cloud identity platform — where devices register and Conditional Access decides
Graph API
The REST API behind every console blade; the automation surface for all of Intune. Quickstart
LOB app
Line-of-business app — your organization's own application package, deployed directly rather than from a public store
MDM
Mobile Device Management — the management protocol channel each platform exposes to Intune
MTD
Mobile Threat Defense — risk engines (Defender, third-party) feeding compliance
SCEP
Simple Certificate Enrollment Protocol — how devices request identity certs
Scope tag
Intune RBAC boundary controlling which objects an admin sees. Guide
Settings Catalog
Intune's per-setting policy surface for every platform
Conditional launch
App Protection Policy checks (min OS, jailbreak/root, app version) that block or wipe app data at launch when conditions fail — part of MAM enforcement.
Configuration profile
Device configuration policy that pushes managed settings (Wi-Fi, VPN, certs, restrictions) to enrolled devices — distinct from app and compliance policy.
Token Protection
Conditional Access control that cryptographically binds a sign-in token to a specific device, blocking token theft and replay.
Primary user
The user tied to a device record; drives user-targeted policy, licensing, and the Company Portal experience.
Selective wipe / Retire
Removes only corporate data, apps, and policies from a device while leaving personal data intact — the BYOD off-boarding action.
Enrollment restriction
Tenant policy controlling which platforms, ownership types, and how many devices a user may enroll.
Device Enrollment Manager (DEM)
Special account allowed to enroll many devices (up to 1,000) without per-device user affinity — for shared and kiosk fleets.
Cloud PKI
Intune Suite service hosting a managed certificate authority and SCEP RA in the cloud — removing on-prem AD CS, NDES, and the cert connector.
Device category
Admin-defined label users pick at enrollment (or admins assign) that can drive automatic dynamic-group membership and targeted policy.
Endpoint analytics
Intune reporting on startup performance, app reliability, and remediations, rolled up into an org-wide endpoint experience score.
iOS & iPadOS Terms
Term
Meaning
ABM
Apple Business Manager — Apple's org portal for devices, app licensing, and Managed Apple Accounts. Guide
Apple device state unlocking the full management surface — set at ADE/Configurator enrollment, never retrofittable without a wipe
Setup Assistant
The out-of-box flow where ADE takes hold
Token (ADE/server)
The .p7m trust bond between an ABM MDM server entry and Intune
VPP
Volume Purchase Program — now "Apps & Books"; device-based app licensing. Guide
Web clip
A managed home-screen icon pointing at a URL. Guide
Account-Driven User Enrollment
BYOD iOS enrollment where the user signs into Settings with a Managed Apple Account; walls off work data on a managed volume. Replaces profile-based UE.
Account-Driven Device Enrollment
Corporate enrollment where the user signs in with a Managed Apple Account in Settings to fully enroll a device, without ADE/ABM token assignment.
User Enrollment (UE)
Apple's privacy-preserving BYOD mode separating work apps/data from personal; admins can't wipe the device, see personal apps, or read the serial.
Device Enrollment (Apple)
Standard MDM enrollment via Company Portal for org-owned or personal devices — broader than User Enrollment, narrower than supervision.
Managed Apple Account federation
Linking ABM/ASM to Entra ID so users sign in with corporate creds and Managed Apple Accounts auto-provision — no manual Apple ID creation.
Software Update Enforcement (DDM)
Declarative policy that autonomously installs a target OS by an enforced deadline on supervised devices; replaces the deprecated MDM update commands.
Managed Software Updates
Intune's update model built on Apple DDM that schedules OS updates with deferral windows and deadlines for iOS/iPadOS.
Status Channel (DDM)
Declarative mechanism where the device proactively reports state (installed apps, OS, declaration status) to MDM instead of being polled.
Configuration (DDM)
A declaration type in Declarative Device Management that applies settings, gated by Activations and able to reference Assets — replacing many mobileconfig payloads.
Managed Device Attestation
Apple feature using the Secure Enclave to cryptographically prove a device's identity/integrity to MDM and ACME, hardening cert issuance.
ACME
Automated Certificate Management Environment — Apple's attestation-backed cert enrollment that hardens device-identity certs versus legacy SCEP.
Managed Open-In
Data-flow controls (Open-In and managed pasteboard) that restrict opening or pasting work documents only into managed apps and accounts.
Managed app configuration
Key-value settings Intune pushes to managed apps over the MDM AppConfig channel, pre-configuring apps like Edge or Outlook at deploy.
Shared iPad
Supervised, ABM-enrolled iPad mode letting multiple users sign in with Managed Apple Accounts to separate, cloud-backed partitions on one device.
Lost Mode (Managed)
MDM command that remotely locks a supervised device, shows a custom message, suppresses use, and can report the device's location.
MDM commands (supervised)
Remote actions on supervised devices — e.g. ClearPasscode, RestartDevice, ShutDownDevice, EraseDevice — issued from Intune.
Android Terms
Term
Meaning
AE
Android Enterprise — Google's management framework; the only modern way to manage Android. Overview
Windows Hello for Business — device-bound passwordless credential. Guide
WUfB
Windows Update for Business — rings, deadlines, feature-update pinning. Guide
Device Preparation (Autopilot)
The newer, simpler Autopilot replacement that provisions devices via enrollment-time grouping and a device-prep profile — no hardware-hash pre-registration.
Security baselines
Preconfigured, Microsoft-recommended groups of hardened settings (Windows, Defender, Edge) you deploy as a profile and track drift against.
OMA-URI / custom profile
A manually specified CSP path (Open Mobile Alliance URI) in a custom profile, used to set values Intune's UI doesn't expose natively.
EPM (Endpoint Privilege Management)
Intune Suite add-on letting standard users run approved apps elevated via rules — removing the need for permanent local admin rights.
MSIX / App attach
Modern Windows app package format; App attach dynamically mounts MSIX apps in AVD/Windows 365 rather than installing them into the image.
Enterprise App Catalog
Intune-curated, prepackaged Win32 apps (Microsoft-hosted) you add and auto-update without manually wrapping installers into .intunewin files.
Driver & firmware updates
Windows Update for Business policy in Intune that approves or defers OEM driver and firmware updates delivered through Windows Update.
Feature & quality update profiles
WUfB policies that pin a target Windows feature version and control deferrals/deadlines for monthly quality (security) updates.
Expedited updates
WUfB capability to rapidly force a specific critical/zero-day security update on an accelerated timeline, bypassing the normal deferral rings.
Update ring
Policy grouping devices into deferral/phasing tiers (e.g. pilot vs. broad) to stage feature and quality update rollout.
BitLocker encryption report
Endpoint-security disk-encryption policy plus Intune reporting of per-device BitLocker status and recovery keys escrowed to Entra ID.
WUfB-DS
Windows Update for Business deployment service — the backend (used by Autopatch and update rings) that schedules, rolls out, and monitors update content.
Automatic MDM enrollment
Auto-enrollment triggered when a device Entra-joins, configured via the Entra MDM scope so corporate devices enroll into Intune automatically.
Custom compliance
Admin-authored script plus JSON rules that extend compliance evaluation to settings Intune doesn't natively check.
Tamper protection
Defender feature, manageable from Intune, that stops apps or users (even local admins) from disabling antivirus, real-time protection, or core security settings.
Account protection / Credential Guard
Endpoint-security policies hardening sign-in; Credential Guard uses virtualization-based security to isolate secrets and block credential theft.
MacOS Terms
Term
Meaning
ADE (Mac)
Automated Device Enrollment — supervised, wipe-persistent Mac enrollment. Guide
Bootstrap token
Escrowed authorization for deep operations on Apple silicon. Guide
Custom attribute
Script output as a per-device inventory column. Guide
FileVault / PRK
Disk encryption and its escrowed personal recovery key. Guide
Installomator
Community label-driven installer for hundreds of Mac apps. Guide
Managed login items
The payload that pins agents on and greys the user's off switch. Guide
MAU
Microsoft AutoUpdate — Office/Defender update channels on Mac. Guide
PKG / DMG app types
Intune's installer-package and drag-drop app delivery lanes. Guide
Platform SSO
Entra-bound local accounts; Secure Enclave passwordless. Guide
PPPC / TCC
Privacy grants (Full Disk Access etc.) pre-approved by profile. Guide
Preference domain
An app's plist settings namespace, manageable by payload. Guide
profiles (command)
profiles status / sudo profiles show — device-side enrollment truth. Guide
System extension
The modern kernel-adjacent extension model; approved by team ID. Guide
User-approved MDM
Non-ADE enrollment requiring the user's explicit approval. Guide
Apple foundation terms
Term
Meaning
ABM
Apple Business Manager — Apple’s org portal for devices, app licensing, and Managed Apple Accounts. Mac context
Apple device state unlocking the full management surface — set at ADE enrollment
Token (ADE/server)
The .p7m trust bond between an ABM MDM server entry and Intune
VPP
Volume Purchase Program — now “Apps & Books”; device-based app licensing. Shared foundation
ACME enrollment
Automated Certificate Management Environment — replaces SCEP for Apple MDM identity certs, hardware-binding the cert to the Secure Enclave for stronger trust.
Managed Device Attestation (MDA)
Apple feature using the Secure Enclave to cryptographically prove a Mac's identity/properties to MDM; needs Apple silicon + macOS 14+, pairs with ACME.
Enrollment SSO
Apple's user-enrollment SSO flow where signing into Entra ID during Setup Assistant or Company Portal completes account-driven enrollment and licensing.
Account-driven enrollment
The user starts BYOD enrollment by signing in with their Managed Apple Account in Settings — no Company Portal app or profile download.
Software Update "Enforce latest"
DDM update mode (Settings Catalog) where you set a deferral and enforcement deadline and Intune targets the newest eligible build per Mac model.
Target OS version (DDM)
Declarative update setting pinning Macs to a specific macOS version/build by a deadline — for controlled rollouts when app compatibility requires it.
Status subscription
DDM mechanism where the Mac proactively reports status (update progress, installed software) to Intune instead of being polled on a schedule.
Activation / Configuration (DDM)
Declarative building blocks: Configurations define desired settings, Activations gate when they apply — enabling autonomous on-device policy.
Await final configuration
An ADE option that holds the Mac at Setup Assistant until required Intune profiles/apps land, ensuring compliance before the user reaches the desktop.
SSO extension (SSOe)
The app-extension framework behind Platform SSO and Kerberos SSO; the payload type that registers the identity-provider extension on macOS.
Kerberos SSO extension
Apple's built-in SSOe that fetches Kerberos tickets from on-prem AD, syncs the local password, and enables seamless access to Kerberized services.
Network extension
Framework for VPN, content-filter, and DNS-proxy clients (e.g. Defender, Global Secure Access); needs a profile to pre-approve it silently.
Notification settings payload
Managed config controlling per-app notification style, badges, and Lock Screen visibility — used to pre-approve Company Portal/Defender prompts.
Power management payload
Settings Catalog config for sleep, display-off, wake-for-network, and scheduled power events — useful to keep Macs awake for patch deadlines.
FileVault deferred enablement
A FileVault setting that defers encryption until the user's next logout/login, then captures and escrows the recovery key to Intune.
Shell script
An Intune-deployed zsh/bash script run as root or user on a schedule for remediation or config; output can surface for reporting.
A blast-radius-zero environment where enrollment flows get broken on purpose — start with the universal foundation that's identical on every platform, then build the lab your platform actually needs.
Every confident production change on this site was rehearsed somewhere safe first. A lab is where enrollment flows get broken on purpose, where scripts run their first time, and where "what happens if" gets answered without a ticket queue watching. The good news is that the foundation is identical on every platform: a dedicated test tenant (a free Intune trial or developer tenant — never a corner of production), a naming discipline (LAB- prefixes on everything so nothing ambiguous ever reaches a production scope), the snapshot ethos that keeps every lab device one reset away from clean, and a fence of scope tags plus a dedicated RBAC role so experiments physically cannot touch production objects. Build that spine once and it carries iOS, Android, Windows, and macOS equally. What goes into the lab differs by platform — and each platform gets its own dedicated page below.
RequiresDedicated test tenant — free Intune trial or developer tenant
NamingLAB- prefix on every group, profile, and policy
Reset ethosEvery lab device one reset away from clean
ScopeFenced with scope tags and a dedicated RBAC role
Adopt the universal spine
These steps are platform-agnostic. Do them once, in order, and you have a tenant that any of the four platform labs can plug into. None of them touches device hardware yet — this is the part of the lab that lives entirely in the admin center.
Stand up the dedicated tenant. Create a free Intune trial or a Microsoft 365 developer tenant — never a slice of production. This is the single rule that makes everything afterwards safe: a tenant that contains nothing real can't break anything real. Sign in once and confirm Intune is provisioned before you go further.
Apply LAB- naming from the very first object. Prefix every group, profile, policy, app, and filter with LAB- the moment you create it. The discipline pays off the first time you copy something toward production and the name announces exactly where it came from — and it makes a stray lab object impossible to mistake for the real thing.
License one admin and one test user. You need exactly two identities to exercise every flow: an administrator to build and assign, and a standard test user to receive policy and feel what a real end user feels. Resist the urge to license more — a two-account lab stays cheap and stays honest.
Fence the lab with scope tags and a dedicated RBAC role. Create a LAB- scope tag, tag every lab object with it, and grant your lab work through a dedicated RBAC role scoped to that tag alone. Now an experiment cannot reach a production group even if you fat-finger an assignment — the fence is structural, not a matter of remembering to be careful.
Calendar any certificate renewals the day they're issued. Some platform labs mint certificates with hard expiry dates — Apple's APNs certificate is the classic example. The instant you issue any cert in the lab, put its renewal on a calendar. Rehearsing the renewal you'll own in production starts with never letting the lab's own cert lapse silently.
Then build your platform's lab
With the spine in place, the rest is platform-specific — different hardware truths, different virtualization stories, different things that simply refuse to be simulated. Each page below reuses and expands the per-platform build it once lived inside: what you're building, prerequisites, the step-by-step, the honest limits, and exactly what to rehearse.
iOS & iPadOS
Simulators don't enroll — MDM, profiles, and apps all need real hardware. The lab centers on a spare iPhone or iPad you can wipe, supervised locally with Apple Configurator.
The friendliest platform to lab: emulators take real work-profile and fully-managed enrollments, so most of the lab runs on the laptop you already have — Google built the lab tools.
The most rehearsable platform — VMs take real Autopilot enrollments, and a checkpoint at OOBE turns every experiment into a two-minute revert instead of a reinstall.
Apple silicon VMs are gold for profile and script dry-runs, but real metal plus ABM reality carries enrollment, attestation, and recovery — a used Mac mini earns its keep fast.
The platform pages differ, but the working habits don't. These practices apply identically whether your lab is a drawer of spare iPhones, a folder of emulators, a stack of checkpointed VMs, or a bench Mac — and they're what separate a lab that builds confidence from one that just burns time.
Snapshot before every experiment. A clean restore point ahead of each change means you're always one revert from a known-good state — and you'll actually run the risky test instead of tiptoeing around it.
Provoke failures on purpose. Break enrollment, fail an app install, expire a token, watch the timeout. A failure you caused and watched end to end is the fastest education in reading the ones you didn't.
Mirror your production ring structure. Build the same group and ring layout you run in production so what graduates from the lab lands in a shape ring 1 already recognizes — the lab is the first rung of that same ladder.
Document what broke and how you fixed it. A short note per failure turns a one-time scramble into a runbook, and turns incident response from research into recognition.
When you want to rehearse a console flow without standing up any hardware at all, practice risk-free in the Intune Simulator — every click is reversible, so it pairs naturally with the snapshot-and-break ethos above.
Do
Build the universal spine first, then the platform lab
Fence the lab behind scope tags and a dedicated RBAC role
Prefix every lab object with LAB- and snapshot before experiments
Treat the lab as the first rung of the ring ladder
Don't
Run experiments in a corner of the production tenant
Let an ambiguously named object near a production scope
Skip the snapshot and then fear the risky test
Promote a change that skipped both the lab and ring 1
Insights
The lab's highest-value product isn't validation — it's calibrated confidence: knowing exactly what a failure looks like before it happens in production turns incident response from research into recognition.
Budget honesty: a free tenant, two licensed identities, and whatever your platform's page calls for — usually one spare device, one bench unit, and a hypervisor you already own. The lab that never gets built is the one specced as a rack; the one that changes your career fits in a drawer.
A blast-radius-zero iOS environment — a throwaway tenant, a lab-only Apple relationship, and one spare device you are free to wipe — plus the hardware truths that decide what you can rehearse and what you can't.
The universal lab foundation — dedicated test tenant, LAB- naming discipline, the snapshot ethos, and scope-tag fencing — lives on the cross-platform Build a Lab hub; this page is the iOS/iPadOS-specific build that sits on top of it.
An iOS lab is one dedicated test tenant, one physical device you are free to wipe, and a small set of Apple relationships that belong to the lab alone. The non-negotiable hardware truth up front: simulators don't enroll. The Xcode iOS Simulator renders a UI, but it has no MDM stack — no enrollment, no profile delivery, no managed app installation, no APNs path. Everything that makes this site real requires physical hardware, so the centerpiece of the lab is at least one real iPhone or iPad. An older spare is ideal: enrollment behavior, restriction handling, and app-config delivery do not need a current model, and an aging device you can reset without a second thought is worth more than a flagship you instinctively protect.
TenantDedicated trial or developer tenant, LAB- naming on every object
Apple relationshipLab-only test Apple Account + the lab tenant's own APNs certificate
HardwareOne spare iPhone/iPad — simulators do not enroll
ABM caveatNo throwaway ABM — ADE flows rehearse on a production ring-1 device
The Lab at a Glance
Five moves take you from a blank tenant to a device you are deliberately breaking. Most of this needs no Apple Business Manager at all — only the final ADE-dependent rehearsals do, and the ABM Reality section below explains where those go instead.
Step 1Stand up the tenantTrial/developer tenant, one admin + one test user, LAB- from object one
Step 2Create the Apple relationshipLab test Apple Account, then the lab tenant's APNs certificate
Step 3Supervise the spareWipe + supervise locally with Apple Configurator
Step 4Enroll and break thingsDeliver a profile, deploy an app, then provoke failures on purpose
Step 5Optional: run an open-source MDMPoint micromdm/nanomdm at the spare for a weekend
Prerequisites
A dedicated test tenant (free Intune trial or developer tenant), fenced with its own LAB- naming on every group, profile, and policy so nothing ambiguous ever drifts toward a production scope.
A separate, team-owned test Apple Account for the lab — never your personal account, and never the production organizational account that backs your live APNs certificate.
The lab tenant's own APNs certificate, created with that lab Apple Account, with the renewal date calendared the day it is issued — the same one-year clock you will own in production, rehearsed where a lapse costs nothing.
One spare iPhone or iPad dedicated to the lab, a cable, a desktop running Apple Configurator (macOS) or the bench-recovery equivalent, and the patience to wipe the device often.
Build It, Step by Step
Stand up the tenant. Create the trial or developer tenant, license one admin and one test user, and apply the LAB- naming discipline from the first object you create. The habit pays off the first time you copy a policy into production and the name announces exactly where it came from. Fence it immediately with scope tags and a dedicated RBAC role so a stray assignment can never reach a real group.
Create the lab Apple relationship. Sign up the test Apple Account, then issue the APNs certificate for the lab tenant with it. Nothing Apple-side enrolls until this certificate exists — every command Intune sends to every Apple device flows through APNs using it — and creating one in the lab demystifies the production renewal you will eventually own. Note the identity that created it: renewing with a different Apple Account forces a re-enroll, which is itself a failure mode worth seeing here first.
Supervise the spare device locally. Wipe the device and supervise it with Apple Configurator. Local supervision unlocks most of the supervised-only surface — device restrictions, Single App and kiosk modes, forced settings, non-removable management — without any organizational ABM enrollment, which makes it the fastest route to testing the policies that matter most. This is the single highest-leverage step: it gives you a supervised device to aim policy at today.
Enroll and start breaking things. Enroll the supervised device into the lab tenant, deliver a configuration profile, deploy an app, then deliberately cause the failures documented on the troubleshooting pages so you see each one where it costs nothing: provoke an enrollment error, force a profile installation failure with a conflicting payload, and block APNs at the network edge to watch push connectivity degrade. A failure you caused on purpose is the fastest education in reading the ones you didn't.
Optional, but career-changing: run an open-source MDM for a weekend. Pointing micromdm or nanomdm at the spare device teaches you what the MDM protocol actually does under Intune's console — the enrollment handshake, the command/result loop, the APNs wake. Every enrollment conversation you have afterward is sharper for it.
The ABM Reality
Apple Business Manager is a real-organization enrollment: legal-entity details, a D-U-N-S number, and a verifiable contact mean a throwaway lab ABM usually isn't possible — and shouldn't be faked. Plan for it instead of fighting it. The flows that require ABM — full Automated Device Enrollment, the Intune–ABM token exchange, Apps & Books (VPP) licensing, and Return to Service — get rehearsed on a production ring-1 device, which is precisely what ring 1 exists for. Everything else on this page works without ABM, and one detail bridges the gap honestly: a device captured into ABM with Apple Configurator's enrollment-capture behaves like an ADE device, but the capture is real and not reversible on a whim — so reach for it on production ring-1 hardware, not a borrowed spare.
Profile and app-config behavior: delivery timing, conflict resolution, and what the device actually shows the user.
App Protection Policy prompts on a BYOD-style setup, so the first user who asks "why is it asking me for a PIN" gets an answer from experience.
Enrollment restrictions — block a platform, then watch the device-side message — so the production posture is a decision you have seen, not one you guessed.
Full ADE / zero-touch enrollment without ABM — it lives on a production ring-1 device, not the spare.
Anything from the iOS Simulator — it has no MDM stack and will never enroll.
Apps & Books (VPP) silent install at scale — that needs the real ABM token, so prove it in ring 1.
A throwaway ABM tenant — don't fabricate legal-entity details to force one into existence.
Insights
The lab's highest-value product isn't validation — it's calibrated confidence: knowing exactly what a failed APNs push or a conflicting restriction looks like before it happens in production turns incident response from research into recognition.
Budget honesty: one spare iPhone, a free tenant, and a Mac you already own. The iOS lab that never gets built is the one specced as a fleet of devices; the one that changes your week fits in a drawer.
Local supervision plus the open-source MDM weekend together teach more about Apple management than any amount of console clicking — the protocol stops being a black box.
A blast-radius-zero Android Enterprise environment — almost all of it on the laptop you already have, with one spare device for the truths only hardware can tell.
Every confident production change starts as a rehearsal somewhere safe. The universal foundations of a lab — a dedicated test tenant (a free Intune trial or developer tenant, never a corner of production), a LAB- naming discipline so nothing ambiguous ever reaches a production scope, and the snapshot ethos that keeps every device one reset away from clean — are covered once on the universal Build a Lab hub. This page is the Android-specific build: what goes into the lab, what runs on the emulator, what genuinely needs metal, and exactly what to rehearse before any of it touches a managed fleet.
TenantDedicated trial or developer tenant, LAB- naming on every object
Managed Google PlayOne dedicated lab Google account — the binding identity, never personal Gmail
EmulatorsAndroid Studio AVDs with Play-enabled images take real enrollments
HardwareOne spare Pixel you are free to factory-reset on repeat
What You're Building
Android is the friendliest platform to lab, because Google built the lab tools. The reference device policy controller (Test DPC), emulator images that take real enrollments, and a free work-profile sandbox mean most of the lab runs on the machine you are reading this on — with one physical device reserved for the hardware-only truths. The arc is: bind Managed Google Play once, learn the platform's ceiling with Test DPC, enroll emulators in every management mode side by side, and keep the spare Pixel for NFC, QR, FRP, and battery behavior that no virtual device can fake.
Step 1Bind Managed Google PlayThe lab Google account binds the tenant — the gateway every enrollment depends on
Step 2Learn the ceiling with Test DPCGoogle's reference DPC exposes every AE capability as a toggle
Step 3Enroll emulators in all four modesPlay-image AVDs take real work-profile and corporate-owned enrollments
Step 4Reserve the Pixel for hardware truthsNFC, QR, FRP, and battery realities live only on metal
Prerequisites
A dedicated test tenant (free Intune trial or developer tenant) with LAB- naming on every group, profile, and policy. Fence it with scope tags and a dedicated RBAC role so experiments can never reach a production group.
A dedicated Google account for the lab's Managed Google Play binding — owned by the team, documented, and never reused from production. This account becomes the permanent enterprise binding identity, so make it an organizational mailbox (mgp-lab@yourdomain-style), never a personal Gmail.
Android Studio with Play-enabled emulator images (pick an AVD system image whose target shows the Google Play badge, not merely Google APIs — only Play images carry the Managed Google Play surface enrollment needs). Container-minded engineers can use emulator-container-scripts instead.
One spare physical device — a spare Pixel is ideal because it is GMS-certified, gets provisioning fixes first, and is cheap to keep current — that you are free to factory-reset repeatedly.
Build It, Step by Step
Stand up the tenant and bind Managed Google Play. Create the trial or developer tenant, license one admin and one test user, and apply LAB- naming from the first object. Then bind Managed Google Play with the lab Google account. This connection is the gateway every Android Enterprise enrollment and app deployment depends on — making the lab binding by hand rehearses the single most consequential setup step the platform has, and it is five minutes that unlocks the entire Android Enterprise surface.
Install Test DPC and learn its toggles.Test DPC is Google's reference device policy controller, and it exposes every Android Enterprise capability as a switch. When you wonder whether the platform supports something the Intune UI doesn't expose, Test DPC answers in five minutes — before you spend a day on a support case arguing about a setting that was never going to exist. It is also the cleanest way to feel the work-profile boundary and the fully-managed surface without any console in the way.
Enroll emulators in every management mode. Android Studio AVDs with Play images take real work-profile and fully-managed enrollments. Build one of each — work profile (BYOD), fully managed, corporate-owned work profile, and a dedicated-device enrollment — side by side. Mode comparison becomes a laptop exercise instead of a hardware shuffle, and you can leave all four running while you lead a choosing-a-mode conversation from the screen in front of you.
Use the physical Pixel for the hardware truths. Factory Reset Protection behavior, NFC provisioning, camera/QR enrollment flows, and battery realities only exist on real hardware. Generate QR provisioning payloads from the lab tenant and run the full dedicated-device flow on the Pixel — the bump-or-scan moment, the network-during-setup behavior, the wipe-and-re-provision loop. This is the device that tells you the truth about provisioning.
Put Shelter on a personal device.Shelter creates a work profile with no MDM attached — a free education in exactly how the profile boundary feels to your users: the badged apps, the separate clipboard, the cross-profile prompts. It is the part no console screenshot teaches, and it costs nothing but an afternoon.
Provoke the failures on purpose. Once the modes enroll cleanly, break them deliberately: a deliberately-failed Play Integrity verdict, a stalled app install, a work profile that won't provision. Each failure caught in the lab is worth ten tickets read cold — see the enrollment-error and work-profile troubleshooting pages for the failures worth rehearsing first.
Honest Limits
Two things genuinely resist simulation, and pretending otherwise wastes a weekend. Zero-touch enrollment requires a real reseller relationship — devices are registered to your enterprise at the point of purchase, which a throwaway lab cannot fabricate. The honest workaround: QR provisioning payloads generated from the lab tenant produce the same provisioning result, just triggered by a scan instead of by the supply chain, so you rehearse everything downstream of the trigger. The same logic applies to Samsung KME. The second limit is OEMConfig: a schema is only as real as the device that implements it, so OEMConfig testing honestly requires the OEM's own hardware. A Pixel will not validate a Samsung Knox OEMConfig key. Budget a borrowed or surplus unit of the specific OEM you manage when that day comes, and treat the emulator as out of scope for OEMConfig from the start.
What to Rehearse Here
Rehearse until it's muscle memory
All four management modes side by side, until the choosing-a-mode conversation is something you can lead from memory.
Managed Google Play app flows — approval, assignment, update behavior, and what the device shows at each stage.
Runtime permission policy first-runs, watched on-device so auto-grant behavior is never a surprise to a user.
Play Integrity failures provoked deliberately — a failed verdict you caused reads instantly when a real one arrives.
The full QR dedicated-device flow on the Pixel, end to end, including a wipe-and-re-provision.
Don't expect the lab to cover
Zero-touch / KME triggers — those need a reseller; QR payloads stand in for the downstream behavior.
OEMConfig schema validation — that needs the specific OEM's hardware, not an emulator or a Pixel.
Real-world battery and thermal behavior — emulators lie about both; only the physical device tells the truth.
NFC bump provisioning — a flow that exists only on metal with a second seed device.
Insights
The lab's highest-value product isn't validation — it's calibrated confidence: knowing exactly what a Play Integrity failure or a stalled provisioning looks like before it happens in production turns incident response from research into recognition.
Budget honesty: Android needs the least hardware of any platform. One spare Pixel, a laptop running Android Studio, and a free tenant cover the entire surface short of zero-touch and OEMConfig. The lab that changes your career fits in a drawer, not a rack.
A blast-radius-zero Windows environment — a dedicated tenant, a hypervisor that takes real Autopilot enrollments, and one physical machine for the truths VMs can't carry.
Every confident production change starts as a rehearsal somewhere safe. The universal foundations — a dedicated test tenant, LAB- naming on everything, scope-tag fencing, and the one-reset-from-clean ethos — are covered on the cross-platform Build a Lab hub; start there if you haven't. This page is the Windows-specific build, and Windows is the most rehearsable platform in the fleet for one reason: VMs take real Autopilot enrollments. The entire pipeline — hardware-hash registration through ESP completion — runs on the machine you are reading this on. The lab's superpower is checkpoint discipline: snapshot once at the out-of-box screen, and every experiment afterwards is a two-minute revert instead of a half-hour reinstall.
TenantDedicated test tenant — free Intune trial or developer tenant, LAB- naming throughout
HypervisorHyper-V or your choice, with disk for several checkpointed VMs
ToolingGet-WindowsAutopilotInfo to harvest hashes, Get-AutopilotDiagnosticsCommunity to decode
Physical metalOne real machine for firmware, TPM, DFCI, drivers, and OSDCloud bare-metal
What You're Building
A Windows lab is a dedicated tenant, a hypervisor with room for a handful of checkpointed virtual machines, and one physical machine held in reserve for the hardware-bound truths. Virtualization is a first-class citizen here, not a compromise: a Hyper-V VM registers as Autopilot hardware, runs the full user-driven flow, holds at the Enrollment Status Page while policy and apps land, and reverts to a clean OOBE in two minutes so the next experiment starts identical to the last. That revert loop is what turns Windows enrollment from a thing you watch once into a thing you drill until it's muscle memory.
The high-level arc looks like this:
Step 1Stand up the tenantTrial or developer tenant, one admin, one test user, LAB- discipline
Step 2Checkpoint a VM at OOBEInstall Windows, stop at the first out-of-box screen, snapshot
Step 4Run user-driven + ESPWatch the Enrollment Status Page hold, then revert and rerun
Step 5Break ESP on purposeForce a failure, decode it with the diagnostics script
Prerequisites
A dedicated test tenant (free Intune trial or developer tenant) with LAB- naming on every group, profile, and policy — the habit pays off the first time you copy something into production and its name announces exactly where it came from.
A hypervisor — Hyper-V is the natural choice on a Windows host, but any hypervisor that exposes a TPM works — with enough disk for several checkpointed VMs. Each checkpoint chain costs real space; budget for it rather than discovering the limit mid-drill.
Get-WindowsAutopilotInfo for harvesting hardware hashes, and Get-AutopilotDiagnosticsCommunity for decoding what the enrollment actually did afterwards — install both from the PowerShell Gallery before you need them.
One physical machine for the truths a VM cannot represent: real firmware, TPM attestation, docking-station behavior, and vendor drivers.
Build It, Step by Step
Stand up the tenant. Create the trial or developer tenant, license one admin and one test user, and apply the LAB- prefix discipline from the first group you create. Confirm Entra join is permitted for your test user and that the MDM auto-enrollment scope covers the lab group — Windows enrollment rides identity, so this verification is the real setup work.
Build the reference VM and checkpoint it at OOBE. Install Windows in the VM, enable a virtual TPM, stop at the first out-of-box-experience screen, and take the checkpoint. This checkpoint is the lab. Every enrollment experiment starts from it and ends with a revert, which is the entire reason a Windows lab is faster than any other platform's.
Harvest the hash and register the VM. From the VM, run Get-WindowsAutopilotInfo to export the hardware hash, import it into the lab tenant, and assign the lab's Autopilot deployment profile (user-driven, Entra join). The VM is now corporate-registered hardware as far as the pipeline is concerned — indistinguishable from a real device to Intune.
Run the full user-driven flow, including ESP. Revert to the OOBE checkpoint, boot, and run Autopilot user-driven end to end. Watch the Enrollment Status Page hold the session while policy and apps land — the blocking-apps decision you make here defines the provisioning experience forever after. Then revert, change one variable, and run it again. The two-minute loop is what makes Windows worth labbing at all.
Break ESP on purpose. Assign an app that cannot install — a deliberately broken Win32 package, an impossible requirement rule — and watch the timeout behavior. Then decode the result with Get-AutopilotDiagnosticsCommunity and the Autopilot and ESP failures playbook. An ESP failure you caused on purpose is the fastest possible education in reading the ones you didn't.
Reserve the physical machine for hardware truths. Move to metal for the flows a VM genuinely cannot fake: real firmware and DFCI, vendor driver and firmware update behavior, TPM-attestation nuances, and dock or peripheral quirks. OSDCloud from the open-source toolbox earns its slot here for bare-metal-to-Autopilot practice — imaging a wiped machine straight into your registered fleet.
What Needs Real Hardware
A VM carries the enrollment pipeline faithfully, but four things resist virtualization and belong on the physical machine. Firmware and DFCI: Device Firmware Configuration Interface speaks to UEFI settings a hypervisor doesn't expose, so locking the BIOS or disabling boot devices is a metal-only drill. Driver and firmware updates: the vendor catalog only delivers to the hardware it matches, so update behavior is meaningless on a VM. TPM attestation: a virtual TPM passes the basic Autopilot checks, but attestation-backed flows and conditional-access posture want a real, vendor-provisioned TPM to be honest. And docks, peripherals, and battery realities simply don't exist in a VM. Treat the physical machine as scarce and precious — most of your hours live in the VM revert loop, and the metal is for the specific truths only it can tell.
What to Rehearse Here
Rehearse in the VM loop
Every Autopilot variant you intend to run in production, each from the same clean OOBE checkpoint
ESP failure triage, repeated until the diagnostics output reads like a narrative instead of a log
Save for the physical machine
DFCI and firmware lockdown — UEFI settings a hypervisor never surfaces
Driver and firmware update delivery against the real vendor catalog
TPM-attestation-backed enrollment and conditional-access posture checks
OSDCloud bare-metal-to-Autopilot, docks, and peripheral behavior
Insights
The Windows lab's highest-value product isn't validation — it's calibrated confidence. Knowing exactly what a broken ESP looks like before it happens to a real user turns incident response from research into recognition.
Budget honesty: a hypervisor you already own, one physical machine you can wipe, and disk for a few checkpoint chains. The Windows lab that never gets built is the one specced as a rack of hardware; the one that changes how you work fits inside a single workstation.
A Mac lab is two tiers in one: disposable Apple silicon VMs for fast profile and script iteration, and a single physical bench Mac for the enrollment, attestation, and FileVault flows that virtualization can't honestly represent. This page is the macOS-specific build; the cross-platform reasoning — ring discipline, scope-tag fencing, and why a lab beats a production corner — lives on the universal Build a Lab hub.
TenantDedicated trial/dev tenant, LAB- naming on everything
Apple relationshipLab Apple Account + the tenant's APNs push cert and ADE token
HardwareOne erasable Apple silicon Mac + disposable VMs
ABM caveatVMs are never ABM-known — rehearse ADE on a real ring-1 device
What You're Building
Apple silicon made the Mac lab genuinely affordable. UTM and Parallels — both built on Apple's Virtualization framework — spin up disposable macOS guests that are gold for profile testing, script dry-runs, and validating each new OS release before it reaches the fleet. Sitting underneath that fast tier is one piece of real metal: a bench Mac you are willing to erase. On Apple silicon, Erase All Content and Settings makes a full reset a sixty-second menu item rather than a reinstall afternoon, so the same physical unit can take a fresh enrollment several times a day. The whole lab — host, VMs, and one used Mac mini — fits in a drawer and costs less than a single production incident.
Step 1Stand up the tenantTrial/dev tenant, LAB- discipline, one licensed test user
Step 2Wire the Apple plumbingLab Apple Account, APNs cert, ADE token from the lab's ABM
Step 3Build the VM tierOne UTM/Parallels guest per OS release, snapshotted clean
Step 4Enroll the bench MacReal ADE + bootstrap token + FileVault escrow on metal
Step 5Rehearse the hard flowsPlatform SSO, DDM updates, PPPC — until they hold no suspense
Prerequisites
A dedicated test tenant (free Intune trial or a developer tenant) with LAB- prefixing on every group, profile, and policy so nothing is ever mistaken for production.
A lab Apple Account created as an organizational identity (appleid-mdm-lab@yourdomain, backed by a shared mailbox) — never a personal Apple ID, because it owns the lab tenant's push certificate and must outlive whoever set it up.
The lab tenant's APNs certificate (one per tenant covers every Apple enrollment) and, for device enrollment, an ADE token exchanged against the lab's own ABM organization.
An Apple silicon host running UTM or Parallels for disposable VMs, plus one erasable bench Mac — a used mini earns its keep inside the first quarter.
Build It, Step by Step
Stand up the tenant. Spin up a trial or developer tenant, license one test user, and commit to LAB- naming immediately — the discipline is worthless if it starts late.
Wire the Apple plumbing in order. Connect the lab Apple Account's APNs certificate first (nothing Apple enrolls without it), then exchange an ADE token against the lab's ABM organization, and add a VPP token so app licensing exists before your first app assignment. Calendar the APNs renewal before you close the tab.
Create the disposable VM tier. Build a UTM or Parallels guest per OS release you support, snapshot each one in a clean state, and make this tier the default first-run destination for every profile, script, and update policy. Revert-to-snapshot is your fastest reset.
Put the bench Mac through real enrollment. Assign it an ADE profile in the lab tenant and run Automated Device Enrollment end to end — Setup Assistant, MDM check‑in, the works. VMs are never ABM-known hardware, so this physical unit is the only thing that tells you the truth about the enrollment flow.
Rehearse the bootstrap token and FileVault escrow. Confirm the bootstrap token escrows to the lab tenant during enrollment, enable FileVault, and verify the personal recovery key escrows and is retrievable from the admin center. Then deliberately simulate a locked-out morning and recover from the escrowed key — before a real one makes it urgent.
Reset and repeat. Use Erase All Content and Settings to wipe the bench Mac back to a clean Setup Assistant and run the whole sequence again. Each loop is one more rehearsal of the day a real device fails.
The ABM + virtualization reality
This is the one place a Mac lab cannot cheat, and it mirrors the iOS story exactly. ADE requires Apple Business Manager, and ABM requires a real organization — a legal entity, a D-U-N-S number, a verifiable contact, and a signup that takes days. There is no sandbox ABM. So your lab tenant either gets its own real (small) ABM organization, or you accept that the genuine ADE rehearsal happens on a ring-1 device in the org's actual ABM, treated as the first cautious production enrollment rather than a throwaway.
Virtualization has a hard ceiling too. macOS guests on Apple silicon are real and useful, but they are not ABM-known hardware, so ADE simply cannot target them. They also lack a Secure Enclave and the T2/secure-boot identity that several management behaviors depend on: Managed Device Attestation, hardware-bound keys, and some bootstrap-token and FileVault interactions need real metal to behave honestly. Apple's VM licensing also bounds how many guests you may run — the Apple silicon operations page covers the count. For everything below the enrollment layer — profile payloads, script logic, app installs, OS-release smoke tests — VMs are the faster, cheaper tool and you should reach for them first.
When you need local supervision without ADE — capturing a retail-bought Mac, or bench-provisioning a unit — Apple Configurator on a second Mac is the tool. Its companion flow can also add a retail Mac into ABM after the fact, which is how a lab unit bought off the shelf joins the org relationship at all.
What to rehearse here
The lab's job is to turn every production surprise into recognition. Drive these until they bore you:
Rehearse on the bench Mac
Platform SSO registration and its failure modes — watched once in the lab, recognized forever after
Declarative software updates with a real deadline, so you see the user-facing countdown and enforcement before a fleet does
PPPC prompts against the actual apps you deploy, confirming the payload silences the prompt it's meant to
Bootstrap-token escrow and FileVault recovery, run end to end until they hold no suspense
Split the work by altitude: iterate in VMs, validate on metal. Almost everything you change day to day is a payload or a script, and those belong in a snapshot-revert VM. The bench Mac is reserved for the few flows — enrollment, attestation, escrow — that only real hardware can prove.
When enrollment or a profile misbehaves in the lab, the Mac enrollment and profile issues page is the first stop — and the lab is exactly where you should learn to read those failures, where the stakes are zero.
The lab that never gets built is the one specced as a rack. One erasable Mac, a hypervisor you already own, and a free tenant is a complete macOS lab — and it changes how calm you are at 9 a.m. on a FileVault lockout.
The known-good starting floor for every platform — where to start, what to adopt, and how to adapt a baseline to your org.
A baseline is a reviewed set of security and configuration decisions that gets a new tenant from blank to defensible without re-deriving every setting yourself. It is a starting point, not a final state — you adopt it, then adapt it. Every platform on this site has a baseline — all four are below, with where each one comes from and what it covers, plus the adoption discipline that applies everywhere.
Adopting Any Baseline, Step by Step
Review before assigning. Every baseline encodes opinions. Inventory the settings that change user-visible behavior and flag anything your org cannot accept. The review takes about an hour and prevents a wave of support tickets.
Deploy to a pilot ring first. A baseline meets your hardware, apps, and users for the first time in the pilot — surface conflicts there, not across the whole company.
Track your deviations; don't fork. Keep a short document recording where you depart from the published baseline. When the upstream baseline updates, you re-apply your known deltas instead of re-evaluating every setting from scratch.
Re-review on a cadence. Baselines age as the OS and threat landscape change. Schedule a quarterly review and treat baseline version bumps like any other ringed rollout.
Android's floor is the hardening baseline — the restriction and security posture that corporate-owned modes should start from — backed by compliance policies with Play Integrity anchoring the trust story, and device restrictions tuned per management mode. As with Apple, Microsoft ships no Android security baseline — hardening comes from CIS, Android Enterprise, and the App Protection Framework.
Start with Microsoft's own security baselines — deployed in audit mode first, exactly as that guide prescribes — then layer the ASR rules cookbook and the endpoint security family. The community OpenIntuneBaseline is the field-tested alternative when you want opinionated coverage that maps to real-world fleets. Windows is the one platform where Microsoft ships real importable baselines — treat them as the floor and CIS as the regulated overlay.
A baseline's real value is a documented, defensible default. When a security review asks why a setting is configured the way it is, "we reviewed the published baseline and recorded our deviation" is an answer; "that's how it was when I got here" is not.
Keep the baseline separate from the hardening roadmap. The baseline is what every device gets today; the roadmap is a separate, ringed project of future tightening. Combining them stalls both.
r/Intune — day-to-day questions, war stories, and the occasional gold-mine thread.
Mac Admins Slack — Apple-centric by name, but #microsoft-intune is one of the most active Intune channels anywhere and platform-agnostic in practice. Join here.
The Apple admins community Slack — its #microsoft-intune channel is one of the most active Intune channels anywhere, with deep Apple device management expertise on tap. Join here.
The #microsoft-intune community Slack — a long-running admin community workspace whose Intune channel is one of the most active anywhere and platform-agnostic in practice. Join here.
bayton.org (Jason Bayton) — the community Android Enterprise resource: mode deep-dives, zero-touch guides, and honest platform commentary. Required reading alongside the Android sections of this site.
call4cloud (Rudy Ooms) — the deepest Intune-internals writing anywhere; the investigative method transfers to every platform.
scloud.work (Florian Salzmann) — practical Intune guides and ready-to-use templates.
andrewstaylor.com (Andrew Taylor) — Intune automation and Graph scripting at volume.
Ugur Koc's blog — Intune automation and community tooling, including IntuneAssignmentChecker.
oofhours.com (Michael Niehaus) — Autopilot and Windows deployment lore from the person who built much of it; the Windows section's recommended deep-reading.
SkipToTheEndpoint — Windows endpoint engineering and the OpenIntuneBaseline project.
Der Flounder (Rich Trouton) — two decades of MacOS administration depth; required reading for anyone running Macs in production.
Watch and Listen
Intune.Training — the long-running community YouTube series; excellent onboarding material for the Learning Path.
Mac Admins Podcast — Apple platform management weekly; the MDM-protocol episodes are required listening for anyone running Apple devices under MDM.
Mac Admins Conference (Penn State) — the Apple-management community's annual gathering; Intune content grows every year.
The Apple admins conference at Penn State — the Apple-management community's annual gathering; Intune content grows every year.
MMS (Midwest Management Summit) — deep Microsoft endpoint management, small-room format, heavy Intune track year after year.
WWDC (online, free) — where the Apple management features covered on this site are first announced.
Google I/O (online, free) — where the Android management features covered on this site are first announced.
Microsoft Ignite (sessions stream free) — where the headline Intune and Windows-management announcements land each year.
Community
Community Tools and Scripts
The open-source and free tooling Intune admins actually use, organized by job.
Tools built by the community (and a few by vendors, free) that make device management with Intune meaningfully better. Found something that belongs here? Let me know via the Feedback page.
Graph, Automation, and Config-as-Code
Graph Explorer (Microsoft) — run any Graph call against your tenant interactively. Prototype here, script after.
Graph X-Ray — browser extension that reveals the exact Graph calls the Intune portal makes as you click. The fastest way to discover an undocumented endpoint or payload shape — indispensable for everything in our automation section.
IntuneAssignmentChecker (Ugur Koc) — answers "what is actually assigned to this user/device/group" across policies and apps, every platform. The assignment-audit tool the portal should have shipped with.
IntuneCD (Tobias Almén) — configuration-as-code: backs up, documents, and diffs your entire Intune configuration (every platform, the lot) into a Git repo. Change tracking, drift detection, tenant-to-tenant promotion.
IntuneDeviceDetailsGUI (Petri Paavola) — a PowerShell GUI showing everything about one device — assignments, group memberships, applied policies — in a single pane.
Apple-Side Tooling
Apple Configurator (the desktop app plus its iPhone companion app) — Apple's own tool; essential for adding retail devices to ABM and bench provisioning.
Apple Configurator — Apple's own tool; the companion app captures retail-bought Macs into ABM, and the desktop app revives or restores Apple silicon Macs that no longer boot.
Apple Devices app (Microsoft Store) — Apple's app for updating and restoring iPhones and iPads from an ordinary office desktop; the bench-recovery tool when no dedicated Apple hardware is around.
libimobiledevice — open-source CLI suite for talking to iOS devices from practically any desktop OS; idevicesyslog streams live device logs with no extra Apple hardware required.
Android-Side Tooling
Test DPC (Google) — Google's open-source test device policy controller: spin up a work profile or device-owner sandbox and explore every Android Enterprise policy hands-on before you build it in Intune. The single best Android learning tool in existence.
PSAppDeployToolkit — the community-standard framework for installs needing logic: process closing, user dialogs, pre/post steps. If a Win32 package has more than two moving parts, it belongs in PSADT.
OpenIntuneBaseline (SkipToTheEndpoint) — community Windows security baseline as reviewable Settings Catalog policy; the settings-as-code counterpart to Microsoft's sealed baselines.
Mist — fetches MacOS installers/IPSWs on demand; the lab and re-provisioning companion.
Frequently Asked Questions
FAQ
Frequently asked questions about managing devices with Microsoft Intune — organized by platform.
Common questions every admin runs into. The first three apply to every tenant; the rest are specific to the platform you have selected.
What licenses do my users need?
Microsoft Intune Plan 1 (included in Microsoft 365 E3/E5, Business Premium, EMS E3/E5, and others) covers everything on this site unless a page notes otherwise.
Why is a brand-new device "not compliant" right after enrolling?
Compliance needs a first full check‑in plus Entra device registration to complete — usually a few minutes. If it persists past ~15 minutes, open the device's compliance blade and check which specific setting is failing. The blanket "not compliant" state is a symptom; the per-setting view is the diagnosis.
What's the difference between Retire, Wipe, and Delete?
Retire removes company data, apps, and management while leaving personal data intact — the action for a personal device leaving management.
Wipe is a full factory reset — the action for corporate hardware being decommissioned or redeployed.
Delete removes only the Intune record without touching the device — a last resort for dead or unreachable hardware, never the first move.
Each platform has nuances on what these actions reach; the platform's enrollment pages carry the details.
Do iOS devices support scripts?
No — iOS exposes no mechanism for MDM to execute arbitrary code on the device. Everything you configure happens through MDM profiles, managed apps, and declarative configurations; fleet automation happens server-side via the Microsoft Graph API.
What's the difference between supervised and unsupervised?
Supervision is an Apple device state (not an Intune setting) that unlocks the most powerful management capabilities: Lost Mode, Single App Mode, Home Screen Layout, blocking app removal, silencing Activation Lock, many restrictions, and more. Devices become supervised through Automated Device Enrollment or Apple Configurator. BYOD devices are never supervised.
Do I really need Apple Business Manager?
For corporate-owned devices: yes, full stop. ABM gives you Automated Device Enrollment (zero-touch, supervised, non-removable management) and Apps & Books (app licensing without Apple IDs). For a pure BYOD/MAM environment you can technically operate without it, but you still need ABM for Managed Apple Accounts if you want account-driven enrollment.
Why does my Apple MDM Push certificate matter so much?
Every command Intune sends to every Apple device flows through the Apple Push Notification service using that one certificate. If it expires, all enrolled Apple devices stop receiving commands until you renew it — and if you renew with a different Apple ID, every device must be re-enrolled. Treat the Apple ID that created it as a crown jewel. See Apple MDM Push Certificate.
Can users remove management from their devices?
ADE-enrolled (supervised): No, if the enrollment profile is locked — management survives even a device wipe.
Device enrollment (web/Company Portal): Yes, users can remove the management profile.
Account-driven user enrollment (BYOD): Yes, users can sign out of work at any time, which removes all work data.
Should I use device licenses or user licenses for VPP apps?
Device licensing is the default recommendation: no Apple ID required on the device, apps install silently on supervised devices, and licensing is tied to the serial number. User licensing only makes sense for Shared iPad scenarios with Managed Apple Accounts.
Does Intune support eSIM?
Intune can collect eSIM identifiers (EID) in hardware inventory and supports eSIM activation via mobile network operators that provide activation servers, but carrier support varies widely. Plan a pilot with your carrier before committing to an eSIM-only fleet.
Can I rename devices remotely?
Yes — supervised devices accept the setDeviceName action (per-device in the portal, or fleet-wide with our Bulk Device Rename script). Pair it with a restriction blocking user renames so your naming convention holds.
Can I block iOS updates forever?
No — deferral maxes out at 90 days (supervised). Apple intends this as a validation window, not an indefinite hold. Build the ring-based enforcement model instead.
Does wiping a device remove it from Apple Business Manager?
No. ABM ownership is permanent (after any provisional window) and survives every wipe — that's exactly what makes ADE management non-removable. Devices leave ABM only by explicit release in the portal.
Is GCC / government cloud different?
The Apple half (ABM, APNs, VPP) is identical; the Microsoft half uses different endpoints in GCC High/DoD and trails commercial on feature releases. Details and script portability guidance: Sovereign Clouds and GCC.
Why can't I use Android device administrator anymore?
Google removed its powers — Android 10 deprecated most of the legacy device admin API, and Android Enterprise is the only supported management model now. Anything still on device admin is technical debt that will require re-enrollment.
Can my company see my personal apps in a work profile?
No — and not as a policy choice, as architecture. The work profile is a sealed container; the org manages inside it and cannot see personal apps, photos, or messages. The OS enforces the separation, which is what makes the work profile the right BYOD answer.
What does "Wipe" actually do on Android?
It depends on the management mode: on a BYOD work profile, wipe/retire removes only the work profile — the device and personal data are untouched. On fully managed and dedicated devices, wipe is a full factory reset. Confirm which fleet you are targeting before clicking; the button reads the same.
Is Play Integrity the same thing as SafetyNet?
Play Integrity is SafetyNet's successor — Google's device attestation service. Intune compliance policies consume its verdicts to verify the device is certified and untampered; if your documentation or vendor still says "SafetyNet," read it as Play Integrity.
Can Intune manage Android devices without Google services?
Only via AOSP mode, with a reduced feature set — no Managed Google Play, no Play Integrity. It exists for GMS-less rugged and specialty hardware on Intune's supported list. For everything else, GMS certification is a hard requirement — check before buying gray-market hardware.
Can I deploy paid apps through Managed Google Play?
Practically, no — Managed Google Play's enterprise distribution is built around free apps and your own private apps; there is no bulk purchase mechanism. Vendors with paid consumer apps nearly always offer an enterprise or private build — that is the conversation to have.
Do I need Configuration Manager to manage Windows with Intune?
No — cloud-native Windows (Entra join + Autopilot + Intune) needs no ConfigMgr at all. Where ConfigMgr already runs the estate, co-management lets workloads move to Intune one at a time; it is a migration bridge, not a requirement.
Entra join or hybrid join?
Entra join for everything new; hybrid only where a specific, enumerated legacy dependency forces it — and even then as a bridge with a retirement date. The on-prem-resources objection is mostly obsolete: cloud Kerberos trust lets Entra-joined devices reach AD file shares and printers.
Does Autopilot replace imaging?
For cloud-native fleets, yes — the OEM image plus Autopilot's transformation of OOBE replaces build-and-capture imaging. You give up the golden image and the work of maintaining it.
Where do BitLocker recovery keys live?
Escrowed to Entra ID by policy, with audited admin retrieval, user self-service lookup, and rotation after use. Measure escrow coverage, not just encryption coverage — an encrypted disk whose key never escrowed is a future lockout.
Can users stay local admins?
The defensible posture is standard users plus Windows LAPS as the managed break-glass path. Give power users a defined elevation path rather than standing admin rights; broad exemptions undermine the whole model.
Does Intune replace Jamf for Macs?
For most fleets, capability-wise, yes — ADE, DDM updates, Platform SSO, FileVault escrow, PPPC, and scripts are all first-class. The honest caveats: the idioms differ (Smart Groups become filters, policies become scripts), and Apple's June feature announcements land in Intune on Microsoft's adoption curve. For Microsoft-stack orgs, single-console economics usually decide it.
Do Macs need Apple Business Manager?
For corporate Macs, treat it as required: ABM is what makes Automated Device Enrollment possible — supervised, mandatory, wipe-surviving management — plus app licensing through Apps & Books. A Mac outside ABM can still enroll, but management is removable and the deeper controls stay locked.
Where do FileVault recovery keys live?
Personal recovery keys escrow to Intune by policy, with audited retrieval and rotation after use. Measure escrow coverage, not just encryption coverage, and rehearse the locked-out-recovery procedure on a bench unit before you need it in production.
Can users stay local admins?
The mature posture is standard users plus a hidden managed admin account plus a defined elevation process — the account strategy decision made at enrollment time. Standing admin rights undermine the security model; a real elevation path keeps it intact while still serving power users.
What must exist before the first device enrolls — licensing, identity, admin access, and the platform-specific accounts and programs.
This page is the checklist to complete before tenant setup. Four items apply to every tenant; the rest depend on the platform you manage.
LicenseIntune included and assigned to pilot users
IdentityHealthy Entra ID — cloud-only or fully syncing
Admin accessIntune Administrator for daily work; Global Admin reserved as break-glass
BrowserModern browser signed into the correct tenant
Universal Prerequisites
Licensing. Confirm your plan includes Intune (Intune Plan 1 standalone, EMS E3/E5, or a Microsoft 365 bundle — verify against the licenses doc) and assign the license to your pilot users in Microsoft 365 admin center > Users. A purchased-but-unassigned license blocks enrollment.
Identity. Entra ID must be healthy — cloud-only, or with Entra Connect sync fully configured. A partially-configured hybrid identity (sync errors, unverified UPN suffixes) is the most common cause of day-one enrollment failures.
Admin access. Assign the built-in Intune Administrator role for routine work. Keep Global Administrator for break-glass only and document the break-glass accounts — see RBAC and Scope Tags.
Browser and tenant. Use a current browser signed into the correct tenant. Confirm the tenant in the account switcher before configuring anything; an admin signed into the wrong tenant is a recurring source of lost time.
Platform-Specific Prerequisites
Two Apple relationships must exist before any iOS/iPadOS device enrolls:
An Apple Account for the APNs certificate. Create it as an organizational account (for example appleid-mdm@yourdomain, backed by a shared mailbox), never a personal Apple ID — this identity must outlive any individual employee. The APNs certificate page covers why its renewal date belongs on multiple calendars.
Apple Business Manager enrollment for anything supervised at scale. ABM signup requires legal-entity details and a D-U-N-S number and takes days, not minutes — start it first. BYOD-only pilots can begin on the APNs certificate alone.
One Google relationship: the account that binds Managed Google Play to the tenant. Create a fresh Google account specifically for this (for example mgp@yourdomain, backed by an organizational mailbox) — never a personal Gmail, because this identity owns the enterprise's Play relationship permanently and cannot be changed later without re-binding. There are no device-side prerequisites beyond GMS-certified hardware (AOSP fleets are documented separately). Zero-touch and Knox Mobile Enrollment are set up later through resellers and need nothing pre-staged now.
The shortest list:
Confirm Entra join is permitted. In Entra admin center > Devices > Device settings, allow users to join devices; in Entra > Mobility (MDM and MAM) > Microsoft Intune, set the MDM user scope to your pilot group.
Confirm the edition story. OEM Pro hardware steps up to Enterprise via subscription activation when the user's license carries it, so the Windows license assignment belongs on this checklist, not later.
Autopilot needs no further pre-work beyond deciding who will harvest or supply hardware hashes.
Macs run on the tenant's shared Apple foundations:
APNs certificate. A single APNs certificate per tenant covers every Apple enrollment — if one already exists for iOS, Macs are covered.
Licenses assigned to pilot users (not just purchased).
Identity signs in cleanly with no sync errors.
Admin roles issued and break-glass accounts documented.
Platform accounts created with renewal dates on a shared calendar.
Insights
Treat every credential created on this page as organizational infrastructure: shared-mailbox-backed, documented, and renewal-calendared. The two failures this prevents — an APNs certificate tied to a departed employee's Apple ID, and a Managed Google Play binding on a personal account — both require disruptive re-enrollment to recover from.
From empty tenant to enrollment-ready — the universal configuration spine, then the per-platform connectors in the right order.
A fresh tenant becomes enrollment-ready in an afternoon if the steps run in order. The universal spine first: confirm the MDM authority is Intune (modern tenants default correctly), set auto-enrollment scope (Entra > Mobility > Microsoft Intune — MDM user scope to your pilot group), build the starter group structure (dynamic groups and filters — an all-pilot-users group and per-platform device filters carry you surprisingly far), apply company branding (logo and support contact — it appears in every enrollment flow and Company Portal, so first impressions are configured here), and set enrollment restrictions deliberately rather than inheriting defaults — personal-device posture per platform is a policy decision, not an accident.
Step 1Confirm MDM authorityIntune — modern tenants default correctly
Step 2Set auto-enrollment scopeEntra > Mobility > Microsoft Intune — MDM user scope to the pilot group
Step 3Build starter groupsAll-pilot-users group plus per-platform device filters
Step 4Apply company brandingLogo and support contact appear in every enrollment flow
Step 5Set enrollment restrictionsPersonal-device posture is a decision, not an inherited default
Then the platform connectors, in the order that avoids rework:
Order matters absolutely here. First the APNs certificate — nothing Apple enrolls without it; created with the organizational Apple Account from prerequisites, renewal calendared before you close the tab. Then the ABM token: link Intune as an MDM server in ABM, exchange tokens, set the default device assignment. Then VPP: the Apps and Books token so app licensing exists before the first app assignment. Finish with an ADE enrollment profile for corporate devices, and the enrollment-method page decides the BYOD lane.
One connector does most of the work: bind Managed Google Play using the dedicated Google account from prerequisites — five minutes that unlocks the entire Android Enterprise surface. Then create enrollment profiles per management mode you'll actually run (work profile arrives nearly free; corporate-owned modes generate the provisioning tokens and QR payloads), approve your first apps in Managed Google Play, and set Android enrollment restrictions to match your BYOD stance.
Windows enrollment rides identity, so most setup is verification: auto-enrollment scope covers the pilot group (set in the spine above), then stand up Autopilot — import a first hardware hash, create a deployment profile (user-driven, Entra join), and configure the Enrollment Status Page deliberately: the blocking-apps decision made here defines your provisioning experience forever after. A starter Settings Catalog profile and one required app make the first enrollment prove the whole pipeline.
Macs reuse the Apple plumbing — a single APNs certificate per tenant covers every Apple enrollment (if your tenant already has one, this step is done), and the same ABM token serves Mac ADE; what's Mac-specific is its own enrollment profile (the Setup Assistant and await-configuration decisions) and the early account-strategy choice that's expensive to change later. Add VPP app licensing and a first shell script to prove the script channel, and the bench Mac from the lab takes the inaugural enrollment.
Prove It
The setup isn't done when the consoles are green — it's done when one device per platform has enrolled, received a profile, installed an app, and reported compliant. That four-line verification is the afternoon's real deliverable, and the device that did it becomes ring 1's founding member.
Insights
Resist configuring everything on day one: the tenant needs exactly enough to enroll and prove the pipeline. Every policy added before the first successful enrollment is a variable you'll have to rule out when something fails — the build-up discipline starts here.
A full simulated Microsoft Intune admin center — Devices, Apps, Endpoint security, Enrollment, Updates, Reports, Users, Groups, Tenant administration, and Troubleshooting, mirroring the real console's menus blade by blade. Generate a fleet, build dynamic groups with real query logic, deploy configuration and apps, harden with Endpoint security, watch compliance evolve. Nothing here touches a real device.
Simulated tenant
Everything below runs locally in your browser and persists to this device. Set the environment size in Tenant administration → Simulator settings, then explore — or hit Advance time and watch the fleet live. Reset any time.
Loading simulator…
Exam Prep
MD-102: Endpoint Administrator — Study Lab
A complete, free prep workspace for MD-102 and the Microsoft 365 Certified: Endpoint Administrator Associate badge: a readiness dashboard, objective tracker, 175 flashcards, a study guide, cheat sheets, a glossary, and a full timed mock exam drawn from a 191-question bank — all on the current (April 2026) objective domains.
Exam readiness
Where you stand today.
Tick objectives, drill domains, and sit the timed mock — it all rolls into one readiness score that saves to this browser. Pick up wherever you left off below.
40–60 questions·700 / 1000 to pass·120 min exam·$165 USD·Free yearly renewal
Jump in
Pick a session — every answer feeds your readiness score
Skills measured April 2026
1
Prepare infrastructure for devices
25–30%
Entra join types and device groups; enrollment (Windows automatic, Apple ADE, Android Enterprise modes); Intune RBAC; compliance policies + Conditional Access; Windows Hello for Business; Windows LAPS; local group membership.
2
Manage and maintain devices
30–35%
Autopilot vs provisioning packages; ESP; Windows 11 upgrades and Cloud PC; configuration profiles and ADMX; filters; Intune Suite add-ons (EPM, Remote Help, Cloud PKI, Advanced Analytics, Tunnel for MAM); remote actions including KQL device query.
3
Manage applications
15–20%
Win32 (.intunewin) packaging and deployment; Microsoft 365 Apps with ODT/OCT; store apps; app protection policies (MAM) with Conditional Access; app configuration policies.
4
Protect devices
15–20%
Endpoint security policies (antivirus, disk encryption, firewall, ASR); security baselines; Microsoft Defender for Endpoint integration; update rings, feature/quality updates and Delivery Optimization.
Know the format. MD-102 is a single associate-level exam — multiple choice and multiple response, build-list / drag-and-drop, hot-area, active-screen, and case studies (you cannot return to a case-study question once you move past it). You may browse learn.microsoft.com during the exam, but the clock keeps running.
After MD-102
SC-300 — Identity and Access AdministratorThe Entra deep-dive: Conditional Access, MFA/passwordless, Identity Protection, PIM, and entitlement management.
MS-102 — Microsoft 365 AdministratorThe tenant-wide counterpart — identity, Defender XDR, Purview — pairs with MD-102 toward the Administrator Expert track.
AZ-800 / AZ-801 — Windows Server HybridThe on-prem and hybrid side Intune does not cover — AD DS, GPO, hybrid identity, and failover clustering.
Tick each skill as you master it — progress saves to this browser and feeds your readiness score.
MD-102 mastery tracker
Prepare infrastructure for devices (25–30%)
Manage and maintain devices (30–35%)
Manage applications (15–20%)
Protect devices (15–20%)
Tap a card to flip it. Mark cards ✓ Know it or ⟳ Review — your review pile and known count save to this browser and feed your readiness score. Filter by domain or shuffle.
The exam-relevant essentials, by domain.
Prepare infrastructure for devices
Three Entra join states: registered (BYOD/personal — SSO + Conditional Access only), joined (corporate, cloud-only), hybrid joined (corporate, also on-prem AD via Entra Connect).
Groups: assigned (static membership) vs dynamic (membership rule, e.g. device.deviceOSType -eq "Windows", recalculated automatically). You can't assign Intune/Entra roles to a dynamic group.
Windows automatic enrollment needs the MDM user scope set in Entra mobility settings plus Entra ID P1; it triggers on Entra join.
Apple: an Apple MDM push certificate (APNs) is mandatory before any Apple device enrolls and renews yearly. Zero-touch corporate enrollment = Automated Device Enrollment (ADE) via Apple Business Manager.
Android Enterprise modes: personally-owned work profile (BYOD), corporate-owned work profile (COPE), fully managed, and dedicated (kiosk); enrollment binds through managed Google Play.
Enrollment restrictions block platforms, OS versions, or personal devices; the device limit defaults to 5 (max 15).
Compliance evaluates posture (BitLocker, OS version, password, jailbreak/root). Actions for noncompliance can notify, then mark noncompliant after a grace period.
Tenant default: "Mark devices with no compliance policy assigned as" defaults to Compliant — set it to Not compliant for Zero Trust. Conditional Access "Require device to be marked as compliant" ties compliance to access.
Windows LAPS rotates and escrows the local admin password to Entra ID or AD. Windows Hello for Business replaces passwords with a PIN/biometric bound to an asymmetric key (cloud Kerberos trust is the modern model).
Manage and maintain devices
Autopilot cloud-transforms the existing OEM image during OOBE — it never images the OS. Choose provisioning packages for quick offline/local config without an Intune dependency.
Devices register by hardware hash CSV or OEM/partner. A device name template applies a pattern such as CONTOSO-%SERIAL% (max 15 chars).
The Enrollment Status Page (ESP) blocks device use until tracked apps, policies and certs apply during provisioning.
Windows Configuration Designer builds .ppkg files. Windows 365 = persistent per-user Cloud PC via a provisioning policy; AVD multi-session uses dedicated multi-session profiles.
Configuration profile types: Templates, Settings catalog (most flexible), and Administrative Templates (import custom ADMX/ADML). Filters include/exclude by device property at assignment time — prefer them over many groups.
Intune Suite add-ons: EPM (per-app elevation for standard users), Remote Help (RBAC remote assistance), Cloud PKI (cloud CA replacing AD CS + NDES/SCEP), Advanced Analytics (device query + anomaly/battery/resource), and Microsoft Tunnel for MAM.
Remote actions: Sync, Restart, Retire (removes company data, leaves personal), Wipe (factory reset), Fresh Start, Autopilot Reset, Collect diagnostics, Rotate BitLocker keys; bulk actions act on many devices at once.
Device query runs KQL against a single device's live inventory in real time (an Advanced Analytics capability).
Manage applications
Win32 apps are packaged as .intunewin with the Microsoft Win32 Content Prep Tool; they support detection rules, dependencies, supersedence and install order.
App intents: Required (auto-install), Available (Company Portal opt-in), Uninstall.
Microsoft 365 Apps deploy as a built-in app type (channel, bitness, languages). For Autopilot, the Office Deployment Tool (ODT) and Office Customization Tool (OCT) generate the configuration XML.
App protection policies (MAM) enforce PIN, encryption, copy/paste and save-as controls at the app level — and work on unenrolled (MAM-only) devices, the core BYOD pattern. Pair with Conditional Access app-protection grants.
App configuration policies push settings to apps in two scopes: managed devices (enrolled) and managed apps (MAM, enrollment-agnostic).
Store apps deploy through Microsoft Store integration (winget) and the Company Portal.
Protect devices
Endpoint security policies: antivirus (Microsoft Defender AV), disk encryption (BitLocker / FileVault — recovery keys escrow to Entra/Intune), firewall, and Attack Surface Reduction.
ASR rules block common malware behaviors (e.g. credential theft from LSASS); each rule runs in Block, Audit, or Warn mode.
Security baselines are Microsoft-recommended, versioned groups of settings (Windows, Defender for Endpoint, Edge) you deploy and upgrade.
Intune ↔ Defender for Endpoint: the connector lets MDE machine-risk feed device compliance, and devices onboard via an EDR/onboarding policy.
Update rings set deferral, deadline, grace period and restart behavior; feature update policies pin the target Windows version; quality updates ship monthly and can be expedited for zero-days.
Delivery Optimization cuts bandwidth via peer caching. Apple updates use managed/DDM update policies; Android uses configuration profiles or firmware-over-the-air (FOTA).
Exam-day strategy
Case studies come in a sealed section — read the requirements tab first and answer in order; you cannot go back once you leave the case study.
You can browse learn.microsoft.com during the exam, but the timer never pauses — use it only to confirm a specific value, not to learn a topic.
Watch the Retire vs Wipe trap: Retire = remove company data (keep personal); Wipe = factory reset.
"Cloud-only, no on-prem AD" → Entra joined; "personal/BYOD" → Entra registered; "syncs from on-prem AD" → hybrid joined.
"No user at setup / kiosk" → Autopilot self-deploying (needs TPM 2.0).
"Protect data without enrolling the device" → app protection policy (MAM), not a compliance policy.
"Apply to some devices in a group without new groups" → assignment filter.
"Standard user must run one app elevated" → Endpoint Privilege Management.
"Make MDE risk affect compliance" → enable the Defender for Endpoint connector.
Flag uncertain questions and use the remaining time to revisit them before submitting the mock.
Deferral, deadline, grace period and restart behavior for quality/feature updates
Feature update policy
Pin the fleet to a target Windows version
Quality update policy
Expedite a specific monthly update (e.g. zero-day)
Driver update policy
Approve/decline driver and firmware updates
Delivery Optimization
Reduce bandwidth via peer-to-peer caching
The acronyms that show up on MD-102.
ABMApple Business Manager
Apple portal for ADE, VPP app licensing and Managed Apple Accounts.
ADEAutomated Device Enrollment
Apple zero-touch corporate enrollment via ABM (formerly DEP).
ADMXAdministrative Template
Group Policy template format; importable into Intune for custom policies.
APNsApple Push Notification service
The MDM push certificate required before any Apple device can enroll.
ASRAttack Surface Reduction
Defender rules that block common malware behaviors (Block/Audit/Warn).
BYODBring Your Own Device
Personal devices — typically Entra registered and protected with MAM.
CAConditional Access
Entra policy that gates access on signals like device compliance.
COPECorporate-Owned, Personally Enabled
Android Enterprise corporate device with a work profile.
CSPConfiguration Service Provider
The device-side interface MDM settings map to.
DDMDeclarative Device Management
Apple's modern desired-state protocol, incl. managed software updates.
DODelivery Optimization
Peer-to-peer caching that reduces update bandwidth.
EPMEndpoint Privilege Management
Intune Suite add-on for per-app elevation without local admin rights.
ESPEnrollment Status Page
Blocks device use until tracked apps/policies apply during Autopilot.
FOTAFirmware Over-The-Air
OEM firmware/OS updates for Android (e.g. Samsung, Zebra).
LAPSLocal Administrator Password Solution
Rotates/escrows the Windows local admin password to Entra or AD.
LOBLine-Of-Business
Custom in-house app deployed via Intune.
MAMMobile Application Management
App-level data protection (app protection policies), with or without enrollment.
MDEMicrosoft Defender for Endpoint
EDR that integrates with Intune to feed machine risk into compliance.
MDMMobile Device Management
The enrollment/management channel Intune uses for whole-device control.
NDESNetwork Device Enrollment Service
On-prem SCEP connector — replaced by Microsoft Cloud PKI.
OCTOffice Customization Tool
Generates Microsoft 365 Apps configuration XML.
ODTOffice Deployment Tool
Deploys/configures Microsoft 365 Apps from a config XML (Autopilot).
OOBEOut-Of-Box Experience
First-boot setup that Autopilot customizes.
PPKGProvisioning Package
Offline .ppkg built with Windows Configuration Designer.
RBACRole-Based Access Control
Intune roles scoped by scope tags and assignment groups.
SCEPSimple Certificate Enrollment Protocol
Certificate delivery method (NDES or Cloud PKI).
VPPVolume Purchase Program
Apps & Books licensing through Apple Business Manager.
WHfBWindows Hello for Business
Passwordless PIN/biometric bound to an asymmetric key.
WUfBWindows Update for Business
Cloud update control via update rings and feature/quality policies.
Cloud PKIMicrosoft Cloud PKI
Intune Suite cloud certificate authority replacing AD CS + NDES.
FilterAssignment filter
Includes/excludes devices by property at assignment time.
Scope tagRBAC scope tag
Limits which objects a role can see/manage.
Three ways to drill: quick practice, a single-domain drill, or a full mock exam — 50 questions weighted like the real exam, a 120-minute timer, flag-for-review, and a scored report with per-domain breakdown. Your best mock score feeds your readiness.
Decision Tools · Wizard
Which migration path into Intune?
Coming from Jamf, ConfigMgr, another MDM, or on-prem GPO — each migration into Intune has a different bridge. Answer a few questions and land on the right path and its first move.
Coming from ConfigMgr, Jamf, another MDM, or on-prem Group Policy, the right migration path into Intune depends on your current tooling and what you're managing. Answer four questions and you'll land on the correct bridge, your first real move, and a guide to follow.
Why migration paths diverge
There is no single "migrate to Intune" playbook because each source platform has a fundamentally different trust model. ConfigMgr and Intune share an Azure AD identity fabric, so co-management is a workload-by-workload handoff rather than a hard cut-over. Jamf's Apple Business Manager tie-in means supervised devices can re-enroll without a wipe — a huge operational difference from unmanaged hardware. Android Enterprise's architecture enforces one MDM per enrollment mode, so every Android migration involves unenrollment and a clean re-enroll. GPO has no MDM equivalent for roughly 25-35% of its settings, which is why Group Policy Analytics exists — it surfaces that gap before you commit. For a full picture of how these paths fit a broader cloud-first architecture, see the migrating to Intune architecture overview.
Decision Tools · Wizard
Which enrollment method?
Enrollment is the foundation — it decides your management ceiling for the life of the device. Answer three questions and land on the right method, with the guide to execute it.
Why enrollment is the decision that sticks
Every later choice — which restrictions apply, whether you can wipe selectively, how much the device trusts you — is bounded by how it enrolled. A BYOD phone enrolled with App Protection can never be force-restricted like a supervised corporate device, and a retail Mac outside ABM can never be made truly zero-touch after the fact without a wipe. Get this right first; the rest of the stack builds on it.
Decision Tools · Wizard
Which device identity and join model?
Entra joined, hybrid joined, or Entra registered — the identity foundation that decides what management you can even do. Answer a few questions and land on the right join type.
Device identity is the foundation of everything in Intune. The join type you pick determines which management channels are available, whether on-prem Group Policy still applies, and how much friction your users will feel on day one. Get this wrong and you're re-enrolling devices six months later. Answer four questions and this tool will land you on the right model — along with an honest warning if hybrid join is in your future.
Why join type is a foundation decision, not a detail
Every other Intune capability — Conditional Access enforcement, compliance policy targeting, Windows Hello for Business, Autopilot, co-management workload sliders — either requires or is constrained by the device's identity model. Entra Join is the cloud-native target for corporate Windows and enables the fastest evaluation of device state in Conditional Access. Hybrid Entra Join is a legitimate bridge for organizations with real on-prem AD dependencies, but it adds infrastructure (the Intune Connector for AD, DC line-of-sight requirements) and troubleshooting surface that you will eventually want to eliminate. Entra Registration is appropriate for BYOD on any platform and for non-Windows corporate devices, and pairs naturally with App Protection Policies to protect data without asserting control over the personal OS. See the full comparison at Entra Join and Hybrid →.
Decision Tools · Wizard
Which configuration surface?
Intune gives you several places to author the same setting — and picking the wrong one means a brittle profile, a setting that won't apply, or a conflict with another policy. There's a clear order of preference. Answer a few questions and land on where this setting actually belongs.
The order of preference, and why
There's a deliberate hierarchy here. Settings Catalog first — it's the modern, flat, searchable surface and Microsoft is steadily moving everything into it. Reach for a Template profile when the thing you're configuring is a whole scenario (VPN, Wi-Fi, certificates, email, kiosk, endpoint protection) that wires up interdependent values you shouldn't hand-assemble. Use Administrative Templates / imported ADMX for classic Group Policy settings that haven't made it into the catalog yet. And treat Custom (OMA-URI / .mobileconfig) as the genuine last resort — only when the setting exists in no friendlier surface at all.
The one rule that survives every surface: one home per setting. A given setting should be authored in exactly one profile. The fastest way to a "why won't this apply?" ticket is configuring the same value in a Catalog profile and a template (or a custom OMA-URI) at once — Intune reports a conflict and neither side wins cleanly. Pick the right surface, put the setting there, and don't set it anywhere else.
Decision Tools · Comparison
MDM vs MAM
Manage the whole device, or just protect the data inside the apps? The decision that defines your BYOD strategy.
MDM (Mobile Device Management) enrolls and manages the entire device — restrictions, configuration, compliance, the works. MAM (Mobile Application Management), delivered through App Protection Policies, protects company data inside managed apps without enrolling or controlling the device. The split usually falls on ownership: you manage what you own, you protect data on what you don't.
Criterion
MDM (device enrollment)
MAM (App Protection)
Enrollment required
Yes — device is enrolled and managed
No — works with or without enrollment
Scope of control
Whole device — OS settings, restrictions, Wi-Fi, certs, apps
Company data within managed apps only
Best fit
Corporate-owned devices
Personal / BYOD devices
Wipe scope
Full wipe or retire the whole device
Selective wipe — only company data in the app
User privacy
Lower — IT sees device inventory, location capabilities
High — IT never sees personal data or the device
Control ceiling
High — enforce passcode, encryption, OS version, threat level
Moderate — PIN, cut/copy/paste, save-as, jailbreak block per app
Conditional Access
Require compliant device
Require app protection policy
Setup effort
Higher — enrollment program, profiles, compliance
Lower — policy targets users, no device onboarding
Choose MDM when…
The device is corporate-owned
You need device-level restrictions (kiosk, Wi-Fi/VPN/cert profiles, OS-version enforcement)
Compliance must gate access via require compliant device
You're deploying shared, frontline, or single-purpose hardware
Choose MAM when…
The device is personal / BYOD and you can't (or shouldn't) take it over
You only need to protect company data in Outlook, Teams, Edge, Office
User privacy and low onboarding friction matter
Contractors or unmanaged devices need access to specific apps
The pragmatic answer for most fleets is both: MDM for corporate-owned devices, MAM for BYOD — and on enrolled corporate devices you can layer App Protection on top for defense in depth. Not sure which a given device needs? Run the enrollment wizard.
Decision Tools · Comparison
Entra Join vs Hybrid Join
Cloud-only Entra join or hybrid Entra join with on-prem AD — the Windows identity decision that shapes everything downstream.
Every Windows deployment in Intune starts with the same identity question: do these machines live purely in the cloud, or do they stay tethered to on-premises Active Directory? Entra join (formerly Azure AD join) cuts the cord entirely — the device authenticates to Entra ID alone. Hybrid Entra join stitches both worlds together, keeping a computer account in your on-prem AD while also registering in Entra ID. The choice ripples into provisioning, policy, SSO, and long-term operational burden. See Decide: Identity Architecture → for the broader identity decision framework.
Criterion
Entra Join (cloud-only)
Hybrid Entra Join
On-prem AD dependency
None. No domain controllers, no LDAP, no VPN required for enrollment or daily auth. Machines work identically in a coffee shop or a data center.
Hard requirement. Devices must be able to reach a domain controller during initial join and for Kerberos ticket renewal. Loss of DC connectivity degrades authentication for on-prem resources.
Provisioning flow
Windows Autopilot user-driven or pre-provisioned with zero touch from IT. OOBE completes fully in the cloud; no imaging infra needed.
More moving parts. Autopilot hybrid requires the Intune Connector for Active Directory installed on a domain-joined server, plus line-of-sight to a DC during the device ESP phase. Connectivity failures during OOBE leave machines in a broken state.
Group Policy (GPO) support
No GPO. Policy is delivered exclusively through Intune (Settings Catalog, ADMX ingestion, PowerShell scripts). ADMX-backed policies cover most GPO surface area, but some legacy settings have no cloud equivalent yet.
Full GPO. Devices process GPO from AD and Intune policy simultaneously. Useful as a bridge, but dual-policy management is a long-term maintenance burden and conflict source.
Complexity and failure points
Low. Single identity plane. No connector servers, no hybrid infrastructure to maintain. Troubleshooting is contained to Entra ID and Intune — both surfaced in the same admin center.
High. Requires healthy AD replication, a working Intune Connector, ADSI permissions on the OU, and DC reachability during Autopilot. Each layer is an independent failure domain with its own logs (ODJConnectorSvc, Entra hybrid join event logs, dsregcmd).
SSO to on-prem resources
Supported via PRT + SSSO, but Kerberos to classic file shares and on-prem apps requires either Entra Kerberos (for cloud-trusted tickets) or a VPN with traditional Kerberos. Works well for modern apps; needs extra config for legacy Kerberos consumers.
Native Kerberos SSO. Device holds a TGT from on-prem AD. Traditional file shares, print servers, and legacy intranet apps get seamless SSO without additional configuration — the main reason enterprises cling to hybrid join.
Future direction
Microsoft's stated direction. Entra join is the target state for cloud-native Windows. Entra Private Access, Entra Kerberos, and native LAPS in Intune all assume Entra-joined devices as the primary audience. Investment is accelerating.
Maintained, not grown. Microsoft supports hybrid join and has no announced deprecation, but new capabilities (passwordless, passkeys, device-bound credentials) land on Entra join first and sometimes hybrid join never.
Identity management (LAPS, conditional access)
Full Entra LAPS via Devices > Local admin password solution in Intune. Conditional Access device compliance is evaluated against Entra ID records directly — fastest, most reliable signal.
Entra LAPS works on hybrid-joined devices too, but you may also be running legacy LAPS for AD, creating dual credential stores. Compliance state in Conditional Access depends on the Entra record staying current — a sync lag between AD and Entra ID can cause transient access failures.
Recommended for new deployments
Yes — strongly. Any greenfield fleet or hardware refresh should target Entra join unless a specific blocker exists.
Only when forced. Hybrid join is a migration bridge or a concession to legacy infrastructure — not a destination architecture.
Choose Entra Join when…
You have no on-prem AD, or you are actively retiring it
Your devices are remote-first or globally distributed
You are deploying net-new hardware and want zero-touch Autopilot without connector servers
Your application portfolio is predominantly SaaS or modern-auth — Microsoft 365, Azure-hosted apps, SAML/OIDC intranet
You want the lowest operational complexity for your IT team
You are targeting passwordless authentication (Windows Hello for Business cloud trust or passkeys)
Choose Hybrid Entra Join when…
You have applications that require native Kerberos tickets and cannot be migrated to modern auth in the near term — classic file shares, legacy intranet, or SQL Integrated Security
Your organization has a hard GPO dependency that has no Intune Settings Catalog equivalent and rewriting those policies is not on the roadmap
You are mid-migration: existing machines are domain-joined and you need a stepping stone before a full Entra-join refresh
Regulatory or audit requirements mandate an on-prem computer account for every managed workstation
In practice, most mature Intune deployments run both in parallel during a transition: new hardware gets Entra-joined via Autopilot while existing domain-joined machines stay hybrid until they are replaced or re-imaged. The practical split is straightforward — use Entra join as your default for every device you touch going forward, and let hybrid join age out with the hardware. For the full step-by-step on standing up cloud-native Windows, see the Cloud-Native Windows Blueprint →. For a deep dive on the join types themselves, the Entra Join and Hybrid Join guide → covers dsregcmd /status output, Autopilot connector setup, and troubleshooting hybrid join failures end to end.
Decision Tools · Comparison
Settings Catalog vs Templates
Two ways to author device configuration — across Windows, iOS/iPadOS, macOS, and Android. One is the modern default; the other still owns a handful of scenarios you can't build anywhere else.
The Settings Catalog is a flat, searchable list of CSP-backed settings — you pick exactly what you want, named the way the CSP names it, and nothing else comes along. Classic Template profiles (Device restrictions, Endpoint protection, and the rest) are curated, grouped bundles Microsoft hand-built before the catalog existed. The catalog is where Microsoft is investing and where new work should start; templates linger because some scenarios — VPN, Wi-Fi, certificates, email — still only ship as a template. Most of this lives behind the Settings Catalog & CSPs surface.
Criterion
Settings Catalog
Template profiles
Setting coverage
Broadest — thousands of CSP settings, updated as new ones ship
Fixed set — only what the template author curated
Discoverability / search
Searchable — type the setting name and add it
Browse fixed categories; no cross-template search
Naming
CSP / ADMX names — maps straight to docs and reports
Friendly labels — easier to read, harder to trace to a CSP
Report granularity
Per-setting status in the configuration report
Coarser — per-profile, less per-setting detail
Scenario templates (VPN / Wi-Fi / cert / email)
Gaps — these aren't fully in the catalog yet
Only home — these scenarios still exist only as templates
Conflict behavior
Setting-level — two profiles touching one setting conflict cleanly
Profile-level overlap is easy to create by accident
Future direction
Where Microsoft is investing — new settings land here first
Maintenance mode — no new template categories coming
Learning curve
Steeper at first — you must know the setting you want
Gentler — grouped, labeled, discoverable by browsing
Choose the Settings Catalog when…
You're authoring new configuration — make it your default surface
You want per-setting reporting and clean conflict resolution
The setting maps to a known CSP and you can search for it by name
You're consolidating sprawl — one home per setting, no overlapping profiles
Choose a Template when…
The scenario only exists as a template — VPN, Wi-Fi, certificates, email profiles
You're maintaining an existing template profile that already works
You want a grouped, labeled starting point while you learn the CSP names
You need Endpoint protection / Device restrictions areas not yet mirrored in the catalog
The pragmatic rule: catalog-first, templates where you have no choice. Build all new baseline configuration in the Settings Catalog, and reach for a template only when the scenario — a VPN, a Wi-Fi network, a SCEP/PKCS certificate — simply isn't available anywhere else. Don't migrate working template profiles for the sake of it; do stop creating new ones. When in doubt, search the catalog first — if the setting is there, that's its home.
Decision Tools · Scorecard
Cloud-native endpoint readiness
Tick what is true in your tenant today and get a cloud-native readiness score plus the highest-impact gaps to close next.
"Cloud-native" is not a switch you flip - it is a posture you build up across identity, devices, and access. Tick what is genuinely true in your tenant today (not what is on the roadmap) and this scorecard returns a weighted readiness score, your strongest area, and the highest-impact gaps to close next. It saves to this browser, so you can revisit as you make progress.
Read the gaps, not just the number
The score is a conversation-starter; the gaps are the plan. They are ranked by weight, so the first item is the highest-leverage thing you can change. Cloud-native maturity is won at the identity layer first - an Entra-first estate with passwordless sign-in and compliance-gated access unlocks everything downstream. If you are stuck in the hybrid band, the fastest path up is almost always cutting an on-prem AD dependency, not adding another policy. Compare the join models to see what it takes to go cloud-only.
Decision Tools · Calculator
Licensing and seat cost estimator
Estimate monthly and annual cost for the Microsoft licensing that backs your Intune deployment, by seat count and SKU.
Plug in your seat count and SKU to get a ballpark monthly and annual cost for the Microsoft licensing that underpins your Intune deployment. Prices are US list rates as of mid-2025 and are illustrative only — your actual cost will depend on EA/CSP discounts, true-up timing, and any bundled agreements. Always confirm current pricing with your Microsoft licensing contact or the Microsoft pricing page before budgeting.
Select a base SKU, choose whether to add the Intune Suite add-on, enter your seat count, and read off the monthly and annual totals below.
How to interpret these numbers
The figures above reflect US list pricing only. Most organizations with more than a few hundred seats buy through an Enterprise Agreement (EA) or a Cloud Solution Provider (CSP), which typically yields 15–30% off list depending on volume and negotiated terms. The Intune Suite add-on (~$10/user/month list) unlocks Advanced Endpoint Analytics, Endpoint Privilege Management, Microsoft Tunnel for MAM, and the rest of the premium capabilities — see the Intune Suite overview for a full capability breakdown before deciding whether the add-on is justified for your environment. If you are evaluating which SKU to lead with, the Licensing and editions guide walks through what each tier actually includes so you can avoid over-purchasing M365 E5 when EMS E3 covers your real requirements.
Decision Tools · Calculator
Fleet rollout pace planner
How long to migrate or provision the fleet at a realistic daily pace — the planning number that sets expectations with the business.
Paste your fleet size and daily provisioning pace to see how long the rollout will take. Run the pilot batch first — the numbers below assume you have already validated your build in pilot before scaling. Daily capacity is the only lever that moves the timeline; if the week count lands in the red, raise perDay before committing to a business deadline.
Why capacity is the only real lever
Calendar duration is a direct function of two numbers: fleet size (fixed) and daily throughput (variable). Pilot percentage affects the first wave only — running a 10% pilot on 500 devices costs 50 device-days before broad rollout begins. Once the pilot validates your Autopilot or co-management build, the broad rollout pace is entirely a staffing and logistics problem. Adding provisioning stations, technician shifts, or region-parallel waves are the only moves that compress the calendar. See the migration architecture guide for wave planning patterns and the go-live checklist for the gates to clear before each wave starts.
Decision Tools · Matrix
Enrollment method capability matrix
Filter by platform to compare what every enrollment path actually gives you — supervision, affinity, zero-touch, wipe scope, and BYOD fit.
Every enrollment path lands you at a different management ceiling - and the differences are easy to forget when you are deep in one platform. Filter by platform and read across: which methods give you supervision and full control, which respect BYOD privacy with a selective wipe, and which support true zero-touch. The right enrollment method is the one whose row matches the device's ownership and job.
Match the row to the device's job
Read this matrix as a fit test, not a ranking. A frontline scanner wants the supervised, zero-touch, no-affinity rows; a personal phone wants the selective-wipe, BYOD-friendly rows and nothing more. The mistake that costs a re-enrollment is reaching for supervision on a personal device, or settling for a BYOD method on hardware you actually own. When you are unsure which row a given device belongs in, the enrollment wizard walks you there in three questions.
Decision Tools · Matrix
Platform capability matrix
Filter by capability area to see which management features exist on iOS, Android, Windows, and macOS — and where the real platform gaps are.
Every Intune platform looks similar in the console until you need a capability that only exists on one of them. This matrix cuts through the marketing and shows exactly what you can and cannot do on iOS, Android, Windows, and macOS — filtered by capability area so you can spot gaps before your design is locked in.
Cell values: ✓ = fully supported, partial = supported with constraints (see row notes), — = not available. Honest about the gaps.
Why platform gaps bite you late
Most Intune designs start with a policy and assume all platforms will comply. The gaps in this matrix — MAM on macOS, DFCI on Windows only, true multi-user on iOS only, disk encryption key escrow absent on iOS — tend to surface in UAT or, worse, in a security audit. Use this matrix early in your design phase to identify which requirements need platform-specific workarounds and which simply cannot be met without changing the device type. The Compliance policies guide and the Conditional Access guide are the natural next stops once you know which platforms you're committing to.
"Partial" cells are not failures — they are engineering decisions. Shared iPad is a real solution for shared iOS workflows; Shared PC mode is solid for Windows frontline workers. Know what partial means for each row before you write the requirement.
Decision Tools · Wizard
Which Apple enrollment path?
Apple has more enrollment paths than any other platform — ADE, account-driven user and device enrollment, web, and Configurator. Answer a few questions and land on the right one for iPhone, iPad, or Mac.
Apple has more enrollment paths than any other platform — ADE, Account-Driven User Enrollment, Account-Driven Device Enrollment, web-based enrollment, and Apple Configurator. The right one hinges on device type, ownership model, whether you're in Apple Business Manager (or Apple School Manager), and whether you need full supervision. Answer five questions to land on the path that matches your environment.
Why Apple enrollment is more complex than Windows
Apple's enrollment model is trust-layered: supervision state determines what MDM can control, ABM membership determines how that supervision is established, and ownership model determines what privacy guarantees apply. ADE via ABM is the only remote path to supervision — without it, you're always unsupervised and the user can theoretically remove the MDM profile. Account-Driven User Enrollment is Apple's architectural answer to BYOD privacy regulation; it deliberately withholds hardware identifiers from the MDM server by design, not by policy. Understanding these layers before you deploy saves you from re-enrolling a fleet later.
Work profile, fully managed, COPE, dedicated, or AOSP — the Android mode you pick at enrollment defines the whole device experience. Answer a few questions and land on the right mode.
Android Enterprise gives you five distinct management modes, and the one you pick at enrollment is largely permanent — re-enrolling to change mode is disruptive and often avoided. The questions below walk you through the two decisions that actually drive the choice: who owns the device and what it will be used for.
This wizard covers Personally-Owned Work Profile (BYOD), Fully Managed / COBO, Corporate-Owned Work Profile (COPE), Dedicated (COSU / kiosk / frontline), and AOSP for devices without Google Mobile Services. Around 2–4 questions depending on your path.
Why the mode decision is permanent
Android Enterprise encodes the management mode into the device’s DPC (Device Policy Controller) binding set at factory reset and first boot. Switching from, say, Fully Managed to COPE requires a full factory reset and re-enrollment — a process users notice and operations teams dread. Getting the mode right before rollout is worth the 10-minute planning conversation. If your fleet is mixed (some BYOD, some corporate kiosk), you’ll run parallel enrollment profiles and separate Intune device groups per mode. See the Android management mode overview for the full capability comparison across all five modes.
One common first-timer mistake: treating COPE like a stricter BYOD. COPE requires corporate procurement and a corporate-owned enrollment profile — you cannot convert a BYOD work-profile device to COPE without wiping it. If your pilot group is employees’ own phones, Personally-Owned Work Profile is your only supported option regardless of how locked-down you configure it.
Decision Tools · Comparison
ADE vs Account-Driven Enrollment
Automated Device Enrollment for corporate Apple hardware, or account-driven enrollment for BYOD — the Apple corporate-vs-personal split.
Apple gives admins two fundamentally different enrollment paths. Automated Device Enrollment (ADE) — formerly DEP — is built for corporate-owned hardware purchased through Apple Business Manager or Apple School Manager. Account-Driven User Enrollment is the modern BYOD story: the employee signs in with their Managed Apple ID and only the work partition is ever visible to Intune. Getting the choice wrong costs you either over-reach on employee devices or under-control on company assets. See the full picture in the Apple Enrollment Method Picker.
Criterion
ADE (Corporate)
Account-Driven Enrollment (BYOD)
Supervision
Full supervision — unlocked automatically at first boot; required for ~180 MDM commands including per-app VPN, software update enforcement, and lost mode.
Unsupervised — the managed partition is controlled, but the device is never supervised. Supervision-only restrictions simply don't apply.
ABM / ASM requirement
Required — device serial must be assigned to your ABM/ASM tenant and then synced to Intune before enrollment. Ghost hardware or personal purchases cannot use ADE.
Not required — any personally owned iPhone or iPad running iOS 15+ (or macOS 13+ for ADME) can enroll via the Settings app Managed Apple ID flow.
User privacy and data separation
Limited — Intune has visibility into the full device inventory, installed apps, and can wipe everything. Employees cannot be told the device is private.
Strong — iOS creates a cryptographically separate managed data volume. Personal apps, photos, and iCloud data are invisible to Intune by design; Apple enforces the boundary in the OS.
MDM restriction ceiling
Maximum — supervision unlocks every restriction key, including disabling App Store, USB accessories, AirDrop, and screen capture. Policy enforcement is immediate.
Reduced — only restrictions affecting work data apply. You cannot disable the App Store for personal apps, enforce screen time, or push global Wi-Fi profiles that cover personal traffic.
App deployment
Forced install supported — required apps deploy silently in Setup Assistant; VPP apps install without user prompt. No Apple ID required on the device if purchased through ABM Volume Purchase.
User consent required — work apps install into the managed partition but the employee must approve each install. Personal Apple ID remains separate; Managed Apple ID handles work purchases.
Wipe scope
Full device wipe — Retire or Wipe in Intune nukes the entire device back to factory state, including all personal data. This is appropriate (and expected) for corporate assets.
Selective wipe only — Retire removes only the managed partition and work data; personal photos, accounts, and apps are untouched. Employees trust this before enrolling.
Certificate and VPN scope
Device-wide — SCEP/PKCS certs and VPN profiles apply globally. Per-app VPN requires supervision (available here). Works for all corporate traffic regardless of app.
Work partition only — certificates and VPN profiles are scoped to managed apps. Personal browsing, personal FaceTime, and third-party personal apps never tunnel through corporate VPN.
Enrollment user experience
IT-controlled — Setup Assistant steps are skipped or shown per policy; zero-touch with Await Final Configuration. But the employee gets a locked-down corporate device from first boot, with no opt-out.
Employee-initiated — user goes to Settings → General → VPN & Device Management → Sign in with work or school, authenticates with Managed Apple ID. Clear opt-in; suits BYOD programs with a stipend model.
Choose ADE when…
The device is corporate-owned and purchased through ABM or ASM.
You need full supervision — software update enforcement, lost mode, per-app VPN, or any restriction that requires supervised mode.
Silent, zero-touch provisioning is a business requirement (kiosk, shared device, frontline worker).
You must guarantee a factory wipe on offboarding with no data residue.
The device will never hold personal data — it is purely a work tool.
Choose Account-Driven Enrollment when…
The device is employee-owned (BYOD) and you have a stipend or bring-your-own program.
Privacy regulations or HR policy prohibit full device visibility on personal hardware.
You only need to protect work data (email, Teams, managed apps) — not lock down the whole device.
Selective wipe on offboarding is the legally correct and politically defensible choice.
Your Managed Apple IDs are federated through Apple Business Manager to Azure AD / Entra ID.
Many enterprise environments run both in parallel: ADE for every device the company purchases, Account-Driven Enrollment for the BYOD pool. The natural split is ownership, not platform — an iPhone can be either depending on who bought it. Configure ADE in Devices → Enrollment → Apple → ADE Tokens and account-driven profiles in Devices → Enrollment → Apple → Enrollment Types. For a step-by-step path, start with the Apple Enrollment Method Picker, then follow the dedicated walkthroughs for Automated Device Enrollment or Account-Driven User Enrollment.
Decision Tools · Comparison
Autopilot vs Autopilot Device Preparation
Classic hardware-hash Autopilot or the newer group-based Device Preparation — Microsoft’s two provisioning models, compared honestly.
Windows Autopilot (classic) and Autopilot Device Preparation (ADP) are both zero-touch provisioning paths, but they solve the enrollment problem differently. Classic Autopilot ties provisioning to a hardware hash registered before deployment; Device Preparation skips that step entirely and uses dynamic Azure AD group membership to drive policy. Neither is strictly "better" — the right call depends on your identity architecture, your registration workflow, and how much tolerance you have for a newer, evolving feature. If you are still deciding which enrollment model to use, start with Autopilot User-Driven Mode.
Criterion
Classic Autopilot
Autopilot Device Preparation (ADP)
Hardware hash required
Yes — every device must be registered via hash before it leaves staging or a 4K hash CSV from the OEM/reseller.
No — no hardware hash, no pre-registration step at all.
Who registers devices
OEM, reseller (via MPC/CSP partner), or IT using Get-WindowsAutoPilotInfo and the Devices > Enrollment > Windows > Autopilot Devices blade. Registration can take up to 24 hours to propagate.
No registration. The device authenticates with Entra ID during OOBE; group membership is assigned at that point. IT only manages the Device Preparation policy and its assignment.
Targeting / assignment model
Autopilot profiles are assigned to dynamic or static device groups built from hardware attributes (order ID, purchase order, group tag). Fine-grained, but depends on clean registration data.
Policy is assigned to a security group. Any Entra ID-joined device that authenticates gets the policy — no registration dependency.
Provisioning speed and reliability
Reliable in steady state, but first-boot provisioning must resolve all Autopilot profile assignments and ESP phases. ESP tracking is granular but can stall on app or policy failures.
Designed to be faster end-to-end. ADP limits pre-provisioning to 10 required apps (enforced) and pushes remaining config post-OOBE, reducing blocking time on the setup screen.
Hybrid Azure AD join support
Supported — Autopilot for Hybrid Azure AD Join routes the device through an on-premises DC, requires the Intune Connector for Active Directory, and is a documented, production-supported path.
Not supported — ADP requires cloud-native (Entra ID join only). If you have an on-premises AD dependency, ADP is not an option today.
Self-Deploying / pre-provisioning (White Glove)
Both self-deploying mode (kiosk, shared) and White Glove pre-provisioning are supported and GA.
Self-deploying and White Glove are not available in ADP. ADP is user-driven only.
Feature maturity and supportability
GA since 2018. Extensive field history, large community knowledge base, full Microsoft support documentation, and broad ISV/OEM ecosystem alignment.
GA as of 2024, but still accumulating field history. Some behaviors are still evolving. Track the What's new in Intune feed actively if you deploy ADP at scale.
Troubleshooting experience
Rich tooling: MDMDiagReport, Autopilot event logs (Microsoft-Windows-ModernDeployment-Diagnostics-Provider), ESP per-phase status in Intune, and the Autopilot Deployment report under Devices > Monitor > Autopilot deployments.
Diagnostic parity is improving. Device Preparation deployments surface in Devices > Monitor > Device Preparation deployments, but log detail and community tooling is thinner than classic Autopilot today.
Choose Classic Autopilot when…
You have an on-premises Active Directory and need Hybrid Azure AD Join.
You need self-deploying mode for kiosks, shared PCs, or user-less deployments.
You rely on White Glove pre-provisioning to stage devices before user delivery.
Your OEM or reseller already injects hashes at the factory via MPC — registration is free.
Your support team depends on mature MDMDiag tooling and the existing Autopilot log corpus.
You need a feature that ADP simply does not support today (device grouping by hardware attribute, pre-assigned user, etc.).
Choose Autopilot Device Preparation when…
Your environment is fully cloud-native — Entra ID join only, no on-premises AD dependency.
You want to eliminate the hardware hash registration step and its 24-hour propagation window.
You are issuing devices directly from OEM to employee and have no staging facility.
You want a shorter blocking provisioning window — ADP's cap of 10 required apps keeps OOBE time predictable.
You are building a greenfield tenant and can adopt the newer model without migration debt.
You are comfortable running a feature that is still maturing and can absorb occasional behavior changes.
Many organizations end up running both in parallel: classic Autopilot for the hybrid-joined or kiosk fleet, ADP for the cloud-native employee fleet. That split is a legitimate long-term architecture, not a stopgap. Before committing either path to production, walk through the full registration and policy requirements in Register Devices for Autopilot, then validate your Device Preparation policy against Autopilot Device Preparation setup.
Decision Tools · Comparison
COPE vs Fully Managed
Two corporate-owned Android modes: Corporate-Owned Work Profile keeps a private personal space; Fully Managed takes the whole device. The split is personal-use policy.
Android Enterprise gives you two corporate-owned tracks that look similar on paper — both enroll through zero-touch or QR code, both land in Devices › Android › Android devices, both support app deployment and compliance policy. The split is one question: does the employee get any personal space on the device? COPE (Corporate-Owned Work Profile) carves out a managed work profile alongside a personal side the user controls. Fully Managed takes the whole device under IT's thumb — no personal profile, no side door. Get this choice wrong and you'll either blow up your enrollment redesign or trigger a union grievance over privacy. See also: Choose Your Android Mode →
Criterion
COPE — Corporate-Owned Work Profile
Fully Managed (COBO)
Personal space for the user
Yes — a separate personal profile that the user manages; IT cannot see, wipe, or restrict apps on the personal side.
No personal profile. The entire device is the work profile. Users cannot install personal apps unless IT explicitly allows it via Managed Google Play.
IT visibility into personal activity
None by design. Intune cannot inventory personal-side apps or see personal browsing. This is a privacy guarantee, not a configuration choice.
Full device scope, but IT still cannot read message content. IT can see all installed apps, device hardware state, and enforce any restriction policy.
Restriction scope
Restrictions apply only inside the work profile. Personal-side camera, browser, and app stores remain under user control unless the device-wide policy is explicitly scoped (e.g., screen timeout, encryption).
Whole-device restrictions. Disable the camera globally, block USB, enforce a specific launcher, lock to kiosk mode — all available in Configuration profiles › Device restrictions (Android Enterprise › Fully managed).
Typical user population
Knowledge workers, hybrid employees, anyone who also uses the device for personal calls or apps. Think sales reps, corporate professionals, executives who want one phone.
Dedicated / task-worker scenarios: warehouse scanners, frontline kiosk devices, shared shift phones. Also strong for high-security environments where personal use is prohibited by policy.
Kiosk / single-app lockdown
Not supported. The personal profile prevents true kiosk lockdown — users can always exit to the personal side. Use Fully Managed Dedicated (COSU) for kiosk.
Supported. Configure Device restrictions › Dedicated device › Kiosk mode to lock to a single app or a curated multi-app launcher.
App deployment surface
Managed Google Play apps push into the work profile. Personal-side app installs are user-controlled. You cannot push a personal-side app — nor should you.
Full device app control. Every app on the device comes from Managed Google Play or your approved corporate store. No sideloading without explicit IT permission.
Enrollment method support
Zero-touch, QR code, NFC bump. Requires Android 8.0+. Device must be factory reset and enrolled as corporate-owned — COPE is not the same as a BYOD work profile.
Zero-touch, QR code, NFC bump. Also factory-reset enrollment. Same OS floor (8.0+). Dedicated device sub-mode requires Android 6.0+ but realistically target 9.0+ for stability.
Selective vs full wipe
Selective wipe removes the work profile and all its data; the personal profile and personal data survive intact. Full wipe resets the whole device.
Selective wipe = full wipe in practice — there is no personal partition to preserve. Retire in Intune removes management but leaves device data; Wipe factory-resets.
Choose COPE when…
Employees will use the device for personal calls, texts, or apps — and your privacy policy or legal team requires that IT cannot see that activity.
The role is a knowledge worker or hybrid professional who needs one corporate-issued phone for everything.
You want to avoid a "two phone" culture while still maintaining a strong work-profile security posture.
Your HR or legal team has flagged that monitoring personal device use creates liability.
Choose Fully Managed when…
The device is shared, a kiosk, or a dedicated task device (scanner, POS terminal, frontline shift phone).
Security policy explicitly prohibits personal use — regulated industries (financial, government, healthcare) where personal apps are a data-loss vector.
You need whole-device restrictions: lock down the camera globally, enforce a specific launcher, or run in single-app kiosk mode.
The device never leaves the building, or leaving it does is a security incident in itself.
In most enterprise deployments you'll run both modes in parallel — COPE for the knowledge-worker population, Fully Managed (often Dedicated sub-mode) for frontline and kiosk hardware. Scope each with its own compliance policy and conditional access so the right restrictions land on the right devices automatically. See Personal Work Profile vs Fully Managed if you're also weighing BYOD, and revisit Choose Your Android Mode to confirm the full decision tree before you commit your enrollment profiles.
Decision Tools · Comparison
Work Profile vs Fully Managed
Two Android Enterprise modes that look similar in the console and behave nothing alike on the device. The split is ownership.
Personally-owned work profile is the BYOD container: Android carves a managed work area onto a user's personal phone, and IT manages only what's inside it. Fully managed (corporate-owned, COBO) takes the whole device — every app, every restriction, no personal side at all. The decision is almost always about who owns the hardware. Start from choosing a management mode if you're not sure which scenarios you're even solving for.
Criterion
Work profile (BYOD)
Fully managed (COBO)
Ownership
Personal device — user owns the hardware
Corporate device — the org owns it
Scope of control
Work container only — personal side is untouched
Whole device — every app and setting
Personal-data privacy
High — IT can't see or touch personal apps or data
User-driven from the personal device via Company Portal
Provisioned at setup — QR / NFC / zero-touch / token
Choose Work Profile when…
The phone is employee-owned and you can't take the whole device
Personal-data privacy is a hard requirement
You only need work apps and a managed container, not device-wide control
You want a selective wipe that leaves the user's personal side intact
Choose Fully Managed when…
The device is corporate-owned and there is no personal use
You need device-wide restrictions, hardware control, or kiosk lockdown
You're deploying frontline, shared, or single-purpose Android hardware
A full wipe on offboarding is acceptable — and expected
The pragmatic answer maps to ownership: protect what you don't own, control what you do. Work profile for BYOD, fully managed for issued corporate devices. There's also a middle ground — corporate-owned work profile (COPE) — a corporate device that still carves out a private work profile, giving the user a personal side on hardware the org owns. And on personal devices where even a work profile is too much, you can drop to App Protection Policies (MAM) and protect data inside the apps without enrolling the device at all.
Decision Tools · Scorecard
Apple Business Manager onboarding readiness
Before you turn on Apple management, check you have every ABM and connector prerequisite in place — missing one strands your whole Apple rollout.
Apple Business Manager is the foundation for every supervised iOS and macOS deployment. This scorecard walks through the four prerequisite areas — ABM org setup, Intune connectors, device and app assignments, and operational hygiene — so you can spot gaps before they strand your rollout. Tick every item that is true today, not what you plan to finish next week.
Why every item on this list is a hard dependency
ABM onboarding fails in a predictable order: orgs skip D-U-N-S verification and discover weeks later their account is still pending; a single APNs certificate lives under one departing employee's Apple ID and the cert can't be renewed without it; devices ship before the ABM enrollment token is uploaded to Intune, so ADE never triggers. This scorecard forces those dependencies to the surface before the first device is unboxed. The APNs push certificate and the ABM token are the two non-negotiable blockers — everything else in the list adds resilience and operational safety.
Federation with Entra ID (Managed Apple Accounts) is weighted highly because it eliminates the consumer-Apple-ID problem at scale: users get a corporate-owned Apple identity that IT can reset, and App Store sign-in no longer competes with personal iCloud. If your org defers federation, revisit it before you exceed roughly 50 devices — retrofitting it later requires re-enrollment. See the ABM setup guide for the federation step-by-step.
Decision Tools · Scorecard
Autopilot readiness scorecard
Check the tenant and process prerequisites before you hand Autopilot to the business — the missing items are exactly what makes first pilots fail.
Before you hand Windows Autopilot to the business, the prerequisites have to be airtight — a missing MDM scope or a bloated ESP block list will crater your first pilot and shake stakeholder confidence for months. Tick everything that is genuinely true in your tenant today. The score tells you whether you're ready to cut a pilot group loose or whether you should fix foundations first.
Weights reflect real-world impact: a 3 means the deployment fails without it, a 2 means it degrades badly, a 1 is hygiene that matters at scale.
Why these prerequisites matter
Autopilot depends on a chain of services — Entra ID automatic enrollment, Intune device registration, ESP app delivery, and CA policy — and each link has to be healthy before the device reaches the end user. The items weighted 3 are binary: skip automatic MDM enrollment and the device never checks in; skip hardware hash registration and the Autopilot profile never applies. The 2-weight items (ESP timeout, BitLocker escrow, break-glass CA exclusions) are the ones that create outage-level incidents when discovered in production rather than in a pilot. The ESP configuration guide covers the most common pilot-killing mistakes in detail.
The Security & rollback group is frequently skipped by teams in a hurry — don't. A compliance policy that blocks access the moment enrollment completes (before the pilot is validated) can lock out the entire pilot cohort simultaneously. Define your pilot ring, start compliance in report-only, and you give yourself a safe abort path. Once the pilot is clean, tighten enforcement ring by ring.
Decision Tools · Matrix
Android management mode matrix
Compare Android Enterprise modes side by side — ownership, personal space, control scope, and the use case each one fits.
Android Enterprise offers five distinct management modes — each built for a different ownership model and control scope. Pick the wrong one and you'll either over-restrict personal devices or under-control corporate hardware. Use the filter to narrow by ownership, then read across the columns to confirm the mode fits your use case before you build out the enrollment profile in Intune > Devices > Android > Android enrollment.
Choosing the right mode matters more than any single policy setting
Each mode draws a hard boundary around what Intune can and cannot touch. Work profile is the only mode that legally and technically separates corporate data from personal apps — Intune never sees the personal side. COPE extends that same work profile container to corporate-owned hardware, but IT retains full device control outside the personal space (blocking the camera device-wide, for example). Fully managed COBO eliminates the personal space entirely, making it the right call for shared task-worker phones or high-compliance roles. Dedicated COSU locks the device to one or a few apps — ideal for kiosks, digital signage, and scan guns — but has no concept of a named user. AOSP breaks the dependency on Google Mobile Services entirely, which matters for restricted government networks or ruggedized hardware that ships without GMS. See the Android enrollment types guide for full Intune console walkthroughs of each path.
Decision Tools · Blueprint
Corporate Windows knowledge worker
A complete, ordered starter stack: from a boxed laptop to a hardened, compliant, app-ready Windows device — every component linked to the guide that builds it.
🪟 The stack
Platform: Windows 11 · Ownership: Corporate · Identity: Entra join · Effort: ~1 day to pilot
Register devices to Autopilot & deploy a user-driven profile
Get hardware hashes into Autopilot (OEM, reseller, or manual import) and create a user-driven deployment profile with an Enrollment Status Page that blocks until critical apps land. Autopilot user-driven →
Set the configuration baseline with the Settings Catalog
Author your org's device configuration in the Settings Catalog — the modern CSP-backed surface. Keep one home per setting. Settings Catalog & CSPs →
Apply the Microsoft security baseline
Deploy the Security Baseline for Windows 10 and later in audit-mindset first, then ring it out. This is your hardening floor. Security baselines →
A compliance policy (encryption, Secure Boot, threat level, min OS) makes the posture real; Conditional Access then requires a compliant device for corporate resources. Windows compliance policies →
Manage updates with Update rings
Pilot and broad Windows Update for Business rings with deferrals and deadlines — controlled patching, not surprise reboots. Update for Business →
Ship the app set
Microsoft 365 Apps, Edge, and the Company Portal as required; Win32 packaging for everything else with proper detection and requirement rules. Win32 app packaging →
What this gets you
Zero-touch provisioning — ship the laptop straight to the user
A hardened, audited, compliant baseline from day one
Conditional Access that trusts the device because it's actually compliant
Controlled patching and a clean app catalog
Common first-timer traps
Assigning the security baseline and a Catalog profile to the same setting → conflict
An ESP that blocks on an app that never installs → stuck OOBE
Skating past the pilot ring straight to the whole fleet
Compliance policy with no Conditional Access — posture set but never enforced
Want to practice this end-to-end with zero risk? Build the whole stack in the Intune Simulator first.
Decision Tools · Blueprint
Corporate Mac knowledge worker
A complete, ordered starter stack for company-owned Macs: from ABM zero-touch to an encrypted, SSO-enabled, compliant Mac — every component linked to the guide that builds it.
💻 The stack
Platform: macOS · Ownership: Corporate · Enrollment: ADE (supervised) · Effort: ~1 day to pilot
Enroll zero-touch with Automated Device Enrollment
Tie the Mac to your tenant through Apple Business Manager and an ADE profile, so it enrolls supervised straight out of Setup Assistant — no hands on the device. ADE for macOS →
Encrypt the disk with FileVault and escrow the key
Enforce FileVault and escrow the personal recovery key to Intune so an encrypted Mac is never an unrecoverable Mac. FileVault with escrow →
Give users seamless identity with Platform SSO
Platform SSO ties the local account to Entra ID, so a single sign-in unlocks the Mac and the cloud — the modern Mac identity story. Platform SSO →
Set the hardening baseline (CIS / mSCP)
Microsoft ships no Mac security baseline — generate an auditable one from the CIS Apple macOS Benchmark via the macOS Security Compliance Project and deploy it as profiles + scripts. CIS Benchmarks & mSCP →
Turn on the security stack
Confirm Gatekeeper/XProtect posture and layer endpoint security (Microsoft Defender or your EDR) on top of the baseline. Endpoint security for Mac →
Define compliance and gate access
A compliance policy (FileVault on, OS floor, Gatekeeper, jailbreak-free) makes the posture real; Conditional Access then requires a compliant Mac for corporate resources. Mac compliance policies → · Conditional Access →
Manage updates with DDM
Declarative software-update policies enforce a target macOS version by a deadline, with the OS handling the nag — controlled patching, not pestering. DDM software updates →
Ship the app set
Microsoft 365 and first-party apps as required; everything else through the Installomator pattern for clean, repeatable DMG/PKG delivery. Installomator cookbook →
What this gets you
Zero-touch ADE provisioning — ship the Mac straight to the user
Encrypted disks with escrowed recovery keys
Single Entra identity for device and cloud via Platform SSO
An auditable CIS/mSCP baseline and compliance-gated access
Common first-timer traps
Forgetting the bootstrap token — deep operations (DDM, some account flows) silently fail
Expecting a Microsoft "Mac security baseline" — there isn't one; CIS + mSCP is the path
FileVault enforced but the recovery key not escrowed → unrecoverable Macs
Compliance policy with no Conditional Access — posture set but never enforced
Want to practice this end-to-end with zero risk? Build the whole stack in the Intune Simulator first.
Decision Tools · Blueprint
BYOD iPhone with App Protection
A complete, ordered starter stack for personal iPhones touching corporate data: protect the data inside the apps, not the whole device — every component linked to the guide that builds it.
📱 The stack
Platform: iOS/iPadOS · Ownership: Personal · Identity: Entra · Effort: ~half a day to pilot
Pick your enrollment posture: light enrollment or enrollment-free
Either enroll the device with Account-Driven User Enrollment for a managed APFS data volume and per-app management, or stay enrollment-free and let App Protection do all the work on unenrolled devices. For BYOD, enrollment-free MAM is the lower-friction default; reach for AdUE only when you need managed app config or a managed identity on the device. Account-Driven User Enrollment →
Create an App Protection Policy for iOS
This is the heart of BYOD. Require a PIN (or biometric) to open managed apps, enforce app-level encryption, and clamp the data exits: block save-as to personal locations, restrict cut/copy/paste to managed apps, and disable backup of org data. The container is what you wipe — never the personal device. App Protection Policies →
Layer App Configuration onto the managed apps
Where applicable, push App Configuration to Outlook and other managed apps to pre-set the account, block adding personal accounts to the managed app, and steer links and attachments back into the managed set. Configuration plus protection is what makes the experience feel intentional rather than punitive. App Protection & configuration →
Gate access with Conditional Access requiring app protection
Build a Conditional Access policy that requires an approved client app with an App Protection Policy for the mobile platform — not a compliant device. This is the lever that makes the whole thing real: corporate mail and files only open inside the protected, policy-bound apps. Conditional Access →
Deploy the managed app set
Make Outlook, Teams, and Edge available through the Company Portal as the sanctioned way in. These are the apps your App Protection and App Configuration target, so users land in the protected experience by simply installing what you offer. Managed app set →
Send the user comms before you flip Conditional Access
Tell users exactly what changes: which apps to install, that personal data and the rest of the phone stay untouched, and what "company access removed" means if they leave. Clear comms is the difference between a quiet rollout and a helpdesk queue. Conditional Access rollout →
What this gets you
Corporate data protected inside the apps with zero device enrollment required
A selective wipe that removes org data and leaves the personal phone alone
Conditional Access that admits only approved, policy-protected apps
A low-friction BYOD experience users will actually accept
Common first-timer traps
Requiring a compliant device in Conditional Access — wrong for BYOD; require an app protection policy instead
Over-restricting a personal device until users route around you with personal apps
Forgetting to set a minimum OS version, so old, unpatched phones sail through
Shipping the App Protection Policy without a matching Conditional Access policy — protection set but never enforced
Want to practice this end-to-end with zero risk? Build the whole stack in the Intune Simulator first.
Decision Tools · Blueprint
BYOD Android work profile
A complete, ordered starter stack for personal Android phones touching corporate data — a cryptographically separated work profile, every component linked to the guide that builds it.
Before you can enroll a single Android device, your tenant needs an enterprise binding to Google. In the Intune admin center go to Devices → Android → Android enrollment → Managed Google Play, click I agree, then Launch Google to connect now and sign in with a dedicated Google account (not a personal Gmail — use a service account or a non-user mailbox). The binding takes 2–5 minutes to propagate. You must do this before app assignments or work-profile enrollment will function. Android enrollment guide →
Create and scope a Work Profile enrollment profile
Go to Devices → Android → Android enrollment → Personally-owned work profile and confirm the toggle is set to Allow. No explicit profile object is required for work-profile — Android Enterprise work-profile enrollment is available by default once Managed Google Play is connected, but you should create an Enrollment Restriction that limits Android enrollment to work-profile (BYOD) and blocks device administrator enrollment. Under Devices → Enrollment restrictions create a new Android restriction, allow Personally-owned Work Profile, and block Android device administrator. Scope it to your BYOD user group so corporate-owned flows use a separate restriction. Work-profile enrollment guide →
Assign Managed Google Play apps to the work profile
Go to Apps → Android and add each app via Managed Google Play app type. Approve the apps in the Managed Google Play iFrame, then sync and assign to your BYOD group as Required (for IT-mandated tools like Authenticator or Company Portal) or Available for enrolled devices (for optional productivity apps). Apps appear only inside the work profile badge — personal-side apps are invisible to Intune. Add Microsoft Authenticator, Outlook, Teams, and Edge as a baseline required set; add Intune Company Portal as Required so users can access compliance status. App protection policies guide →
Apply App Configuration policies to managed apps
For each managed app that supports it (Outlook, Edge, Teams), create an App Configuration Policy under Apps → App configuration policies → Add → Managed devices. Target the policy at the same BYOD group. Key configs for Outlook: set com.microsoft.outlook.EmailProfile.AccountType to ModernAuth and pre-populate EmailAddress with the UPN device attribute — this removes the manual sign-in prompt. For Edge, push com.microsoft.intune.mam.managedbrowser.bookmarks with intranet links. App config reduces user setup friction and enforces baseline behavior without MDM-level control over the personal side. App configuration guide →
Layer App Protection Policies (MAM) on managed apps
App Protection Policies (APP) are the second enforcement layer: they control copy/paste, screen capture, PIN, and data-transfer rules at the app level regardless of device enrollment state. Under Apps → App protection policies → Create policy → Android, target your managed apps (Outlook, Teams, Edge, OneDrive) and your BYOD group. Set Send org data to other apps to Policy managed apps only, Receive data from other apps to Policy managed apps only, require PIN after 5 minutes, and enable Encrypt org data. For BYOD work-profile devices, APP and MDM policy stack — APP controls data movement while MDM compliance controls device access. App protection policies guide →
Set cross-profile restrictions in the device configuration profile
Go to Devices → Configuration → Create → Android Enterprise → Fully Managed, Dedicated, and Corporate-Owned Work Profile — wait, for BYOD the correct template is Personally-owned work profile restrictions. Create a Device restrictions profile targeting Android Enterprise → Personally-owned work profile. Key settings: disable Copy and paste between work and personal profiles, disable Work profile notifications while device is locked, block Add and remove accounts within the work profile, and disable Screen capture. Leave contact sharing and Bluetooth off unless your org has a business need — these settings reduce data leakage across the cryptographic boundary Google maintains between profiles. Assign to your BYOD group. Baseline configuration guide →
Build a compliance policy and wire it to Conditional Access
Under Devices → Compliance → Create policy → Android Enterprise → Personally-owned work profile, require: minimum OS version (Android 10+ recommended), Require the device to be at or under the machine risk score set to Low if you have Defender for Endpoint integrated, Require app protection policy enabled, and Require device to have no threats. Set the noncompliance grace period to 3 days for initial rollout. Then in Microsoft Entra ID → Security → Conditional Access, create a policy targeting your BYOD group and corporate apps (Exchange Online, SharePoint, Teams), and under Grant select Require app protection policy OR Require compliant device — using OR lets enrolled-compliant devices pass, and also lets MAM-only users on personal devices pass if they have APP. Using AND would block anyone not both enrolled and compliant, which is too strict for BYOD. Conditional Access guide →
Write and distribute user enrollment comms
Work-profile enrollment is a user-initiated flow: the user downloads Intune Company Portal from the public Google Play Store, signs in with their work account, and taps through the profile creation wizard — about 5 minutes on a supported device. Send users a one-pager or short video covering: what the work profile is (IT sees only the badged apps, never personal apps or photos), how to find work apps (badged icons), and who to call if enrollment fails. Set expectations: IT can wipe only the work profile, not the entire device. Users who understand the privacy boundary are far more likely to complete enrollment without IT escalation. Link your helpdesk to the Company Portal enrollment troubleshooter at Troubleshooting + support → Troubleshoot in the Intune admin center. Enrollment guide →
What this stack gets you
Cryptographic separation between personal and work data — Google enforces the boundary at the OS level, not just in policy.
Selective wipe: IT retires only the work profile, leaving the employee's personal apps and photos untouched.
Managed Google Play keeps corporate apps invisible outside the work profile, so sideloaded personal apps cannot access work data.
App Protection Policies block copy/paste and screen capture even in apps the user also uses personally (if they also enroll personal Outlook, for example).
Conditional Access with app-protection grant means even a user who skips enrollment but uses Outlook with APP still gets gated, not locked out.
Common first-timer traps
Using a personal Google account for the Managed Google Play binding — when that employee leaves, the binding breaks. Use a service account or shared mailbox.
Setting Conditional Access Grant to AND (require compliant device AND require app protection) — this locks out every BYOD user who is compliant but not yet assigned the APP, and vice versa. Start with OR.
Forgetting to sync Managed Google Play after approving apps — apps sit in limbo until you hit Sync in the Intune admin center; assignments do nothing until the sync completes.
Applying device-owner (fully managed) restriction profiles to personally-owned work-profile devices — the profile silently doesn't apply, and there's no error; always verify the enrollment type on a test device first.
Skipping user comms and calling enrollment "self-service" — without the privacy explanation, users assume IT can see their personal photos and refuse to enroll. The one-pager pays for itself in helpdesk tickets avoided.
Start with a pilot group of 10–20 volunteers before broad rollout — confirm compliance reporting, CA grant behavior, and app sync end-to-end. Then try the full configuration flow in the Intune Simulator before touching production.
Decision Tools · Blueprint
Android frontline / dedicated devices
A complete, ordered starter stack for shared, single-purpose Android hardware — kiosks, scanners, and frontline tablets that belong to the org, not a person — every component linked to the guide that builds it.
🤖 The stack
Platform: Android · Ownership: Corporate · Mode: Dedicated (COSU) · Effort: ~1 day to pilot
Connect Managed Google Play
Bind your tenant to Managed Google Play with an enterprise-owned account — this is the foundation for every Android Enterprise mode and the only sanctioned app source for dedicated devices. Do this once; everything below depends on it. Dedicated device enrollment →
Create a Dedicated (COSU) enrollment profile with a token / QR
Build a corporate-owned dedicated enrollment profile and generate its enrollment token and QR code. Devices factory-reset, scan the QR (or use NFC/zero-touch), and provision as headless, userless, fully-managed kiosks bound to that profile. Dedicated device enrollment →
Choose single-app kiosk vs multi-app managed launcher
Decide the experience now, because it shapes everything downstream: lock the device to one pinned app for true single-purpose use, or run the Managed Home Screen launcher with a curated grid of apps. Most frontline fleets want the multi-app launcher. Dedicated device modes →
Lock it down with a device restriction profile
Author an Android Enterprise device-restriction profile to disable the camera, factory reset, USB transfer, and unknown sources; control power and volume buttons; and set the kiosk behaviour. This is what turns a tablet into appliance-grade hardware. Device Restrictions →
Assign apps via Managed Google Play and configure them
Approve and assign your apps — including the Managed Home Screen — as required through Managed Google Play, then push App Configuration to pre-wire each app and the launcher so devices come up ready, with no manual sign-in or setup on the floor. App Configuration Policies →
Define compliance and wire Play Integrity attestation
Create a compliance policy that requires Google Play Integrity (SafetyNet's successor) attestation, blocks rooted or tampered devices, and sets a minimum OS — then make sure that compliance state actually feeds your access decisions, not just a report. Compliance Policies →
Enroll at scale with zero-touch or QR
For volume, register hardware in Android zero-touch (or the OEM equivalent like Samsung Knox) so devices auto-provision to your dedicated profile straight out of the box; fall back to QR for ad-hoc batches. Pilot a handful, then roll the floor. Enrollment at scale →
What this gets you
Userless, appliance-grade devices that boot straight into the job
A locked, single-purpose surface no one can wander off of
Apps and launcher pre-configured — zero touch on the floor
Tamper detection that actually gates the device, not just a dashboard
Common first-timer traps
Forgetting to configure the Managed Home Screen — devices land on a blank or broken launcher
No managed auto-update window, so apps update mid-shift and interrupt frontline work
Wiring Play Integrity attestation into the profile but never feeding it into compliance — tampered devices stay trusted
Skipping the pilot batch and reflashing the whole fleet to fix one profile mistake
Want to practice this end-to-end with zero risk? Build the whole stack in the Intune Simulator first.
Decision Tools · Blueprint
Shared iPad frontline / clinical
A complete, ordered starter stack for pooled iPads that rotate across a shift — clinical carts, retail floor, field crews — every component linked to the guide that builds it.
The stack
Platform: iOS / iPadOS (Shared iPad mode) · Ownership: Corporate, device-licensed · Effort: 1–2 days for a pilot batch; half-day if ABM is already wired
Enroll your org in Apple Business Manager and federate with Entra ID
Shared iPad requires Managed Apple Accounts (MAAs); without federation every account is a manual import. In ABM go to Settings › Account › Identity Provider, connect your Azure AD tenant, and turn on Auto-create Managed Apple IDs. Once the federation trust is live, every user whose UPN matches an ABM-linked domain gets an MAA provisioned automatically — no CSV, no per-user ticket. What is Shared iPad →
Add your MDM server to ABM and assign devices
In ABM go to Settings › MDM Servers, add your Intune instance (use the Intune enrollment token found at Devices › Enrollment › Apple › Apple devices). Then assign the physical device serial numbers — or a reseller order — to that MDM server. Devices that ship directly from Apple or an authorized reseller land in ABM automatically if the customer number is linked; devices already in the field need the Apple Configurator 2 "Add to ABM" flow to join retroactively.
Create an ADE enrollment profile with Shared iPad enabled
In Intune go to Devices › Enrollment › Apple › Apple devices › Enrollment program tokens, select your token, and create a new profile. Set Shared iPad to Yes — this is only configurable at first activation; you cannot toggle it on an already-activated device without erasing it. Set Require shared device temporary session to No unless you want guest-only kiosks, set the Maximum cached users count to match your shift overlap (4–8 is typical for clinical carts), and leave Setup Assistant panes suppressed so staff never see a setup screen. Configure Shared iPad →
License and push apps via Apple Business Manager VPP (device assignment)
Buy or claim free app licenses in ABM under Apps and Books, then sync them to Intune via Tenant administration › Connectors and tokens › Apple VPP tokens. In Intune assign every frontline app as Required with assignment type Device — never user-licensed on Shared iPad, because the logged-out state has no user context to activate a user license. Apps install silently during the login window and persist across user sessions because they are pinned to the device, not the cache partition. Apps and Books / VPP guide →
Deploy Enterprise SSO plug-in so each shift login is one tap
Create an iOS Device Features configuration profile and add the Single Sign-On app extension payload. Set type to Microsoft Entra ID, extension ID com.microsoft.azureauthenticator.ssoextension, team ID SGGM6D27TK, and enable Shared device mode. With this in place the Microsoft Authenticator app (also pushed as Required) handles token acquisition silently after the MAA login — staff open Epic, Workday, or any MSAL app and are already authenticated. Global sign-out on checkout also clears all MSAL tokens in one call so the next user starts clean. Enterprise SSO baseline →
Tune session cache and storage quotas
In the ADE profile (or a separate Device Restrictions profile scoped to the same device group) set Maximum seconds of inactivity until user session logs out — 300 seconds (5 min) is a safe clinical default; retail can go to 600. Set per-user storage quota under Configure Shared iPad in the enrollment profile: 5 GB covers most EHR thin-client and productivity workloads; bump to 10 GB only if users sync offline content. Keep Maximum cached users at the minimum your shift model needs — fewer cached partitions means more usable storage per user.
Apply a Restrictions profile and a naming convention
Create an iOS Restrictions configuration profile targeting your Shared iPad device group. Lock down App Store installs, iCloud Photo Library, AirDrop, and screen capture — none of these belong on a pooled clinical or retail device. For naming, use a Device Name profile (Device Features payload) with a token string like Cart-{{SERIAL}} or Floor-{{DEVICENAME}} so the name printed on the charge cart matches what shows in Intune and in your helpdesk queue. Consistent names cut mean-time-to-locate during incidents from minutes to seconds.
What this gets you
Any credentialed employee picks up any iPad and is fully authenticated in under 30 seconds — no PIN sharing, no generic accounts
Apps, policies, and SSO tokens are scoped to the device, so checkout clears the session completely without touching app data on the device partition
ABM federation means new-hire MAAs are ready on day one with no IT ticket
Device-licensed VPP means app seats are never stranded in a departed user's Apple ID
Serial-based naming makes physical asset tracking and remote wipe requests unambiguous
Common first-timer traps
Assigning apps as user-licensed — they will not install on the login window and will prompt every user for an Apple ID sign-in
Enrolling the device before setting Shared iPad in the ADE profile — the device activates in standard mode and must be fully erased to correct it
Setting Maximum cached users too high — each extra partition reserves storage; on a 64 GB device, 10 cached users leaves almost nothing for apps
Forgetting to push Microsoft Authenticator as Required before SSO goes live — the SSO extension has no fallback if the app is absent
Not federating ABM with Entra ID before piloting — manually created MAAs do not support Entra Conditional Access policies
Leaving AirDrop open — pooled devices on a clinical floor will see patient-adjacent staff devices; restrict it to Contacts Only at minimum or Off
Once the pilot batch is healthy in Intune, validate session cleanup with a test login/logout cycle and confirm token clearance via Authenticator logs before rolling to the full fleet. Practice the enrollment flow end-to-end in the Intune Simulator.
Decision Tools · Blueprint
Windows kiosk / digital signage
A complete, ordered starter stack for single-purpose Windows devices — lobby kiosks, signage, shop-floor terminals — every component linked to the guide that builds it.
The stack
Platform: Windows 10/11 (Pro, Enterprise, Education) · Ownership: Corporate, Autopilot pre-registered · Effort: 4–6 hours initial build; ~30 min per profile change
Pre-register devices in Autopilot with device-type grouping tag
Collect hardware hashes via the OEM, a reseller upload, or Get-WindowsAutopilotInfo run on-site, then import them into Intune under Devices › Windows › Windows enrollment › Devices. Tag every kiosk hash with an OrderID or group tag (e.g., Kiosk-Lobby) so a dynamic Azure AD group can filter device.devicePhysicalIds any(_ -eq "[OrderID]:Kiosk-Lobby"). That group becomes the assignment target for every policy in this stack. Autopilot pre-provisioning guide →
Create a self-deploying Autopilot deployment profile (no user affinity)
In Devices › Windows › Windows enrollment › Deployment profiles, create a new profile and set Deployment mode to Self-deploying. This uses the device's TPM 2.0 to authenticate to Azure AD — no technician credential required, no user affinity. Set Convert all targeted devices to Autopilot: Yes so re-imaged units are caught automatically. Assign the profile to your kiosk dynamic group. Self-deploying mode skips the user OOBE entirely and drops straight into the desktop, which is exactly where Assigned Access takes over. Autopilot pre-provisioning guide →
Configure a local kiosk auto-logon account
Assigned Access requires a local account that signs in automatically at boot — it cannot use a domain or Azure AD identity in single-app mode. Use a Settings catalog policy (Devices › Windows › Configuration › + Create › Settings catalog) and search for Autologon under the Authentication category. Set DefaultUserName (e.g., KioskUser), DefaultPassword, and AutoAdminLogon = 1. This account must already exist on the device; the fastest path is an Intune Win32 app or a PowerShell script policy (Devices › Scripts) that calls net user KioskUser /add early in provisioning. Single-app kiosk setup →
Apply Assigned Access — single-app or multi-app kiosk XML
Navigate to Devices › Windows › Configuration › + Create › Templates › Kiosk. For a single-app kiosk (one UWP or Edge browser window, no taskbar), choose Single app, full-screen kiosk and point it at the local auto-logon account. For shop-floor terminals that need a handful of approved apps plus a taskbar, choose Multi-app kiosk and supply the Assigned Access XML — the XML lists every allowed AppUserModelID and file-type associations. Assign to the kiosk group. On first post-Autopilot sign-in, Windows reads the MDM payload and locks the shell before the user ever sees Explorer. What is Assigned Access? → · Single-app kiosk setup →
Configure Edge in kiosk mode for signage or public browsing
If the kiosk surface is a browser — lobby signage, a product catalog, a self-service portal — deploy Microsoft Edge in kiosk mode rather than a generic browser shortcut. In Devices › Windows › Configuration › Settings catalog, add the Microsoft Edge category and set Configure kiosk mode (KioskModeType) to 1 (Digital Signage / single URL, no address bar, no navigation) or 2 (Public browsing, address bar visible but scoped). Set Configure kiosk reset after idle timeout to 5–15 minutes for public terminals. Pair with Homepage URL and New tab page URL policies so Edge always opens to your content. Single-app kiosk setup →
Lock down device behavior with restrictions and a Update ring scoped to a maintenance window
Layer a Settings catalog profile for kiosk-specific hardening: disable Allow Cortana, Allow Manual MDM Unenrollment, Allow Add Provisioning Package, and any hardware ports not needed (Bluetooth, removable storage). For updates, create a dedicated Windows Update for Business ring (Devices › Windows › Update rings for Windows 10 and later) with Active hours start/end set to your business hours and Quality update deferral of 7–14 days. Set Automatic update behavior to Auto install and restart at a scheduled time so reboots happen at 2 a.m., not mid-lobby. Kiosk Assigned Access deep dive →
Plan and test remote recovery
Kiosk devices are unattended, so break-glass must be baked in before deployment. Enable Remote lock and Retire / Wipe from the device detail blade so helpdesk can act without physical access. For interactive recovery, assign a Local Administrators Password Solution (LAPS) policy so a tech can log in as a local admin, escape Assigned Access, and troubleshoot. Validate the Ctrl+Alt+Del escape (Assigned Access blocks most shortcuts but not CAD on single-app) and confirm you can reach the device via Quick Assist or your remote-support tool before you ship the first unit to a site. What is Assigned Access? →
What this gets you
Zero-touch provisioning — devices image, enroll, and lock themselves from the box
A tightly scoped shell where users literally cannot reach Explorer, Task Manager, or Settings
Edge kiosk mode with automatic session reset, so public terminals always start clean
Updates that land overnight in your maintenance window without interrupting the kiosk surface
Remote lock, wipe, and LAPS-based local access so helpdesk can recover any unit without a site visit
Common first-timer traps
Using an Azure AD account for auto-logon — Assigned Access single-app requires a local account; Azure AD sign-in breaks the kiosk shell entirely
Forgetting TPM 2.0 validation — self-deploying Autopilot will fail on hardware with TPM 1.2 or a disabled TPM; check BIOS before shipping
Deploying the Kiosk template profile to a user group — Assigned Access configuration must be assigned to device groups, not user groups; it configures the device shell, not a per-user session
No maintenance window on the update ring — without active hours or a scheduled restart time, Windows will reboot the kiosk whenever it finishes updating, which may be mid-business-day
Omitting LAPS or a break-glass account — once Assigned Access locks the shell you cannot reach Settings or Task Manager; without a local admin credential you must wipe and re-provision to recover
Run through the full provisioning flow in a VM before your first physical rollout — Autopilot self-deploying mode and Assigned Access interact in ways that only surface at first boot. Practice the configuration in the Intune Simulator to validate your profile ordering before touching hardware.
Decision Tools · Blueprint
Jamf to Intune Mac migration
A complete, ordered migration path for moving a Mac fleet from Jamf to Intune without stranding devices — every step linked to the guide that builds it.
The stack
Platform: macOS · Ownership: Corporate (ABM-registered) · Effort: High — plan 8–16 weeks for a fleet over 500 Macs
Inventory and parity audit
Before touching a single Mac, export your entire Jamf configuration: all configuration profiles (signed and unsigned), scripts, extension attributes, smart groups, and patch policies. Map every Jamf payload to its Intune equivalent. Pay special attention to PPPC (Privacy Preferences Policy Control) payloads, FileVault escrow, Kerberos SSO, and any Wi-Fi/VPN profiles using certificate chains — these are the payloads that routinely break during migration. Anything Jamf delivers via script that has no Settings Catalog equivalent needs an engineering decision (ship as a shell script via Intune, replace with a native payload, or accept a gap). Document every gap explicitly. Migration deep-dive guide →
Stand up Apple Business Manager + Intune connectors
In Apple Business Manager (ABM), navigate to MDM Servers and add Microsoft Intune as a server. In the Intune admin center under Devices › macOS › Enrollment › Apple MDM Push Certificate, upload a fresh APNs certificate tied to a non-personal Apple ID — this ID must be renewed annually and must not be a personal account. Then go to Devices › macOS › Enrollment › Enrollment Program Tokens and upload the ABM token you downloaded. Sync immediately and verify that your existing ABM-registered Macs appear in the Intune device list as Not enrolled. If they appear as owned by Jamf, you must release them in ABM or wait for the existing Jamf MDM assignment to be removed before Intune can claim them. ADE setup guide →
Rebuild profiles in Intune (PPPC, FileVault, Platform SSO)
Work through your parity audit list top-to-bottom, building Intune equivalents. For PPPC payloads, create Configuration profiles › Templates › Custom profiles using the same signed mobileconfig XML Jamf used — Intune delivers them identically. For FileVault, use Endpoint security › Disk encryption › FileVault policy and choose Escrow to Azure AD for the recovery key; do not rely on the old Jamf escrow once you migrate. For Platform SSO, go to Devices › macOS › Configuration profiles › Settings Catalog and search for Platform Single Sign-On — set Authentication Method to Password or UserSecureEnclaveKey and point the Extension Identifier at com.apple.AppSSOKerberos.KerberosExtension or your IdP's SSO extension. Build all profiles but leave them unassigned until your pilot group is ready. Platform SSO guide →
Run a pilot cohort (dual-managed risk window)
Pick 10–20 volunteer Macs that are already in ABM. Assign your rebuilt Intune profiles to a pilot Azure AD group, then leave Jamf management in place temporarily. This dual-managed state lets you verify profile delivery, FileVault escrow, and app availability before committing to full cutover. The risk: conflicting payloads from both MDMs will fight each other — especially PPPC, Firewall, and FileVault. Contain this by scoping Intune profiles narrowly to the pilot group and temporarily removing the same payloads from the Jamf scope for those devices. Validate that every profile in your audit checklist shows Succeeded in Intune's device configuration state before moving on. Do not stay dual-managed longer than two weeks. Compare migration approaches →
Unenroll from Jamf and re-enroll via ADE (or Configurator)
For devices already in ABM: in the ABM portal, reassign the device's MDM server from Jamf to Intune, then in Jamf Pro issue a Remove MDM Profile command. The Mac will lose its Jamf management frame and, at next check-in or user-triggered enrollment, will pick up the Intune ADE enrollment profile automatically — no wipe required. For older Macs not in ABM (pre-2022 Intel, or any device registered under a different Apple ID): use Apple Configurator 2 to add them to ABM via Add to Organization, assign them to Intune in ABM, then remote-wipe and let them re-enroll clean. This is the only reliable path for non-ABM hardware. Never attempt to manually install an Intune enrollment profile on top of an active Jamf frame — that produces an unsupported dual-MDM state that only a wipe resolves. ADE enrollment guide →
Re-deliver apps via Intune (Installomator as a bridge)
Jamf's Self Service catalog does not transfer. In the Intune admin center go to Apps › macOS and add apps as macOS app (DMG) or Microsoft 365 Apps for Office. For the long tail of community-maintained apps, wrap Installomator as an Intune Shell Script under Devices › macOS › Shell scripts — one script per label, scoped to the same device group. This is the fastest way to re-deliver 40+ apps without packaging every DMG yourself. Verify delivery status in the Device install status report for each app before clearing a device from the migration queue. Required apps must show Installed, not Pending. App migration section →
Decommission Jamf
Once your last device shows no Jamf MDM profile (confirm in System Settings › Privacy & Security › Profiles) and all required Intune policies show Succeeded, you can safely retire Jamf Pro. In ABM, delete the Jamf MDM server entry only after you have confirmed zero devices are still assigned to it — ABM will warn you if any remain. Revoke the Jamf APNs certificate in Apple's Push Certificates portal. Archive your Jamf configuration export (the one from step 1) for a minimum of 90 days in case a compliance audit needs it. Cancel the Jamf license on its renewal date, not mid-cycle, to avoid pro-rata penalties. Full decommission checklist →
What this gets you
A single pane of glass for Windows and Mac policy — one console, one compliance baseline, one conditional access policy set.
Native Azure AD / Entra ID device records with hardware-bound certificates, enabling passwordless and FIDO2 sign-in on Mac.
FileVault recovery keys escrowed to Intune and rotatable from the admin center without touching the device.
Platform SSO eliminating the separate Jamf Connect or NoMAD dependency and its per-seat licensing cost.
Conditional Access enforcing real-time compliance (disk encryption on, OS current, no high-severity EDR alerts) before granting access to M365 and third-party SAML apps.
Common first-timer traps
Skipping the bootstrap token. If you unenroll Jamf before escrowing the bootstrap token to Intune, you lose the ability to enable FileVault silently on Apple Silicon. Escrow the bootstrap token to Intune first — verify it landed under Devices › [device] › Hardware before removing Jamf.
Letting dual-MDM run too long. Two MDMs sending conflicting PPPC or Firewall payloads creates a race condition that produces intermittent policy application. The dual-managed window is for validation only — never a steady state.
Assuming recovery key continuity. The FileVault personal recovery key Jamf holds is not migrated automatically. Rotate FileVault on each device post-migration so Intune holds the current key. Do this before decommissioning Jamf.
Forgetting non-ABM hardware. Devices not registered in ABM cannot receive an ADE enrollment profile. Audit your fleet in ABM before planning timelines — surprise non-ABM Macs require Configurator and a wipe window.
Using managed Apple IDs for APNs. The Apple ID tied to your Intune APNs certificate must be renewed every year by the same account. Use a shared IT mailbox account, never a personal Apple ID, or you will lose push capability when that employee leaves.
Work through every step in order — skipping the parity audit or rushing the pilot is the most common cause of a failed cutover. When you're ready to test profile delivery in a safe sandbox, try the Intune Simulator before pushing to production devices.
Decision Tools · Calculator
Enrollment Status Page timeout budget
Size your Enrollment Status Page timeout from your blocking app set, so first boot never hits the wall.
The Enrollment Status Page (ESP) blocks first sign-in until your required apps install. Set the timeout too low and users hit a wall mid-provisioning; leave the default 60 minutes with a heavy blocking set and you still gamble on slow Wi-Fi. This calculator turns your blocking app count and a realistic per-app install time into a defensible timeout — and tells you when the honest fix is a leaner blocking set, not a longer clock.
Why the blocking set, not the clock, is the real lever
The instinct when first boot stalls is to raise the timeout. Resist it. Every app in the blocking list is a serial dependency the user waits on before they can touch the device - and the slowest, largest, or flakiest one sets the pace. The durable fix is a lean blocking set: block only what the device genuinely needs at first sign-in (security agent, VPN, the one line-of-business app), and deliver everything else as available or non-blocking required after the user is already working. A 90-minute ESP is a smell, not a setting. See configuring the ESP for the full walkthrough.
Decision Tools · Calculator
Shared iPad storage and cache sizing
Work out how many cached users a Shared iPad can hold given its storage, your app footprint, and per-user data — before the carts fill up in the field.
Shared iPad assigns a fixed slice of storage to each cached user account. Get this wrong and iPads start evicting users mid-shift — or arrive in the cart already full. Plug in your storage tier, app footprint, and expected per-user data below to see how many accounts will actually fit before you deploy.
Note: temporary sessions (used for anonymous or guest workflows) do not consume a cached-user slot, so they don't factor into this count. If your fleet runs primarily temporary sessions, cached-user capacity matters less than raw usable storage. On 64 GB devices, the math gets painful fast — Apple recommends at least 5 cached users for classroom use, and you'll struggle to hit that with any real app footprint.
How the math works — and where Apple sets the floor
Apple allocates storage for each cached user as a fixed quota set at enrollment. Intune surfaces this as the Maximum cached users value in your Shared iPad device configuration profile (Devices → iOS/iPadOS → Configuration profiles → Shared iPad). If the device doesn't have enough storage to honor that quota for every slot, iPadOS will reduce the number of cached accounts silently — which is why pre-calculating this before you push profiles beats discovering it in the field. The 64 GB tier is the common pain point: after iOS, reserve headroom, and even a modest app footprint, you're frequently left with fewer than 5 usable slots.
For tuning guidance and profile settings that control eviction behavior and temporary session access, see the Shared iPad tuning guide. For the full enrollment and configuration walkthrough, see Configure Shared iPad in Intune.
Decision Tools · Troubleshooter
Autopilot or the ESP is stuck
A Windows device is hanging in OOBE or the Enrollment Status Page. Pick what you are seeing and get the likely cause and fix.
A device stalled in Windows OOBE or on the Enrollment Status Page almost always has one specific root cause — profile assignment, network reach, a bad app, or a platform requirement that isn't met. Work through the questions below to pinpoint it. Each result names the real Intune control and the concrete next step.
If the device is completely unresponsive (no progress bar movement, no spinner) for more than 30 minutes, hard-reset and re-attempt before troubleshooting — transient network drops during provisioning produce false hangs that disappear on retry.
Why Autopilot stalls: the short version
Every Autopilot hang maps to one of six failure classes: the device was never registered (missing hash), a profile was never assigned, the ESP is waiting on an app that cannot install, the timeout expired before apps finished, the device has no domain-controller line-of-sight for Hybrid join, or a TPM or network prerequisite is not met before OOBE begins. The Autopilot & ESP failure reference catalogs every known error code with its remediation — bookmark it for provisioning war rooms. The ESP configuration guide covers the timeout, tracking, and assignment settings that most directly control whether the ESP passes or blocks.
Decision Tools · Wizard
Which app deployment type?
Intune doesn't deploy "an app" — it deploys a specific app type, and the right one depends on the platform and how the software is packaged. Pick wrong and you fight detection rules, broken updates, or a missing licence. Answer two questions and land on the exact type to create.
Why the type matters more than the app
Two engineers can "deploy Chrome" and end up with completely different reliability because one chose a Win32 wrapper with solid detection and the other fought the store catalog. The app type decides how installs are detected, whether updates are automatic or manual, whether licensing flows through VPP, and what config you can layer on. Match the type to the package — installer complexity, source, and licensing — and most of the pain disappears before you assign anything. When you genuinely can't make a simpler type work on Windows, Win32 is the capable fallback that can model almost anything.
Decision Tools · Wizard
How should I deliver this Mac app?
VPP, a signed PKG/DMG upload, Installomator, or a shell script — Mac app delivery has no single right answer. Answer a few questions and land on the right method for this app.
Mac app delivery in Intune has five distinct methods, and picking the wrong one means either chasing stale versions forever or wrapping a perfectly good App Store app in unnecessary packaging overhead. Answer four questions and this tool lands you on the right method — with the exact Intune controls to use.
Why Mac app delivery is more nuanced than Windows
macOS doesn't have a Win32-style universal deployment container. Instead, Intune offers five distinct delivery mechanisms — each optimized for a different source, update cadence, and scale. The Mac App Store path (VPP) is the lowest friction when apps are available there and ABM is configured, but it's a non-starter without Apple Business Manager. Microsoft first-party types cover the obvious Office and security tooling. For everything else, the PKG/DMG upload vs. Installomator choice really comes down to how often the vendor ships and how many Macs you're managing — re-uploading a 400 MB Zoom PKG monthly is workable at 30 devices, painful at 3,000. See Mac app deployment options for a full side-by-side of all five types.
Decision Tools · Wizard
Which certificate delivery method?
SCEP, PKCS, imported PFX, or just a trusted root — Intune has four certificate surfaces and they are not interchangeable. Answer a few questions and land on the right one.
Intune supports four distinct certificate delivery surfaces: Trusted certificate profiles (root/intermediate CA distribution), SCEP (device-identity certs via NDES), PKCS (per-user certs pulled from your AD CA via the PKCS connector), and Imported PFX (pre-issued certs, typically for S/MIME). Each has hard infrastructure requirements. Answer 3–4 questions and land on the right one.
Why certificate delivery method matters
The four Intune certificate surfaces are not interchangeable: Trusted certificate profiles handle CA trust distribution only; SCEP keeps private keys on the device and scales without bound, but demands NDES infrastructure; PKCS is simpler to stand up but routes private keys through the connector and is user-scoped rather than device-scoped; Imported PFX is the only path for pre-issued certs (S/MIME, third-party-issued identities). Picking the wrong surface typically surfaces as policy errors in Devices > Monitor > Device configuration or as 0x80090016/SCARD_E_NO_KEY_CONTAINER errors on Windows. See Configure certificate profiles for the full connector prerequisites before you commit to an architecture.
Decision Tools · Wizard
Which security baseline approach?
Microsoft security baseline, your own Settings Catalog baseline, or a CIS/mSCP-derived one — the right hardening approach depends on platform and audit needs. Answer a few questions.
Microsoft ships three distinct hardening approaches, and picking the wrong one costs you either an audit finding or weeks of rework. This tool walks through platform, regulatory exposure, and team maturity to land you on the right baseline strategy — and, sometimes, the right combination of them.
Why baseline strategy depends on more than just platform
The Microsoft Security Baseline template is a curated, opinionated default that ships with version-locked settings — it is excellent for getting Windows hardened quickly and staying current as Microsoft revises it. The tradeoff is you cannot choose individual settings or produce a clean line-item audit trail tied to a control framework. A custom Settings Catalog baseline takes more upfront effort but gives you full control, a filterable settings inventory, and the ability to annotate descriptions with CIS recommendation IDs or STIG SRGIDs that auditors can follow. On macOS, the mSCP project closes the gap that Microsoft has not: it ships Intune-ready payloads with NIST and CIS traceability baked in. See the macOS CIS and mSCP guide for the full deployment workflow.
Decision Tools · Blueprint
Microsoft 365 Apps rollout
A complete, ordered recipe for deploying and governing Microsoft 365 Apps across Windows and Mac — channels, config, and updates — every component linked to the guide that builds it.
The stack
Platform: Windows & macOS · Ownership: Intune-managed, Azure AD-joined or Hybrid · Effort: 2–4 days for a structured pilot, 2–3 weeks to full production
Pick your update channel — and commit to it
Monthly Enterprise Channel (MEC) is the right default for almost every organization: two quality updates per month, one feature update per month, predictable release cadence, and full compatibility with Microsoft's servicing tooling. Semi-Annual Enterprise Channel (SAEC) is appropriate only when a specific line-of-business add-in requires it and has been tested to break on MEC. Set channel in your configuration XML (Channel="MonthlyEnterprise") and enforce it with an Intune update policy — do not let users or existing MSI installers override it. M365 Apps deployment guide →
Build your Office Customization Tool (OCT) XML — once, per architecture
Use the Microsoft 365 Apps admin center to build your configuration XML. Decide x64 vs x32 (x64 is the correct answer for all net-new deployments), which apps to include (exclude Publisher, Access, Skype for Business, and any app your org does not license), and set FORCEAPPSHUTDOWN="TRUE" so installs do not silently fail on machines with Office open. Produce one XML per arch; do not maintain per-department variants — use Cloud Policy for per-group app-level settings instead. M365 Apps deployment guide →
Deploy the M365 Apps app type in Intune — Windows
In the Intune console go to Apps > Windows > Add and select Microsoft 365 Apps for Windows 10 and later. Paste your OCT XML into the configuration XML field on the Configure tab. Set the deployment suite (Apps for enterprise), confirm channel matches your XML, and assign to your Pilot device group as Required. Do not use an MSI or Win32-wrapped installer alongside this app type — double-delivery is the number-one rollout failure mode. M365 Apps deployment guide →
Deploy Microsoft 365 Apps on macOS — separately, via DMG/PKG
macOS does not use the Windows app type. In Intune go to Apps > macOS > Add and select Microsoft 365 Apps (macOS) — this is the suite app type that installs Word, Excel, PowerPoint, Outlook, OneNote, and Teams via Microsoft AutoUpdate (MAU). Assign it as Required to your macOS Pilot group. Suppress MAU prompts with a configuration profile setting HowToCheck = AutomaticDownload so Intune owns the update timing. Manage per-app preferences via a Preference file (macOS) configuration profile targeting com.microsoft.office. macOS Microsoft Apps guide →
Configure OneDrive KFM and silent sign-in before cutover
Deploy a Settings catalog or ADMX-backed configuration profile for the OneDrive sync client. Enable Silently sign in users to the OneDrive sync app with their Windows credentials (PreSignInSettingsEnabled + SilentAccountConfig) and Silently move Windows known folders to OneDrive (KFMSilentOptIn set to your tenant ID). Target the OneDrive KFM policy at your Pilot group before you retire mapped drives or redirect any folder — KFM must be confirmed working and not showing error toasts before you cut over file server access. On macOS, configure KFM via a preference file profile targeting com.microsoft.OneDrive. OneDrive & KFM guide →
Deploy Microsoft Edge alongside the suite
Add the Microsoft Edge app type (Windows) or the Edge macOS app from Intune Apps. Assign as Required to all device groups — Edge is the supported browser for M365 web apps and the default PDF handler. Push an Edge configuration profile (Settings catalog: Microsoft Edge category) to set your home page, configure enterprise new tab page, and enable Sign in to Edge with Entra ID silently (BrowserSignin = 1, NonRemovableProfileEnabled = true). This prevents the org experience from degrading to a consumer Microsoft account context.
Govern updates with a Servicing Profile (or update policy)
Once the suite is deployed, open the Microsoft 365 Apps admin center and configure a Servicing profile for Windows — this gives you rollout waves, pause controls, device health signals, and per-wave deadlines in one pane. If you are on MEC (you should be), the servicing profile is the right governance tool. For macOS, use a macOS update policy in Intune or MAU configuration profile to set the update deadline. Do not rely on users clicking Update — enforce a deadline and set FORCEAPPSHUTDOWN so the update actually completes.
Run a structured pilot ring before broad deployment
Create three Entra ID dynamic device groups: Ring0-Pilot (IT and power users, ~1–2% of fleet), Ring1-Early (~10%), and Ring2-Broad (remainder). Assign Required to Ring0 first; wait one full monthly update cycle and validate channel compliance in the M365 Apps admin center under Inventory. Confirm KFM health, Edge sign-in state, and OneDrive sync status in Intune Device compliance before expanding. Move Ring1, then Ring2 on two-week intervals. If any channel drift shows in Inventory, check for pre-existing MSI or C2R installs that the Intune app type did not remove — see the Common traps below. M365 Apps deployment guide →
What this gets you
A single, authoritative source of truth for channel, app selection, and update governance — no per-department XML sprawl
OneDrive KFM protecting user data before any file server migration or device replacement
Edge deployed with org identity baked in, eliminating the consumer-account sign-in prompt at first launch
Update compliance visible in the M365 Apps admin center Inventory view with per-device channel and build data
A repeatable pilot ring model you can reuse for future suite updates or config changes
Common first-timer traps
Double-delivery: deploying both the Intune M365 Apps app type and a legacy MSI or GPO-driven C2R install. The Intune app type will not remove an existing MSI automatically — you need a Win32 uninstaller or the Office removal tool deployed first.
Channel drift: assigning Monthly Enterprise in the Intune app type but leaving an existing SAEC channel registry key or GPO. The registry wins; Intune reports compliant while the device sits on the wrong channel. Audit with Inventory before claiming success.
KFM after cutover: enabling the Known Folder Move policy the same week you retire mapped drives. Users with sync errors will lose access to files. Validate KFM green in Intune reports for at least one week before any infrastructure change.
Separate macOS installs: deploying the macOS suite app type and also pushing individual app PKGs (Word, Excel) as separate Intune apps. You end up with duplicate apps and conflicting MAU update paths. Use only the suite app type.
Ignoring MAU on macOS: the macOS suite app type does not enforce update deadlines by itself — if you do not configure a MAU preference profile with HowToCheck = AutomaticDownload and a deadline, users stay on whatever build launched at enrollment.
This blueprint gives you a deployable, governed M365 Apps environment in one pass — no retrofit required. Once Ring2 is complete, practice config changes and channel governance hands-on in the Intune Simulator.
Decision Tools · Comparison
FileVault vs BitLocker
Apple’s FileVault and Windows BitLocker both encrypt the disk and escrow keys to Intune — but the mechanics, recovery, and gotchas differ in ways that bite at recovery time.
Both FileVault (macOS) and BitLocker (Windows) encrypt the full disk and escrow recovery keys to Intune — but that surface similarity hides real differences in how they activate, how keys land in the cloud, and what happens when a user can't log in. If you manage both platforms from a single Intune tenant, understanding those gaps before your first recovery call saves a lot of pain. See also the platform-specific setup guides: FileVault configuration → and BitLocker & Disk Encryption →.
Criterion
FileVault (macOS)
BitLocker (Windows)
Enablement model
Deferred login — Intune pushes the policy, but encryption does not start until the next user logout/login cycle. A user prompt is required; there is no fully silent path on a user-owned machine.
Silent enablement — on Intune-enrolled, Azure AD-joined hardware that meets TPM 2.0 requirements, BitLocker encrypts silently in the background with zero user interaction via the Disk Encryption profile or the endpoint security policy.
Key type escrowed to Intune
Personal Recovery Key (PRK) — a 24-character alphanumeric string generated on the device. Intune can rotate it on each unlock. The key is visible in the Devices blade under Recovery keys only after successful escrow.
BitLocker Recovery Password (48-digit numeric) — generated per volume, stored under the device's recovery-keys entry in Intune. Multiple keys may be listed if the drive has been re-keyed or if there are multiple fixed volumes.
Escrow timing & the not-escrowed trap
High risk — FileVault can report enabled in compliance while the PRK has never reached Intune (machine never logged out after policy applied, or was offline). Always verify: Devices → <Mac> → Recovery keys shows a non-empty PRK.
Moderate risk — silent encryption completes before the key is confirmed escrowed if the device goes offline mid-encryption. Check Devices → <Windows device> → Recovery keys; an empty list means escrow failed. Trigger re-escrow via a fresh compliance check or the manage-bde -protectors PowerShell script.
Recovery workflow
Retrieve the PRK from Intune → Devices → <Mac> → Recovery keys → Show recovery key. Type it at the macOS pre-boot recovery screen. Intune auto-rotates the PRK after use if the Rotate personal recovery key after use toggle is enabled. Full walkthrough: FileVault recovery →
Retrieve the 48-digit key from Intune → Devices → <Windows device> → Recovery keys. Enter it at the BitLocker pre-boot prompt or Windows Recovery Environment. Key is not automatically rotated post-use — plan a rotation policy. Full walkthrough: BitLocker recovery & escrow →
Compliance integration
Native — the macOS compliance policy has a built-in Require encryption of data storage on device toggle. FileVault status feeds directly into the compliance state; a non-encrypted Mac can be blocked from conditional access immediately.
Native — Windows compliance policy includes Require BitLocker. Works alongside the endpoint security Disk Encryption profile. Note: compliance reads the OS encryption state, not Intune's escrow confirmation, so a device can be compliant with no key in Intune.
Multi-user / shared device behavior
Complex — FileVault is per-account enabled. When a second local user is added after encryption, they must be explicitly enabled for FileVault unlock or they cannot start the machine from a cold boot. The Intune deferred-login flow only enables the account that logs out/in after policy applies.
Simpler — BitLocker encrypts the volume, not per-user. Any user who knows the password can boot; the recovery key is volume-level. Shared-PC mode with BitLocker still requires one Intune-managed escrow path, but there is no per-user unlock enrollment step.
Hardware dependency
T2 / Apple Silicon recommended — on Apple Silicon and T2 Macs, FileVault is hardware-accelerated and the volume key is wrapped by the Secure Enclave. On older Intel Macs without T2, software encryption applies. Intune does not differentiate policy by chip, but recovery behavior differs.
TPM 2.0 required for silent — silent BitLocker enablement requires TPM 2.0. Without it, Intune falls back to prompting for a startup PIN, or the device reports encryption failure. Verify TPM version in Intune → Devices → Hardware before deploying silent policy at scale.
Key rotation
Automated — configure Number of times allowed to bypass before requiring FileVault sign-in and Rotate personal recovery key in the FileVault profile. Rotation happens at next login after use. Frequency is policy-driven.
Manual or scripted — Intune has no built-in scheduled rotation UI for BitLocker. You must deploy a PowerShell script (manage-bde -protectors -adbackup or via a proactive remediation) to rotate and re-escrow on a schedule.
FileVault is your primary concern when…
You have a mixed-account Mac fleet where admins add local users post-enrollment — audit who is actually enabled for unlock.
A Mac reports FileVault enabled in compliance but the recovery key blade is empty — that's your most common recovery-day disaster; fix escrow first, not after.
You are onboarding BYOD or personally enrolled Macs, where the deferred-login requirement means keys may lag days behind policy application.
You need per-use key rotation baked into policy without scripting — FileVault's built-in rotation is the simpler path.
BitLocker demands extra attention when…
Your Windows estate includes pre-2018 hardware that may lack TPM 2.0 — silent encryption will fail silently, and you won't know until recovery day.
You need deterministic, zero-touch encryption at enrollment — BitLocker's silent path on modern hardware beats FileVault's deferred-login model for hands-off deployments.
You run shared-PC or kiosk workloads where per-user unlock enrollment is impractical — BitLocker's volume-level model fits.
You haven't built a BitLocker key-rotation remediation script yet — that gap will catch you; schedule it before rollout.
In a mixed-OS org, you will run both — that's the normal answer. The operational split that works in practice: treat FileVault escrow verification as a Day 1 enrollment check (script a proactive remediation that alerts if the PRK is absent after 48 hours), and treat BitLocker rotation as a quarterly scheduled remediation. Both recovery flows land in the same Intune console blade, so train your helpdesk on FileVault recovery and BitLocker recovery together — the lookup steps are nearly identical even if the underlying technology isn't.
Decision Tools · Comparison
Windows LAPS vs Endpoint Privilege Management
Rotate the local admin password with Windows LAPS, or remove standing admin entirely with Endpoint Privilege Management — two answers to the local-admin problem.
Both Windows LAPS and Endpoint Privilege Management (EPM) address the local-admin problem on Windows endpoints — but they solve different halves of it. Windows LAPS eliminates credential reuse by rotating the built-in local Administrator password on a schedule; EPM eliminates standing admin rights entirely by letting standard users elevate specific processes on demand. You need to pick the right tool for the right job — and in mature environments, both run together.
Criterion
Windows LAPS
Endpoint Privilege Management
Core problem solved
Credential reuse & lateral movement — a unique, rotated password per device means a stolen local-admin credential is worthless on every other machine.
Standing admin rights — users run as standard accounts; specific apps are elevated only when policy allows, reducing attack surface continuously.
Standing admin rights on the endpoint
Not addressed. LAPS secures the password for the local Administrator account but does not prevent that account — or any other local admin — from existing and being used.
Eliminated. EPM lets you deprive end-users of local-admin membership entirely and still satisfy legitimate elevation needs through policy-approved, audited rules.
Licensing requirement
Included in Microsoft Intune Plan 1 (any M365 E3/E5, EMS E3/E5, or standalone Intune). No add-on needed.
Requires the Intune Suite add-on (or the standalone Endpoint Privilege Management add-on, currently ~$3/user/month). Not available in base Intune Plan 1.
Configuration surface in Intune
Intune admin center → Endpoint security > Account protection > Windows LAPS. One policy type; straightforward settings for backup directory, rotation age, and password complexity.
Intune admin center → Endpoint security > Endpoint Privilege Management. Requires an elevation rules policy plus an elevation settings policy; file-hash or certificate conditions add operational overhead.
Audit & forensics
Password retrieval is logged in Entra audit logs (who retrieved which device's password and when). No visibility into what was done with elevated rights after retrieval.
Full elevation audit trail in Intune reports (Reports > Endpoint Privilege Management > Elevation report): each approved or denied elevation is logged with user, device, file hash, and timestamp.
End-user experience
Transparent. Users never interact with LAPS directly. IT staff or helpdesk retrieve the password from the Intune device blade or via Graph API when they need local-admin access.
Visible, but low-friction when tuned well. Users see an elevation prompt for approved apps; unapproved requests can trigger a support-approval workflow. Requires policy tuning to avoid over-prompting.
Scope of protection
Protects the credential of the local Administrator account (built-in or a custom account you designate). Does not control what a logged-in admin can do.
Controls who can run what with elevated rights, enforced at process level. Covers the gap where a local admin could silently install malware, modify security settings, or tamper with MDM enrollment.
Implementation complexity
Low. Enable the LAPS policy, point backup to Azure AD / Entra, set a rotation interval. Most shops are live in under an hour.
Medium-to-high. Inventory every legitimate elevation use case, build file-hash or publisher rules per app, pilot with a ring, then refine. Expect several weeks of rule iteration before broad rollout.
Choose Windows LAPS when…
You need immediate credential hygiene without budget for an add-on license.
Your primary concern is lateral movement via credential reuse — classic pass-the-hash or password-spray scenarios targeting the local admin account.
You need helpdesk to have a safe, auditable break-glass path to local admin on any managed device.
You are starting from scratch and want a quick, high-impact security win that ships in a single afternoon.
Choose Endpoint Privilege Management when…
Your security posture requires zero standing local admin rights — e.g., CIS Level 2, NIST 800-53 IA controls, or cyber insurance mandates.
You have legacy apps or line-of-business tools that require elevation and you currently solve this by handing out admin rights to whole teams.
You need an auditable record of every elevated process for compliance or incident response.
You have the Intune Suite licensed (or can justify the add-on cost against the risk reduction).
In practice, most security-mature shops run both: Windows LAPS as the always-on credential hygiene layer (zero incremental cost, immediate lateral-movement defense), and Endpoint Privilege Management as the policy-enforcement layer that eliminates standing admin rights for end-users. The split is clean — LAPS owns the break-glass credential; EPM owns the day-to-day privilege surface. Neither tool makes the other redundant.
Decision Tools · Comparison
Platform SSO vs Kerberos SSO Extension
Two Mac single-sign-on extensions that look similar and solve different problems: Platform SSO ties the Mac login to Entra; the Kerberos extension keeps on-prem AD passwords in sync.
Both extensions live in the same Intune profile path (Devices → Configuration → macOS → Device Features → Single sign-on app extension) and both carry the "Microsoft Azure AD" payload, but they solve fundamentally different problems. Platform SSO binds the macOS local account to an Entra ID identity so that the Mac login window itself becomes an SSO boundary. The Kerberos SSO Extension keeps the user's on-prem Active Directory Kerberos ticket current so file shares, internal web apps, and legacy services that demand real AD tickets keep working without a VPN prompt. In many hybrid shops you need both — see the Platform SSO guide and the Kerberos SSO Extension guide for full deployment steps.
Criterion
Platform SSO
Kerberos SSO Extension
Identity source
Entra ID (cloud) — authenticates against Entra; supports password, smart card, and Secure Enclave–backed key credential flows.
On-prem AD / KDC — fetches a Kerberos TGT from your on-premises domain controller; Entra ID is not in the auth path.
What it actually unlocks
Local account binding + Entra SSO — maps the macOS local user to an Entra identity; enables password sync to the login window and passwordless unlock via Touch ID or Secure Enclave.
Kerberos tickets for internal resources — silently renews TGTs so the user gets seamless access to SMB shares, NTLM-guarded intranet sites, and any Kerberized service without entering AD credentials.
Prerequisites
macOS 13+ (Ventura); Entra ID P1 or P2; device must be Entra-joined or registered; Company Portal 5.2312.0+. Secure Enclave flow additionally requires APFS-encrypted disk and a supported T-chip Mac.
macOS 10.15+; any Intune license; network line-of-sight to a DC (or SSOE on-prem connector); no Entra premium required. Works on both supervised and user-enrolled devices.
Entra ID required
Yes — the entire auth flow is cloud-first; Entra Conditional Access policies apply.
No — purely AD/KDC-based; Entra is irrelevant to ticket issuance, though the device can still be Entra-joined.
Covers cloud SaaS apps (M365, Azure)
Yes — once bound, the Entra token flows through the SSO extension to all MSAL-based apps and Safari without re-prompt.
No — Kerberos tickets are useless to Entra-protected resources; users still need a separate Entra auth for M365.
Covers on-prem SMB shares and legacy intranet
No — Platform SSO does not issue AD Kerberos tickets; if users need \\server\share access, this gap must be filled by the Kerberos extension or a VPN.
Yes — the whole point; the extension auto-renews TGTs before they expire, eliminating password prompts on corporate Wi-Fi or split-tunnel VPN.
Login window integration
Yes — can replace the macOS password prompt with an Entra credential; supports passwordless unlock using a Secure Enclave key bound to the device.
No — operates post-login only; cannot change the macOS login window behavior.
Can coexist in the same Intune profile
Yes — but in separate profiles. Apple permits only one SSO extension payload per configuration profile, so deploy Platform SSO and the Kerberos extension as two distinct Device Features profiles. Both extensions register their respective credential providers and do not conflict at runtime.
Operational complexity
Medium — requires Entra tenant config, device trust, and a first-login activation step (the user is prompted once to authenticate and bind the account).
Low — push the profile, done; no user-facing setup; ticket renewal is silent. The main gotcha is DC reachability on public Wi-Fi.
Choose Platform SSO when…
Your Macs are cloud-only or hybrid Entra-joined and you want the login window tied to Entra credentials (including passwordless).
You need Conditional Access to gate the Mac as a compliant device before users can access M365 or Azure resources.
You are retiring on-prem AD for Mac authentication and want a single identity plane in Entra.
Users complain about repeated MFA prompts across MSAL apps — Platform SSO's shared credential eliminates per-app token fetches.
Choose Kerberos SSO Extension when…
Users access on-prem SMB file shares, SharePoint (on-prem), or Kerberos-guarded intranet sites and you cannot replace those services with cloud alternatives yet.
Your environment has no Entra ID P1/P2 budget or the Macs cannot meet Platform SSO's macOS 13 minimum.
You need AD password expiry notifications pushed to the Mac menu bar — the Kerberos extension does this natively via the PasswordChangeURL key.
You want a zero-user-interaction deployment with no first-login binding step required.
In a hybrid environment the right answer is almost always both: deploy Platform SSO to anchor the Mac to Entra and cover cloud SaaS, then layer the Kerberos SSO Extension in a second profile to keep on-prem ticket renewal silent. Create two separate macOS Device Features configuration profiles in Intune → Devices → Configuration → Create → macOS → Device Features, assign both to the same device group, and let them coexist. Start with the Platform SSO deployment guide for the Entra binding steps, then follow the Kerberos SSO Extension guide for the on-prem ticket configuration.
Decision Tools · Matrix
App deployment type matrix
Filter by platform to see every Intune app type — its source, whether it auto-updates, how licensing flows, and when to use it.
Every Intune app deployment type in one place. Use the platform filter to narrow the list, then compare source, update behavior, licensing, and the right use case before you commit to a deployment method. Getting this decision wrong early costs hours of re-packaging work later.
The app type you select at creation time is permanent — you cannot change a Win32 app into a Store app after the fact. Win32 gives you full control over install behavior but requires manual packaging with the Microsoft Win32 Content Prep Tool and manual supersedence to push updates. Store apps (new model, via Apps > Windows > Add > Microsoft Store app (new)) eliminate packaging entirely and keep themselves current, but you're at the mercy of the publisher's Store listing. On Apple platforms, always prefer VPP device licensing over user licensing for corporate-owned devices — it removes the personal Apple ID dependency entirely. On Android Enterprise, every public app must come from Managed Google Play; direct APK sideloading is only for private-track uploads through the Play Console. See the App deployment wizard to walk through a guided recommendation for your specific scenario.
Decision Tools · Scorecard
Endpoint security posture scorecard
A quick cross-platform read on your endpoint security baseline — encryption, hardening, threat defense, and the access controls that make them real.
Work through the checklist honestly — tick only what is fully deployed and enforced today, not what's planned or partially rolled out. The score reflects your real blast radius if an endpoint is compromised right now.
Four domains matter most: disk encryption with tested recovery, OS hardening, an active threat-defense stack, and the access controls that make the rest enforceable. Miss any one and the others lose much of their value.
Why these four domains, in this order
Encryption without tested recovery is theater — an escrowed key no one has ever retrieved will fail the moment a real helpdesk ticket arrives. Hardening without local-admin control is equally fragile: a security baseline means little if any user can disable Defender or install a root kit with local rights. Threat defense without attestation gives you telemetry but not policy leverage — Play Integrity and Windows health attestation are what let you act on that signal in Conditional Access. Finally, updates tie the whole stack together: a fully hardened, attested, Defender-enrolled endpoint running a 14-month-old OS is still a known-CVE liability. See Compliance Baseline Decision → to match the right baseline depth to your org's risk tolerance.
The weight-3 items — disk encryption and the security baseline — are foundational because every other control assumes the OS and storage layer hasn't already been compromised. If your score is Early, fix those two before anything else.
Decision Tools · Wizard
Which Conditional Access posture?
Conditional Access is where compliance becomes enforcement. The right grant control depends on device ownership and what you actually manage. Answer a few questions and land on the right policy shape.
Conditional Access is where compliance becomes enforcement — but the right grant control depends entirely on how the device is managed and who owns it. A policy that works perfectly for a corporate-enrolled Windows laptop will break productivity for a contractor's personal iPhone. Answer 4 questions to land on the right policy shape, plus a reminder about report-only rollout and break-glass accounts.
Why the grant control choice is non-negotiable
Conditional Access grant controls are enforced at token issuance — once a policy is wrong or missing a break-glass exclusion, it locks out users or admins instantly. The Require compliant device grant only works when Intune has a compliance state for the device, which requires enrollment. The Require app protection policy grant is specifically for scenarios where you cannot enroll the device (contractors, personal phones) and need DLP controls scoped to managed apps instead. Running every new policy in Report-only mode and reviewing sign-in logs under Entra ID > Monitoring > Sign-in logs before switching to On is the single most important operational habit — it surfaces misconfigured exclusions and unexpected app compatibility issues before they become outages. See the full CA + compliance guide for rollout sequencing.
Decision Tools · Blueprint
Zero-trust Conditional Access baseline
A complete, ordered starter set of Conditional Access policies that establishes a zero-trust access floor across every platform — every policy linked to the guide that builds it.
The stack
Platform: All (Windows, iOS, Android, macOS) · Ownership: Identity/Security team · Effort: 2–4 hours initial, 1 hour tuning
Block legacy authentication (CA001)
Create a Conditional Access policy targeting all users, all cloud apps, with grant control set to Block. Under Conditions → Client apps, select Exchange ActiveSync clients and Other clients. Legacy protocols (SMTP AUTH, IMAP, POP, MAPI over HTTP) do not support modern MFA challenges; leaving them open is the single most exploited gap in Entra tenants. Exclude your break-glass accounts. Deploy in report-only for 48 hours, verify no critical service accounts hit the filter, then enforce. Conditional Access guide →
Require MFA for all users (CA002)
Policy targeting all users, all cloud apps. Under Access controls → Grant, require Require multifactor authentication. Exclude your break-glass group and any true service accounts that cannot use MFA. This is your broadest policy and the one most likely to break overlooked scripts — report-only for at least one full business week before enforcing. Authentication strength defaults to any MFA method; you will tighten this for admins in CA004. Conditional Access guide →
Require compliant device for Windows and macOS (CA003-W)
Target all users, all cloud apps, filter Conditions → Device platforms to Windows and macOS. Grant: require Require device to be marked as compliant. Before enforcing, confirm your compliance policies are published and have had time to evaluate — a device that has never checked in reports as Not evaluated, which fails the compliant check and will lock users out. Pair with the Windows Conditional Access guide → to pre-stage compliance policies. Use report-only until your Intune enrollment coverage is above 90%.
Require app protection policy for iOS and Android (CA003-M)
Target all users, all cloud apps, filter Device platforms to iOS and Android. Grant: require Require app protection policy (not device compliance). This allows unmanaged personal devices to access corporate data through Intune-protected apps without full enrollment — the right posture for BYOD. App Protection Policies must already be assigned to the user group before this policy enforces; publish them first. App Protection Policy guide →
Require phishing-resistant MFA for all admins (CA004)
Target your privileged role directory role group (Global Admin, Security Admin, Exchange Admin, etc.) plus any custom privileged roles. Grant: require Authentication strength → Phishing-resistant MFA (FIDO2 keys or Windows Hello for Business). This blocks adversary-in-the-middle token theft, which is the dominant technique used against MFA-enrolled admin accounts. Issue FIDO2 hardware keys before enforcing — enforce date-locked: set enforcement to start the week after key distribution. Conditional Access guide →
Apply sign-in risk policy — medium and high (CA005)
Requires Microsoft Entra ID P2. Target all users, all cloud apps. Conditions → Sign-in risk → Medium and above. Grant: require Require multifactor authentication. This lets Identity Protection's real-time risk signals (atypical travel, anonymizer IP, token anomalies) demand a fresh MFA step-up at authentication time. Pair with a user risk policy (high risk → require password change) as CA006. Test in report-only and review the Identity Protection sign-in risk report before enforcing to gauge true positive rate in your tenant. Conditional Access guide →
Validate your break-glass posture (standing requirement)
Every policy above must explicitly exclude a dedicated break-glass group containing two or more cloud-only, non-federated accounts with no MFA registration and strong 20+ character randomized passwords stored offline. Without verified break-glass exclusions, a mis-configured policy can lock every admin out of the tenant simultaneously. Test break-glass access monthly. Check your score against the full zero-trust readiness baseline at Zero-Trust Readiness Score →.
Move all policies from report-only to enabled (staged rollout)
Run each policy in Report-only mode before enabling. Use Entra's built-in What If tool (Conditional Access → Policies → What If) to simulate specific user/app/device combinations before commit. Monitor the Sign-ins log filtered by CA policy and result Would be blocked daily during the report-only window. Promote CA001 first (lowest user impact), then CA002, then CA003-W/M together, then CA004, then CA005. Full enforcement typically takes 2–4 weeks in a mid-size org. Conditional Access guide →
What this gets you
Legacy auth blocked at the network layer — password spray and credential stuffing attacks lose their primary entry point
Every interactive sign-in requires MFA regardless of network location or device trust
Corporate data on personal mobile devices flows only through MAM-protected apps, not native Mail or browser downloads
Admin accounts protected against token theft via phishing-resistant authenticators
Anomalous sign-ins trigger real-time MFA step-up without a help-desk call
Break-glass accounts verified and tested, preventing total lockout scenarios
Common first-timer traps
Skipping report-only — enforcing CA001 or CA002 on day one without a report-only window will break shared mailboxes, service accounts, and any app using basic auth; you will get calls within minutes
Forgetting the break-glass exclusion group — adding it after the fact to an already-enforced block policy requires another Global Admin who isn't locked out; create the group before you create the policy
Requiring device compliance before enrollment is complete — devices that have never enrolled report Not evaluated, which fails the compliant check; this is indistinguishable from a non-compliant device from the policy's perspective
Assigning CA003-M before App Protection Policies exist — users hit a grant failure with no actionable error if no APP is assigned to them; publish and verify APPs first
Using user group exclusions instead of a named exclusion group — exclusions scattered across individual policies become unmanageable; maintain one canonical CA-Exclusions group and govern its membership with access reviews
Not testing What If for service principals — non-interactive sign-ins from Azure automation, Power Automate, and third-party SaaS connectors are affected by all-cloud-app policies; check them before CA002 enforcement
This stack covers the CISA SCuBA baseline and Microsoft's own recommended Conditional Access starting point. Run the Zero-Trust Readiness Score before and after deployment to quantify your posture improvement, and practice policy logic in the Intune Simulator before touching a production tenant.
Decision Tools · Comparison
Compliant Device vs App Protection in CA
Two Conditional Access grant controls that gate access very differently: require a compliant (managed) device, or require an app protection policy on the app.
Conditional Access gives you two fundamentally different grant controls for protecting Microsoft 365 and other cloud apps: Require compliant device and Require app protection policy. Compliant device trusts the hardware — it only grants access when Intune has enrolled and evaluated the device against a compliance policy. App protection policy trusts the app and the identity — it gates access on whether the client app is bound to an Intune App Protection Policy (APP), no enrollment required. Picking the wrong control is the most common CA misconfiguration in hybrid environments. See also MDM vs MAM and CA grant control picker.
Criterion
Compliant Device
App Protection Policy
Enrollment required?
Yes — mandatory. The device must be enrolled in Intune (or co-managed) before CA can evaluate a compliance state. Zero compliance record = blocked.
No enrollment needed. The app registers its protection status directly through the Intune SDK / MAM channel. The device never touches MDM.
What is trusted?
The device itself: OS version, encryption, passcode, Defender health, disk encryption — all evaluated by the platform compliance engine and surfaced to Azure AD as a device attribute.
The app + identity pair: Intune verifies the client app supports APP, is running under a protected profile, and that the signed-in user has an applicable policy. Device posture is not assessed.
Ownership fit
Corporate-owned devices (Windows, macOS, iOS, Android). Full management is expected and enrollment friction is acceptable or invisible (Autopilot, ADE, zero-touch).
BYOD / personal devices. Employees keep personal data separate, IT never touches the device, and enrollment is not asked for — significantly reducing legal and privacy exposure.
Privacy & personal data exposure
Higher. MDM enrollment grants Intune visibility into device inventory, installed apps, location (if configured), and remote wipe of the whole device. Many employees and works councils object on personal hardware.
Lower. MAM scope is limited to managed app data. IT can wipe corporate content from the app without touching personal photos, messages, or non-managed apps.
Control ceiling
Highest. Full MDM policy surface: certificate deployment, Wi-Fi/VPN profiles, disk encryption enforcement, kernel extension approval, LAPS, Windows Update rings, and conditional launch tied to real device health signals.
App-layer only. Rich DLP controls (cut/copy/paste restrictions, save-to locations, PIN, biometric, jailbreak/root detection) but no ability to push config outside the managed app boundary. No device certificates.
Supported platforms in CA
Windows, macOS, iOS/iPadOS, Android (all enrollment flavors). Compliance policy and the Require compliant device grant must be in place for every OS you target.
iOS/iPadOS and Android only (as of 2025). Windows MAM (preview) covers Edge/Office on unmanaged Windows but the CA grant is not yet GA for all Windows apps. macOS is not supported for APP-based CA grant.
Typical CA policy pairing
Pair with Require MFA for defense in depth. Often scoped to all cloud apps or specific high-value apps (Exchange, SharePoint). Grant: Require compliant device OR hybrid Azure AD join for co-managed fleets.
Pair with Require approved client app (legacy) or use APP grant alone on modern auth apps. Always target the specific apps (Outlook, Teams, Edge) — not all cloud apps, since many don't support APP.
Rollout complexity
Higher. Requires enrollment pipeline (Autopilot / ADE / COPE), compliance policy authoring per platform, graceful handling of the enrollment gap for new devices, and break-glass accounts.
Lower initial lift. Deploy APP to users, configure the CA grant, and protect targeted apps within days. No imaging, no enrollment workflow, no device certificate PKI.
Data loss prevention depth
Protects at the device layer (encryption, screen lock) but relies on separate DLP policies (Purview, sensitivity labels) for app-level data controls.
Built-in app DLP. Copy-paste restrictions, open-in controls, screenshot block (Android), and per-app PIN are enforced by the APP framework — no additional DLP product needed for basic controls.
Choose Compliant Device when…
The device is corporate-owned and will be enrolled via Autopilot, Apple ADE, or Android zero-touch
You need to enforce OS version, disk encryption, or Defender ATP signals as access conditions
Users access apps from macOS or Windows and you need full policy control beyond Office apps
Regulatory requirements (FedRAMP, HIPAA BAA, PCI) demand device-level attestation, not just app-layer controls
You are deploying certificates, VPN profiles, or Windows Update rings alongside access control
Choose App Protection Policy when…
The device is personally owned (BYOD) and enrollment is politically or legally off the table
You need rapid protection for Exchange and Teams on iOS/Android without an enrollment project
Your main risk is corporate data leaking out of Office apps (copy-paste to personal apps, open-in)
Workers councils, privacy regulations (GDPR), or union agreements prohibit MDM on personal devices
You are in a contractor or partner scenario where you cannot manage the endpoint at all
In most mature environments the right answer is both, split by ownership: a CA policy requiring compliant device scoped to corporate-owned profiles, and a separate CA policy requiring app protection policy scoped to BYOD users on iOS and Android. Use CA grant control picker to model the split for your tenant, and review MDM vs MAM for the enrollment-layer decision that feeds directly into which grant control applies.
Decision Tools · Scorecard
Zero-trust posture scorecard
Assess your endpoint zero-trust posture across identity, device, access, and data — and see where the weakest links are.
Zero trust is not a product — it is a posture. This scorecard measures how thoroughly your Intune environment enforces verify explicitly, use least privilege, assume breach across four domains: who logs in, what devices they use, how access is granted, and what happens to the data. Tick every statement that is fully true in production today — not planned, not piloted on a handful of machines.
A score below 55 almost always means identity controls are incomplete; fix those first before tuning device or data policy.
Why these weights?
The weight-3 items — universal MFA, phishing-resistant admin MFA, all-corp devices enrolled and compliant, and a CA policy requiring compliant device or app protection — are the load-bearing controls. Microsoft's own breach data consistently shows that MFA alone blocks over 99% of automated credential attacks, and a noncompliant device reaching Microsoft 365 data is an assumed-breach scenario waiting to happen. Every other control in this scorecard is a depth-defense layer that contains a breach that the weight-3 controls failed to prevent.
If your score is high but you have unchecked weight-3 items, revisit your answers — it is common to conflate "we have a CA policy" with "that policy is enforced for all users on all apps." Check the CA policy's Users scope and Grant setting directly in Entra ID → Protection → Conditional Access before claiming those items. The zero-trust CA blueprint walks through a safe rollout sequence that avoids locking out break-glass accounts.
Decision Tools · Wizard
Which Windows update strategy?
Update rings, Autopatch, or hands-on feature management — the right model depends on fleet size and how much you want to own. Answer a few questions and land on a patching strategy.
Windows patching in Intune is not one-size-fits-all. Update rings give you granular DIY control. Windows Autopatch hands the ring math to Microsoft. Feature update profiles let you pin a specific Windows version independently of quality-update cadence. Driver update policies add a fourth layer that most shops under-configure. Answer four questions and this tool lands you on the right combination — and flags any prerequisites you need to clear first.
Why update strategy depends on more than fleet size
The biggest mistake Intune admins make is treating patch management as a single policy decision. In practice you have four independent control planes — quality update deferrals (update rings), annual feature upgrade gating (feature update profile), driver/firmware sequencing (driver update policy), and optional Microsoft-managed ring automation (Autopatch). Getting the wrong combination means either over-investing in ring operations you don't need, or shipping drivers and OS upgrades in the same wave and spending days isolating regressions. The questions in this tool surface which planes matter for your specific environment. For a deeper look at ring design and deferral math, see the WUfB Update Rings guide.
Decision Tools · Comparison
Windows Update for Business vs Autopatch
Own your update rings with Windows Update for Business, or hand them to Windows Autopatch — the patching ownership decision.
Both Windows Update for Business (WUfB) and Windows Autopatch deliver Windows quality and feature updates via the same underlying Windows Update pipeline — the difference is who designs the rings, watches the telemetry, and makes the call to pause. WUfB puts that work in your hands; Autopatch puts it in Microsoft's. Neither is universally superior; the right answer usually depends on how much engineering capacity you have and how much variance in update timing your business can tolerate. See also: Which Windows update strategy is right for me? →
Criterion
Windows Update for Business
Windows Autopatch
Who designs and manages update rings
You own every ring — define deferral days, pause windows, and ring membership yourself via Update Rings policies in Devices → Windows → Update rings for Windows 10 and later.
Microsoft owns the ring design — four built-in rings (Test, First, Fast, Broad) with Microsoft-set deferral schedules. You can move devices between rings but cannot redefine the schedule cadence.
Licensing prerequisite
Included with any Intune license (or even with Azure AD P1 + co-management). No premium SKU required.
Requires Windows 10/11 Enterprise E3 or E5, Microsoft 365 E3/E5, or A3/A5. The Autopatch service itself is included in those SKUs — but if you're on Business Premium or Intune standalone only, you're blocked.
Control granularity
Maximum control — set separate deferrals for quality vs. feature updates, configure deadline and grace period per ring, target by Azure AD group, and layer Feature Update policies for specific version pinning (Devices → Windows → Feature updates for Windows 10 and later).
Coarse control — ring assignment is the main lever. Microsoft controls deferral days within each ring. You can exclude devices, exclude updates (via the Autopatch exceptions workflow), or request a pause; you cannot set arbitrary deferral counts.
Driver and firmware updates
Full control via Windows Driver Update Management (Devices → Windows → Driver updates for Windows 10 and later) — approve or decline specific driver offers, set review periods.
Autopatch manages driver updates automatically on supported hardware (Surface, select OEMs). Granular approve/decline per driver requires exiting the Autopatch driver management and falling back to WUfB policies.
Reporting and update compliance visibility
Windows Update compliance reports in Reports → Windows updates show per-device status, but you build your own alerting — no built-in SLA tracking or anomaly detection.
Purpose-built reporting — Autopatch provides a dedicated Windows Autopatch blade with quality update compliance reports, deployment health, and Microsoft-initiated pause notifications. Anomaly detection is handled by Microsoft.
Rollback and pause capability
Manual safeguard holds — you apply a pause (up to 35 days per update category) yourself, or pin feature update versions. No automated rollback; uninstall via DISM or Windows Update uninstall window only.
Microsoft can initiate a global pause on your tenant if telemetry signals a bad update. You can also pause manually per ring from the Autopatch blade. Same underlying platform limits apply — no true automated rollback either.
Operational effort (steady-state)
High ongoing effort — you monitor patch Tuesday results, validate ring progression, respond to quality issues, and tune deferrals each month. Requires a dedicated engineer or regular calendar time.
Low ongoing effort — Microsoft monitors release health and handles ring progression. Your team responds to exceptions and validates business-critical apps; Microsoft handles the patching cadence.
Applicability to non-Windows endpoints
Microsoft 365 Apps updates can be managed alongside WUfB using Update Rings for Microsoft 365 Apps. Complementary coverage.
Autopatch also covers Microsoft 365 Apps, Microsoft Edge, and Microsoft Teams in addition to Windows — broader product scope out of the box, but only for supported products. No macOS or iOS patching.
Choose Windows Update for Business when…
You don't have Windows Enterprise E3/E5 licensing and Autopatch is simply unavailable.
You have complex ring requirements — regulated validation gates, change-freeze windows, or per-OU deferral schedules that don't map to Autopatch's four-ring model.
Your change-management process requires engineer sign-off before each ring advances.
You need granular driver approval workflows (approve/decline per driver per device model).
You're already running a mature, staffed patch-management function and the overhead is acceptable.
Choose Windows Autopatch when…
You have qualifying Enterprise licensing and want to offload the month-to-month patching workload.
Your IT team is lean and can't commit engineering hours to ring management every Patch Tuesday.
You want Microsoft to absorb the "is this update safe to release?" decision and initiate pauses on your behalf.
You need coverage beyond Windows — Microsoft 365 Apps, Edge, and Teams update management included at no additional effort.
Your device estate is relatively homogeneous and fits cleanly into the four-ring progression model.
In practice, many mature environments run both: Autopatch for the broad corporate fleet (low-touch, Microsoft-managed cadence) and WUfB Feature Update policies layered on top for specific version pinning or for device populations that need longer hold windows. Start with the update strategy decision guide, then deep-dive into the mechanics at Windows Update for Business → or Windows Autopatch →.
Decision Tools · Calculator
Update ring rollout timeline
Turn your deferral and deadline settings into a real calendar: when a patch reaches the pilot ring, the broad ring, and full coverage.
Paste in your Windows Update for Business deferral and deadline settings and this calculator tells you the exact day each ring sees a patch — and the last possible day a device installs it before the user loses control. Deferral days delay when the device sees the update; deadline plus grace period is what actually forces the reboot. Deferral alone never forces anything.
Adjust the four inputs to match your current ring policy, then read the band to see whether your full-coverage day is brisk or needs tightening.
How the timeline math works
Each ring's "offered" day is simply its deferral value — the moment Windows Update for Business releases the update to that ring's devices. From that point, devices download and install opportunistically. The forced-restart clock doesn't start until the deadline fires (configured in the Update rings policy under Devices > Windows > Update rings for Windows 10 and later). After the deadline, users get one last buffer — the grace period — to snooze the restart. Full coverage day is therefore broadDefer + deadline + gracePeriod: the absolute latest a broad-ring device can still be unpatched. The pilot ring has no forced-restart calculation here because its purpose is validation, not speed — watch the pilot ring for 24–48 hours of telemetry before accepting that the broad ring is safe to proceed. See the Windows Update for Business guide for policy path details and the rollout capacity calculator to estimate concurrent device load.
Decision Tools · Troubleshooter
An app will not install
Pick the platform and the failure shape and get the most likely cause and the next thing to check.
Walk through six targeted questions — platform, then failure shape — to surface the most likely cause and the exact Intune console location to check next. Covers Win32, LOB, Microsoft Store, iOS/iPadOS VPP, Android Managed Google Play, and macOS PKG/DMG deployments.
If you want a deeper dive after identifying the cause, the App install failures reference covers all platforms in one place.
How this troubleshooter is structured
The tree branches first on platform because the delivery stack is completely different per OS — Win32 apps use IME and the Intune CDN, iOS/iPadOS use APNs and VPP, Android uses the Managed Google Play DPC, and macOS uses the Intune MDM agent with its own PKG pipeline. Getting the platform right up front eliminates entire families of irrelevant causes. Within each platform the second branch targets the observable failure shape (stuck pending, error code, detection loop, policy/token error) because that maps most directly to a specific subsystem. For a comprehensive error-code reference across all platforms see the App install failures reference.
Decision Tools · Troubleshooter
A device shows non-compliant
A device is blocked or flagged non-compliant and you need to know why. Pick the platform and symptom to get the likely cause.
A non-compliant badge can mean a dozen different things: the device genuinely failed a policy check, or Intune hasn't had a chance to evaluate it yet, or Conditional Access fired before compliance was ever assessed. Work through the questions below — platform first, then the specific symptom — to land on the most likely cause and the right place to look in the Intune console.
Most non-compliant states clear themselves once you identify whether the problem is a policy gap, a reporting lag, or a CA ordering issue. The tool covers all three.
Why non-compliant is rarely one thing
Intune compliance is a signal, not a wall. The actual enforcement happens in Conditional Access — which means a device can be non-compliant in Intune without anyone being blocked, or blocked by CA before Intune has even evaluated the device. The two systems talk through Azure AD device objects, not in real time, so ordering and sync timing matter as much as the policy settings themselves. When you are diagnosing a non-compliant state, always confirm both the Intune per-setting status and the CA sign-in logs (Azure AD → Sign-in logs → filter by user → Conditional Access tab) — they tell different parts of the story. See Compliance policies and Conditional Access for the full setup guidance.
Decision Tools · Troubleshooter
Enrollment is failing
Walk the symptom to the likely cause to the fix. Pick the platform and what you are seeing, and get the specific thing to check next.
Something broke during enrollment — start with the symptom you are actually seeing, not a guess at the cause. This tree branches first on platform, then on what the device or console is showing you, and lands on the specific Intune control or log to check next.
If you are seeing multiple errors, work the most blocking symptom first. Most enrollment failures fall into five buckets: sign-in / authentication, MDM authority or device cap, ADE/DEP token problems, APNs certificate expiry, or an enrollment restriction silently blocking the device.
Why enrollment fails in predictable patterns
The vast majority of enrollment failures are not bugs — they are configuration mismatches that become visible only when a real device hits the enrollment flow. ADE tokens and APNs certificates expire annually on a fixed schedule; building a Tenant administration > Connectors and tokens review into your monthly maintenance cadence prevents the two most disruptive failure modes. For restriction and device-cap blocks, the Troubleshoot blade is your fastest diagnostic: it shows exactly which policy evaluated, which priority won, and what the outcome was for a specific user — far faster than reading logs. See Enrollment error codes reference for a full list of numeric codes and their remediation steps.
Decision Tools · Troubleshooter
A policy or profile is not applying
A configuration profile shows not-applied, errored, or simply has no effect. Pick the symptom and get the most likely cause.
A configuration profile or policy that shows Not applicable, Error, or just plain has no effect on a device is one of the most common Intune support tickets. The cause is almost always one of five things: a conflicting policy fight, a bad assignment or filter, a device that hasn't checked in, a platform/supervision requirement the device doesn't meet, or a typo in a custom OMA-URI. Work through the branches below to zero in on the most likely culprit — then follow the linked guide to fix it.
Before you start: open Devices > Configuration, click the profile, then click Device and user check-in status. Note exactly what status is shown for the device — Succeeded, Error, Conflict, Not applicable, or nothing at all. That single field drives every branch below.
Why policies silently fail to apply
Intune's policy engine is layered: the Intune service computes what should apply, the MDM channel on the device writes the values, and then the OS enforces them. A failure at any layer produces a different symptom — Conflict, Error, Not applicable, or the deceptive Succeeded-but-no-effect. The most common root cause in production is assignment scope: a profile is assigned to a group that either doesn't contain the device, or whose dynamic membership query hasn't yet evaluated. The second most common is a GPO or Security Baseline collision that nobody noticed because the profiles were created independently. See Policy conflicts and GPO overlap for the full conflict-resolution decision matrix, and Settings Catalog fundamentals for how to author conflict-free profiles from the start.
Decision Tools · Wizard
How should I target this assignment?
Assigned group, dynamic group, or assignment filter — pick the cleanest way to scope this policy to exactly the right devices.
Targeting is where Intune estates quietly rot. Every "just make a group for it" decision compounds until you are staring at four thousand near-identical Entra groups, nobody remembers which rule drives which one, and membership recalculation lags so badly that freshly enrolled devices miss their first policy pass. The mechanism you reach for here is an architecture decision, not a clerical one.
Three controls do the work, and they are not interchangeable. Assigned (static) groups are hand-picked membership. Dynamic groups are Entra groups whose membership is a saved query over user or device attributes, recalculated by Entra. Assignment filters are reusable rules evaluated by Intune at device check-in, layered onto an existing assignment in include or exclude mode — no new group object at all. The rule of thumb a staff engineer ships with: a small number of broad groups, narrowed by filters, beats a sprawl of tiny groups every time. Answer a few questions and land on the right one.
The rule of thumb worth tattooing
Reach for the mechanism in this order: filter on a broad group first, dynamic group when the scope is reused outside Intune or needs logic a filter can't express, and a static group only when membership is a deliberate hand-picked list. Don't rebuild "All users" or "All devices" yourself — Intune's virtual groups cost nothing to evaluate. And never use a dynamic device group as an exclusion in a latency-sensitive path: the exclude membership can lag behind enrollment and the policy lands before the device is carved out. That's exactly what filters were built to fix.
Decision Tools · Wizard
Which RBAC & scope-tag model?
Delegate Intune administration without handing out global power — land on the right built-in role, custom role, and scope-tag design.
The fastest way to wreck a tenant is to solve a delegation problem with an Entra directory role. Someone asks "the service desk needs to remote-wipe lost phones" and three clicks later they hold Intune Administrator — an unscoped superset that can also touch Conditional Access, app protection, and every device in every region. Intune has its own RBAC layer that is finer-grained and, critically, scopable. Reach for the directory role only when the human genuinely needs power in other services too.
Get the mental model right before you click anything. A role is just a bag of permissions (read/create/delete/wipe on each resource). A role assignment is what makes it real, and it has three independent legs: members (the admins, as a security group), the scope (groups) of devices/users those admins are allowed to manage, and the scope tags that gate which policy and app objects they can even see. Permissions decide what they can do; scope decides to whom and to which objects. Hold those apart and the rest of this is easy.
The rule of thumb
Default to the narrowest built-in Intune role, assigned to a group, with Default scope tag — then only widen when a real requirement forces your hand: a missing verb pushes you to a custom role, a partitioning requirement pushes you to scope tags, and a genuine cross-service need pushes you to the Entra role (and that one goes through PIM, eligible, time-boxed). Every step away from that default is a step you should be able to justify in an audit. If you can't, walk it back.
Decision Tools · Comparison
Dynamic vs Assigned groups
Membership rules that maintain themselves versus hand-picked members — and where assignment filters change the math.
Both are just Entra security groups you point an Intune assignment at — the difference is who decides who's in. A Dynamic group computes membership from a rule evaluated against Entra attributes; an Assigned group holds members you (or an automation) put there explicitly. The decision turns on one axis: do you want membership to track a changing fleet attribute on its own, or do you want a frozen, auditable list you control by hand?
Get the membership-rule mechanics right before you commit. Dynamic device rules run on attributes like deviceOSType, deviceOSVersion, enrollmentProfileName, devicePhysicalIds (where Autopilot group tags live as [OrderID]), deviceManagementAppId, and extensionAttribute1-15. There is a memberOf operator for device rules, but it's limited — it can only reference assigned (not dynamic) groups and can't be nested, so it's a poor way to build a dynamic group that means "everyone in Group X." Lean on attributes, not group references.
Criterion
Dynamic group
Assigned group
Membership maintenance
Self-maintaining — the rule re-evaluates as attributes change; a reimaged device with a new enrollmentProfileName falls in or out with zero ops touch
Manual — someone or some script adds and removes every member; drift is permanent until a human fixes it
Latency
Eval lag — membership is not instant; on a large tenant a full re-evaluation can take minutes to hours after an attribute flips or a rule edit, which delays first policy delivery
Instant — add a member and it's effective immediately; the device picks up the assignment on its next check-in
Predictability & audit
Can surprise — correct rules still produce non-obvious membership; one flipped attribute (an OS upgrade, a re-enrollment) silently moves a device between rings
Explicit — the member list is the audit trail; for change-controlled pilots and break-glass exclusions you can prove exactly who was targeted
Licensing
Needs Entra ID P1 — dynamic membership requires a P1 (or higher) license; no P1, no dynamic groups
No extra license — assigned groups work on any tenant tier
Nesting
Group references are limited — a dynamic device rule can reference an assigned group via memberOf, but not another dynamic group, and the reference can't be nested; composing by widening the rule stays simpler and more predictable
Nesting works, with care — Intune resolves an assigned group's nested members for assignment targeting, but a dynamic group can't be a child that a rule reaches into; keep nesting shallow to stay debuggable
Scale
Built for fleets — attribute-based rules scale to tens of thousands of devices without per-device upkeep; this is the default for OS-wide or profile-wide baselines
Fine when small — great for a fixed pilot ring or a known exclusion list; becomes a maintenance tax the moment the list should move on its own
Cost of change
Edit once, wait — change the rule and the whole population converges automatically, but you absorb re-eval latency and must regression-test the new rule against today's attribute values
Edit forever — every population change is another manual edit or another scheduled job to maintain; cheap once, expensive ongoing
Assignment filters are the third lever — and not a group type
A filter isn't membership; it's a device/app rule applied at assignment time that narrows (include) or carves out (exclude) which targeted objects actually receive a profile. You build broad dynamic groups, then attach a filter on properties like operatingSystemVersion, deviceOwnership, enrollmentProfileName, or model per assignment. The win: one group serves many policies, each scoped differently, so you stop minting a near-duplicate dynamic group for every variation. The pattern that ages well in production is broad dynamic group + assignment filter — it cuts group sprawl, keeps the targeting logic next to the policy where reviewers can see it, and filters evaluate at check-in so they sidestep the dynamic re-eval lag. See the dynamic groups & filters reference for rule syntax.
Choose Dynamic when…
The population is defined by an attribute — all Windows, a specific Autopilot profile, a corporate-owned ownership type — and should self-correct as devices change
You're targeting a large or churning fleet where manual upkeep would be a standing ops cost
You have Entra ID P1 and can tolerate eval latency on first delivery
You'll pair it with assignment filters instead of cloning groups per variation
Choose Assigned when…
You need an explicit, change-controlled list — a named pilot ring, a break-glass exclusion, an early-validation cohort
Membership must take effect instantly with no re-eval window
There's no clean attribute that captures the set, or the set is small and stable
You're on a tier without Entra ID P1
The verdict
Default to broad dynamic groups plus assignment filters for anything attribute-shaped and fleet-sized — it's the only model that doesn't accrue manual debt. Reserve assigned groups for the handful of cases where an explicit, auditable, instantly-effective list is the actual requirement: pilots, exclusions, and break-glass. Mixing both is normal and correct; the mistake is using assigned groups for populations that should maintain themselves, or spinning up a new dynamic group every time a filter would have done the job. When you're unsure which lever a specific assignment wants, walk it through How should I target this assignment?
Decision Tools · Blueprint
Day-0 tenant foundation
Stand up a brand-new Intune tenant the right way: the guardrails, identity, and delegation you set before the first device ever enrolls.
A greenfield tenant is the only time you get a clean slate. Every object you create afterward inherits whatever defaults were in place when it was born — scope tags, compliance state, CA exposure. Retrofitting those onto thousands of live devices is the kind of weekend-eating project that gets architects fired. The order below is deliberate: identity and restrictions go in before enrollment, so the first device that checks in lands in a tenant that is already safe-by-default and auditable.
Budget roughly a focused day to reach a pilot-ready state for one platform. Do not let anyone enroll "just a test device" before step 2 is done — that device will skip your restrictions and you'll be cleaning it up later.
🏢 The foundation
Platform: All · Ownership: Corporate & BYOD · Effort: ~1 day to pilot
Licensing, MDM authority & automatic enrollment
Confirm every targeted user has an Intune-bearing license (EMS E3/E5, M365 E3/E5, or standalone). In Entra ID > Mobility (MDM and MAM) > Microsoft Intune, set the MDM user scope — Some (scoped to a pilot group) for a controlled rollout, not All on day one. The MAM user scope governs unenrolled app protection. Then customize Company Portal under Tenant administration > Customization: org name, support contact, theme color, and privacy statement so the first enrollment screen looks like you, not a default. Guide →
Enrollment restrictions — build the walls first
Under Devices > Enrollment > Device platform restrictions (and Device limit restrictions), block the platforms and OS versions you do not support, block Personally owned where corporate-only is required, and drop the per-user device limit from the default 15 to a number you'll actually defend. This must exist before any device enrolls — restrictions are evaluated at enrollment time and do nothing retroactively. Which restrictions? →
Identity guardrails & break-glass
Create at least two cloud-only emergency access (break-glass) accounts, exclude them from all Conditional Access policies, give them long passphrases in a vault, and alert on their sign-in. Turn off Security Defaults so CA can take over, define your named locations (trusted egress IPs, country blocks), and decide your MFA posture before you write a single CA policy. Skipping break-glass is how a bad CA policy locks every admin out of the tenant permanently. Microsoft Learn →
RBAC & scope tags — tag from birth
Define your Intune roles and scope tags under Tenant administration > Roles before any policy or app exists. Assign the Default scope tag deliberately and create tags for each business unit, region, or support tier. Objects created without a tag plan inherit Default forever, and stamping tags onto a live estate later is pure toil. Decide least-privilege delegation now. RBAC model →
Group, filter & naming taxonomy
Stand up your device categories, a small set of dynamic groups, and the assignment filters (under Tenant administration > Filters) you'll use to slice rings. Lock a naming convention — INT-WIN-Pilot, INT-iOS-Corp — so groups stay self-documenting at 200 objects. Prefer filters over an explosion of groups for ring targeting. Targeting model →
Baseline Conditional Access in report-only
Author your require-compliant-device and require-approved-app (MAM) policies in report-only first, confirm your break-glass exclusions, and read the workbook before flipping to On. Report-only lets you see who would be blocked without breaking sign-ins on a fresh tenant. Zero Trust CA →
Default compliance policy & the "no policy" default
Create a baseline compliance policy per platform with sensible actions (notify, then mark noncompliant after a grace period). Critically, under Devices > Compliance > Compliance policy settings, set "Mark devices with no compliance policy assigned as" to Not compliant. The default of Compliant means an unmanaged or unscoped device sails through your require-compliant CA — a silent hole. Compliance actions →
Notifications, approvals & tenant attach
Configure compliance/enrollment notification templates with your branding, decide on multi-admin approvals for high-risk actions where licensed, and if you run Configuration Manager, set up tenant attach (and Co-management workload sliders) under Tenant administration > Connectors and tokens so cloud and on-prem don't fight over the same devices. Connectors & tokens →
What this gets you
A tenant that is safe-by-default: nothing enrolls outside your platform/ownership rules, and an unmanaged device reads as noncompliant.
Every object tagged and scoped from creation — clean delegation and no retroactive tagging project.
Break-glass access guaranteed, so a CA mistake never locks you out.
CA validated in report-only before it can block a single real user.
Common first-timer traps
Enrolling devices before enrollment restrictions exist — they skip the walls and need cleanup.
No break-glass accounts, then a CA policy bricks every admin.
Leaving "no compliance policy = Compliant" — a silent gap in require-compliant CA.
No scope-tag plan, forcing a painful retrofit across thousands of live objects.
Why order is the whole game
Each step closes a door before the next one opens. Restrictions before enrollment, break-glass before CA, scope tags before objects, the compliance default before require-compliant goes live. Get the sequence wrong and you're not configuring a tenant — you're remediating one. Rehearse the whole flow against a throwaway tenant in the Intune Simulator first, then check your work against Tenant configuration health → before you scale enrollment.
Decision Tools · Scorecard
Tenant configuration health
A hygiene audit of your tenant’s guardrails, targeting discipline, security defaults, and operational basics — tick what is genuinely true and see where the risk is.
Most tenants don’t fail at go-live — they rot. The pilot ships, the configs work, and then for two years nobody touches the foundation while three admins each add "just one more" static group, a CA policy gets carved out for a noisy exec, and the "devices with no compliance policy" setting quietly stays at the default. None of these are outages. All of them are debt, and the interest compounds: every missing guardrail becomes a blast radius, every static group becomes a thing someone has to remember, every blanket Intune Administrator becomes a credential an attacker would love.
This scorecard is the audit I run before touching anyone’s tenant. It is deliberately weighted — a missing break-glass exclusion (w3) will hurt you far more than a missing naming convention (w1). Score yourself honestly on what is actually configured today, not what’s on the roadmap. The bands tell you whether you’re governed, functional-with-gaps, or sitting on foundational risk.
Read the weighting, not just the number
Two tenants can both land at 60 and be in completely different shape. The one missing only w1 items (naming, device limits) is in great health with cosmetic gaps. The one missing the w3 items — no break-glass exclusion, no compliant-device CA, no-compliance-policy default left at "Compliant" — is a single bad day from a tenant-wide lockout or a fleet that silently reports healthy while being wide open. Triage by weight: fix every unchecked w3 before you touch a w1. Then come back, re-run this monthly, and treat any regression the same way you’d treat a failed deployment — because that’s exactly what config drift is.
Decision Tools · Matrix
Intune RBAC role matrix
Every built-in Intune role and what it can actually do — filter by the job you need delegated.
Intune RBAC is a deny-by-default model: a built-in (or custom) role defines a set of permissions, and you grant it by creating a role assignment that binds the role to members (an Entra security group of admins), a set of scope tags, and the groups of users/devices those admins are allowed to act on. Picking the right built-in role is step one — the assignment scoping in Which RBAC & scope-tag model? is what actually contains blast radius. You configure all of this under Tenant administration > Roles > All roles in the Intune admin center.
The matrix below maps the seven roles people reach for most against the six things teams actually need delegated. A common mistake is handing out the Entra Intune Administrator directory role because "the built-in roles felt fiddly" — that role is the unscoped superset and ignores scope tags entirely. Filter by the job, pick the narrowest role that does it, and scope it.
Reading the rows the way I deploy them in production:
Help Desk Operator is the L1/L2 workhorse: it can see almost everything and run remote tasks (sync, restart, remote lock, reset passcode, locate, rotate BitLocker keys) and assign already-published apps and policies to groups — but it can't author config or compliance, and it has no enrollment-program rights. Scope it tightly to the device groups that team supports.
Application Manager owns the app lifecycle end to end (add, edit, assign, retire) and nothing else. This is the cleanest delegation in the product — give it to your packaging team and keep them out of policy.
Policy and Profile Manager authors device configuration and compliance policies and can manage Apple enrollment-program profile assignment, but it does not manage apps. Pair it with Application Manager for a full "config team" without granting security tooling.
Endpoint Security Manager targets the Endpoint security blades — antivirus, disk encryption, firewall, EDR, ASR, account protection — and the remote security actions. It overlaps with compliance and a slice of configuration, which is why "opt" sits in the Device configuration column. This is your SecOps role, not your provisioning role.
Read Only Operator is exactly that — visibility with zero write. Perfect for auditors, NOC dashboards, or onboarding a new hire before you trust them with actions.
Intune Role Administrator is the one people misread: it manages roles and role assignments, full stop. It can delegate RBAC but cannot touch devices, apps, or policy. Treat it as a powerful meta-role and give it to very few people.
Intune Administrator is the Entra directory role, not an Intune built-in role. It is the unscoped superset — every permission, every scope tag, ignored. It's the right hat for the two or three people who own the service, and the wrong hat for everyone else.
APNs, ABM/VPP, Managed Google Play, MTD, certificate connectors — wire up only the integrations your platforms and scenarios actually require.
Connectors and tokens are the plumbing under Tenant administration > Connectors and tokens (plus a couple that install on-premises). Get them wrong and enrollment silently fails, apps never install, or compliance flips to non-compliant at 2 a.m. when a token quietly expired. The trap is over-provisioning: teams stand up an NDES box and a hybrid-join connector they never needed because a checklist told them to. The right move is to derive the list from the platforms you manage and the specific scenarios in play, then own the renewal calendar for the ones that expire.
This wizard branches by your primary platform and the scenario driving the work, then hands you the exact connector checklist for that branch with ownership and renewal notes. Run it once per platform you support — Apple, Android, and on-prem PKI each have an independent answer.
The rule of thumb
Provision connectors from your platform-and-scenario matrix, not from a generic checklist — and the day a connector goes live, the renewal date goes on a shared calendar owned by a team, not a person. The three Apple artifacts (APNs, the ABM/ADE token, the Apps & Books token) all expire at 365 days and all bind to an Apple ID, so the single most common production outage in this space is a lapsed Apple credential nobody owned. Android's Managed Google Play and the on-prem connectors don't expire, but they're infrastructure — patch and monitor them like the production dependencies they are.
Decision Tools · Wizard
Which enrollment restrictions?
Decide the guardrails that decide which devices are even allowed to enroll — platform, version, ownership, and per-user device limits.
Enrollment restrictions are the front door of your tenant. They run before compliance, before Conditional Access, before a single policy lands — they decide whether a device gets an MDM record at all. Get them wrong and you either flood the tenant with personal phones you never meant to manage, or you lock out a platform your VIPs actually use. Configure both types under Devices > Enrollment > Enrollment restrictions: Device platform restrictions (allow/block by platform, min/max OS, block personally-owned) and Device limit restrictions (1–15 devices per user).
Two mechanics worth burning into memory. First, both restriction types are prioritized and group-assigned — Intune evaluates from priority 1 down, the first policy that matches the user wins, and an un-deletable All users / Default policy at the bottom catches everyone else. Second, the personal-vs-corporate block is platform-specific: on iOS/iPadOS it leans on ADE (Setup Assistant) and corporate identifiers (serial/IMEI), on Android it uses the corporate-identifier list and which Play enrollment profile the device hit, and on Windows the "block personally-owned" toggle is the restriction itself. Walk the wizard to land your default posture.
The architect's rule of thumb
Set the Default (All-users) policies to your most restrictive sane posture — block the platforms you don't run, block personal where you mean MAM-only, and pin a reasonable device limit — then carve exceptions upward with higher-priority, group-scoped policies. It is far safer to start closed and open precise holes than to start open and try to claw it back after 4,000 personal phones have already enrolled. And whenever a shared-device scenario tempts you to crank the per-user limit to 15, stop: that's almost always a no-affinity enrollment problem wearing a device-limit costume.
Decision Tools · Wizard
Wipe, Retire, Fresh Start, or Reset?
A device needs to be reset, recovered, repurposed, or decommissioned — pick the exact remote action that does it without stranding the device or losing the data you needed.
Five buttons live on the same row in Devices > All devices > (select device) — Retire, Wipe, Delete, plus the Windows-only Autopilot Reset and Fresh Start. They look interchangeable and they are absolutely not. Pick wrong and you either leave org data on a personal phone, blow away a user's local files they expected to keep, or orphan a record that lets a live device drift unmanaged for weeks. The driver is almost never "what does the button say" — it is what outcome do you actually want, then platform, then connectivity.
Three traps run through every wrong answer below. Retire is not Wipe — Retire is a selective wipe that removes only company data and leaves the OS and personal files intact. Delete is a record-cleanup action, not a reset — it removes the Intune object and, on the device's next check-in, fires a Retire (Apple, macOS, Windows, and BYOD Android) or a Wipe (corporate-owned Android); it never factory-resets a desktop. And a factory Wipe can brick a device into a recovery loop if Activation Lock (Apple) or Factory Reset Protection (Android) kicks in and you never escrowed the bypass. Answer the questions with the end state in mind, not the verb.
The architect's rule of thumb
Name the end state before you touch a button: org data gone, device kept = Retire; back to factory = Wipe; same Windows box, new person = Autopilot Reset; same box, kill the app rot = Fresh Start; record gone, device already dead = Delete. Two disciplines keep these from biting you: escrow the unlock path (Activation Lock bypass, FRP / factory-reset-protection emails, BitLocker key) before you ever issue a destructive command, and only ever Delete after the device confirms its wipe — never as a shortcut for one. Every stranded device I've seen in production traces back to skipping one of those two.
Decision Tools · Comparison
Autopilot Reset vs Fresh Start
Two ways to recycle a Windows device in place — what each one keeps, what it wipes, and when it actually leaves you better off than a full wipe.
Both of these live under Devices > Windows > [device] > ... as remote actions, and both deliberately preserve the device's identity — the Entra join and Intune MDM enrollment survive (for Fresh Start, when you keep Retain user data on). That is the whole point: you are recycling the device without the help-desk-visit, re-image-from-USB, re-enroll dance. Where they diverge is what they tear out and whether the Autopilot provisioning sequence runs again. Get that wrong and you either hand a device to a new user with the last user's data still on it, or you needlessly blow away a working profile just to clear some app cruft.
The short version: Autopilot Reset returns the device to a clean, fully re-provisioned state — think "next user, fresh start, known-good config." Fresh Start strips user-installed and OEM-preinstalled apps (the CleanPC operation) while optionally keeping the current user's data — think "same user, get them out of app hell without losing their files." Neither is the local Settings > Recovery > Reset this PC; that is an OS-local operation with no Intune awareness.
Criterion
Autopilot Reset
Fresh Start
User accounts & profiles
Removed — all local user profiles, accounts, and personalization are deleted; the primary user is removed and the device returns to a pre-user provisioned state
Optional — the Retain user data toggle preserves the contents of the user's Home folder; choose to drop it for a clean handoff
Personal / user data
Wiped — user data does not survive; treat it as gone
Can be kept — with retain-data on, the user's Home folder contents stay in place
User-installed & traditional apps
Removed — everything not delivered by the provisioning sequence is gone; only the re-provisioned policy/app set returns
Removed — strips user-installed and OEM-preinstalled apps along with their settings; resolves app conflicts and bloatware
Entra join & Intune enrollment
Preserved — stays Entra joined and MDM enrolled throughout
Preserved with retain-data — keeps the existing join and enrollment when you retain user data; without it, the device drops to OOBE-completed state and BYOD devices are removed from Entra ID and MDM
Provisioning re-applied
Full re-provision — re-runs the Autopilot / ESP flow, re-applies the assigned Autopilot deployment profile and provisioning package, re-pulls assigned apps and policy
No re-provision — does not re-run Autopilot/ESP; the device just resumes under its existing Intune assignments after the apps are removed
Result you land on
Known-good, like-new — identical to a freshly provisioned device, ready for the next user at the lock screen
Cleaned, same context — same user can keep working; you have removed the cruft but not reset the device's identity or assignments
Network dependency
Mandatory — must reach the Autopilot service and Intune to re-provision; offline it will stall
Lighter — removes the apps locally, but still needs connectivity to re-sync policy and reinstall any managed apps
Trigger location
Devices > [device] > Autopilot reset (remote); can also be initiated locally on the lock screen with the keyboard sequence by a local administrator
Devices > [device] > Fresh Start (remote action)
Choose Autopilot Reset when…
You are reassigning the device to a new user and need every trace of the previous one gone — profiles, data, and apps.
It is a shared or classroom device you want returned to a clean baseline between cohorts.
The provisioned state itself is corrupted (broken policy, half-applied profile) and you want the full Autopilot/ESP flow to lay it all down again from the assigned profile.
You have a reliable network path to the Autopilot service — this is not the tool for a device sitting offline in a drawer.
Choose Fresh Start when…
The same user is staying on the device but is buried in app conflicts, OEM bloatware, or a flaky upgrade.
You want to keep the user productive — retain their data, strip the cruft, skip a full re-provision and the ESP wait.
You need to clear preinstalled junk a hardware vendor shipped without re-running enrollment.
A full Autopilot re-provision would be overkill and you do not need a clean identity hand-off.
The trap to avoid
Do not reach for Fresh Start as your device-handoff tool. With Retain user data on it leaves the previous user's files behind, and even with it off it does not re-run provisioning — so the next user inherits whatever drift accumulated since enrollment. For a clean reassignment, Autopilot Reset (or a full Wipe and re-Autopilot) is the right call. And remember neither of these is the local Reset this PC: that OS-local path has no concept of your Autopilot profile or Intune assignments and will happily orphan the device. If you are still deciding between these and the heavier hammers, walk the full ladder in Wipe, Retire, Fresh Start, or Reset? and the side-by-side in the Reset & wipe action matrix; the raw remote-action mechanics live under Remote actions: Wipe, Reset, Retire.
Decision Tools · Blueprint
Windows 365 Cloud PC fleet
Provision and govern a fleet of Cloud PCs end-to-end — from provisioning policy and image to network, identity, and the access gate.
A Windows 365 Enterprise Cloud PC is just a Windows endpoint that lives in Microsoft's datacenter and shows up in Intune > Devices like any physical machine. That is the whole point: you manage it with the same Settings Catalog, baselines, compliance, and apps you already ship to laptops — but it's provisioned, resized, and reprovisioned by policy instead of by a hardware refresh.
The piece that trips people up is that there are two control planes. Intune licensing/groups decide who gets a Cloud PC, but the provisioning policy (under Windows 365) is what actually stamps one out from an image onto a network. Get those two wired together and the rest is ordinary endpoint management.
☁️ The stack
Platform: Windows 365 Enterprise · Ownership: Corporate (cloud-hosted) · Effort: ~1 day to a working pilot
1. License & size the Cloud PC to the persona
Buy Windows 365 Enterprise SKUs sized to the role, not the average — vCPU/RAM/storage is fixed per license (e.g. 2vCPU/8GB/128GB for task workers, 4vCPU/16GB for knowledge workers, 8vCPU/32GB for devs). Assign licenses to an Entra group, not individuals: Windows 365 is license-based provisioning, so group membership is the trigger that mints a Cloud PC. Plan the group strategy first. Targeting →
2. Choose join type & network
Default is the Microsoft-hosted network — Entra-joined, zero infrastructure, you just pick a region. Only stand up an Azure Network Connection (ANC) if you need Hybrid Entra join or on-prem line-of-sight (legacy file shares, domain-bound apps). ANC means you own the VNet, DNS, and routing. Either way, pick the region closest to the user — wrong region is the number-one latency complaint. Windows baseline →
3. Build the image
Start from a Gallery image (Windows + Microsoft 365 Apps, patched) for the pilot — it's the fastest path and Microsoft keeps it current. Move to a custom managed image only when you need baked-in apps or settings that are painful to layer on at runtime. Keep custom images thin; let Intune apps and config do the heavy lifting so you don't fight image drift later.
4. Create the provisioning policy
This is the engine. Under Devices > Windows 365 > Provisioning policies, a policy maps your licensing group to an image + network/join type + a naming template. Saving it and adding a licensed user is what actually provisions Cloud PCs. One policy per persona/region combination keeps naming and image clean.
5. Manage it like any Windows endpoint
Now apply your normal stack: Settings Catalog config, the security baseline, compliance policy, and apps. Target a dynamic device group for Cloud PCs (or use a device filter on model -contains "Cloud PC") so the same physical-laptop policies don't drag in hardware-only settings. Skip BitLocker, driver/firmware, and power policies — they're N/A on a virtual disk and just generate noise. Settings Catalog →
6. Gate access with Conditional Access
Cloud PCs still need compliance + CA — they are not implicitly trusted. Build CA targeting the Windows 365 and Azure Virtual Desktop cloud apps requiring a compliant device and MFA. This is also the BYOD win: an unmanaged personal machine connects via the web/app to a fully compliant Windows surface, so your data never lands on the untrusted endpoint. Zero Trust CA →
7. Monitor & operate
Use Devices > Windows 365 > All Cloud PCs plus the Cloud PC utilization and connection-quality reports to right-size and catch RTT problems. Drive day-2 from remote actions: Restart, Resize (bump vCPU/RAM without rebuild), and Reprovision (clean reset to image for offboarding or a corrupted desktop). Practice the flow safely in the Intune Simulator.
What this gets you
Elastic, fully Intune-managed desktops you can resize or reprovision in minutes — no hardware lead time
A compliant Windows surface for BYOD and contractors, with corporate data confined to the Cloud PC
One policy set across physical and virtual, governed by the same baseline, compliance, and CA
Clean offboarding: reprovision or deprovision a license and the desktop is gone
Common first-timer traps
Targeting hardware-only policies (BitLocker, driver/firmware, power) at Cloud PCs — they fail or do nothing and clutter reporting
Picking a far region — RTT kills the experience; place the Cloud PC near the user, not the admin
Assuming Cloud PCs are trusted — without compliance + CA they're an open door
Fat custom images that drift; let apps/config layer at runtime instead
Assigning licenses to users instead of a group, then wondering why provisioning is unmanageable
The mental model that keeps this clean
Treat the provisioning policy as the only Windows-365-specific thing you own, and treat everything downstream as ordinary endpoint management against a device that happens to have no physical chassis. Lead with the Gallery image and the Microsoft-hosted network for the pilot, prove compliance and CA work end-to-end, then graduate to ANC or a custom image only when a concrete requirement forces it. If you also run AVD or session hosts, decide deliberately between them — see Windows 365 vs AVD → — but for a per-user managed desktop, Windows 365 is the lower-effort win.
Decision Tools · Calculator
Provisioning bandwidth planner
Will the site link survive a rollout wave? Size content download against device count, payload, and link speed before you flip the switch.
The single most common way a clean Autopilot or fresh-imaging rollout goes sideways is not a policy bug — it is the WAN. Fifty devices hitting first boot at 9:00 AM each pull their Win32 apps, configuration content, and OS payload from the cloud at the same time, and the branch link that comfortably carries email and Teams suddenly has nothing left for the business. Devices stall in the ESP, help desk tickets spike, and someone blames Intune. This planner does the arithmetic before you schedule the wave.
The math is deliberately blunt: total bytes to move = devices times per-device payload, discounted by whatever you offload to peers or a cache server, then spread across your provisioning window and compared to usable link throughput. The number that matters is the last one — link utilisation. Anything over 100% means the wave physically cannot complete in the window you gave it, and the link will be saturated for business users the entire time.
A few honest caveats on the inputs. Per-device payload is the part people lowball — a modern Windows image with the standard productivity suite, line-of-business Win32 apps, security agents, and the feature/quality update content that often lands during provisioning routinely clears 6-10 GB, and an Office (Microsoft 365 Apps) install alone is several GB before language packs. Measure it on a pilot device rather than guessing. The peer offload figures are best-case: Delivery Optimization only reaches ~50% when there is a warm local peer set on the same NAT/subnet, so the first wave at a fresh site sees almost no peer fill and behaves like the None (0%) row. A Microsoft Connected Cache or macOS Content Caching server changes the shape entirely because the second device onward pulls from the LAN, not the WAN.
Reading the number
Treat link utilisation as a traffic light, not a pass/fail. Under ~70% is comfortable, but still stagger first boots — the calculator averages load across the whole window, while real provisioning is spiky and a synchronised 9:00 AM start can momentarily hit 3-4x the average. 70-100% means the wave technically fits but leaves nothing for the business; split it into smaller batches across more hours, or schedule it overnight. Above 100% the wave simply will not finish in the window, full stop — your levers are fewer concurrent devices, a longer window, or moving bytes off the WAN with a cache server or pre-staged content. If you find yourself permanently in the warn band, the right fix is architectural, not operational: put a Connected Cache at the site, throttle background downloads through Delivery Optimization policy, and size your assignment waves to the link rather than to the calendar. When you are planning a Cloud PC fleet instead, the WAN math moves to the datacentre — see the Windows 365 blueprint for where the content actually lands.
Decision Tools · Matrix
Reset & wipe action matrix
Every remote reset, wipe, retire, and delete action side by side — what survives, what is removed, and which platforms support it.
The five buttons under Devices > All devices > (device) > ... look interchangeable and absolutely are not. Picking Retire when you meant Wipe hands a corporate device back to a leaver with all their personal data intact; picking Wipe when you meant Retire nukes a BYOD user's photos and gets you a help-desk ticket and possibly a legal one. Delete is the quiet trap — it triggers a Retire (or, on Android corporate-owned devices, a Wipe) and removes the Intune object, but it leaves the Microsoft Entra ID device record behind to orphan unless you clean it up separately. Read across before you click.
This matrix is the reference; if you are still deciding which action fits the scenario (off-boarding, repurpose, lost device, BYOD exit), run the Wipe, Retire, Fresh Start, or Reset wizard first, then come back here to confirm the blast radius. Action mechanics and admin-center paths are documented under Remote actions: Wipe, Reset & Retire.
The three traps that turn a clean reset into a re-image
Delete leaves the Entra record behind. Deleting in Intune fires a Retire (or a Wipe on Android corporate-owned devices) and removes the Intune object, but it does not remove the Microsoft Entra ID device record. That stale Entra record lingers, can affect compliance and reporting, and may keep the device showing in your tenant inventory. If you want a device fully gone, send Retire or Wipe, confirm it completes, then remove the leftover Entra record — or let stale-device cleanup rules handle it (see the stale device cleanup planner).
Hardware locks strand a wiped device. A factory Wipe on an Apple device re-arms Activation Lock, and on Android it re-arms Factory Reset Protection (FRP). If the device was not supervised via ADE/Apple Business Manager or zero-touch, or you did not capture the Activation Lock bypass code (select the device > Hardware blade > Activation Lock bypass code) before wiping, the next person hits a Google/Apple ID prompt you cannot answer and the hardware is a brick. Escrow the bypass first; for shared and kiosk fleets, supervise so the lock is suppressed.
Autopilot Reset and Fresh Start are repurpose tools, not off-boarding tools. Both keep the device Microsoft Entra joined and Intune managed — they wipe apps and (for Reset) user data but the object survives, so the device re-provisions through ESP and lands back in your tenant. That is exactly what you want for a returning loaner and exactly what you do not want for a leaver's device you are decommissioning. For that, Wipe (which removes enrolment) is the only one of the Windows actions that fully exits the tenant. Weigh the two repurpose paths in Autopilot Reset vs Fresh Start.
Decision Tools · Wizard
Script, remediation, or Win32?
You need a custom action on the endpoint — decide whether it belongs in a platform script, a proactive remediation, a Win32 app, or a configuration profile.
Every "just run this little script" request is a fork in the road. Pick the wrong vehicle and you end up with config drift no one can see, scripts that silently failed two patch cycles ago, or a PowerShell payload doing a job a CSP would have done with conflict handling and per-device reporting for free. The order of questions below is deliberate: native setting first, then run-once vs recurring, then packaging needs.
The single rule that prevents most mess: never script what a configuration profile can set. Scripts have no conflict resolution, no built-in compliance reporting, and no automatic re-evaluation when a user changes the value back. A Settings Catalog or CSP-backed profile re-asserts on every sync and shows you green/red per device.
The rule of thumb
Walk it in this order every time: profile > script > remediation > Win32, escalating only when the tier above genuinely cannot do the job. Reach for a profile by default, a run-once platform script when no setting exists, a remediation when drift returns (and the device's user holds an eligible Windows Enterprise E3/E5, Education A3/A5, or VDA license), and a Win32 app the moment install state, detection, or supersedence enters the picture. The most expensive mistake is using a run-once script for a recurring problem — it works in the demo, then quietly stops mattering the first time a user undoes it, and nothing tells you.
Decision Tools · Comparison
Remediations vs Scripts
Proactive remediations versus plain platform scripts — same PowerShell, very different scheduling, detection, and reporting story.
On Windows you can ship PowerShell two ways from Intune: as a platform script (Devices > Scripts and remediations > Platform scripts) or as a remediation (Devices > Scripts and remediations > Remediations). The PowerShell is the same; what differs is everything around it — when it runs, whether it re-runs, what it reports, and what it costs you in licensing. Pick wrong and you either get a one-shot that silently rots, or a self-healing engine you have no license for.
The deciding axis is once vs forever. A platform script is fire-and-forget: it runs one time per device and is done unless you delete and re-add it. A remediation is a detect + remediate pair that the Intune agent re-evaluates on a schedule — hourly, daily, or once — so it actively re-checks for drift and re-fixes it, with per-device proof in the reports. If you are choosing between PowerShell, a remediation, or a Win32 app from scratch, start at #/decide/custom-action; this page is the deep dive once you have narrowed it to script vs remediation.
Criterion
Platform script
Proactive remediation
Execution model
Runs once — executes a single time per device after assignment; will not re-run unless you remove and re-add it (or the device is wiped/re-enrolled)
Scheduled — runs on a recurrence you set: Hourly, Daily, or Once, evaluated by the Intune Management Extension on its cycle
Structure
Single file — one .ps1; whatever it does, it does in one pass with no built-in conditional gate
Detect + remediate pair — the remediation .ps1 only runs if the detection .ps1 exits 1 (issue found). Exit 0 means compliant and remediation is skipped
Reporting
Thin — success / failed / pending per device under the script blade, plus the error message; no structured output columns
Rich — per-device detection status, remediation status, pre- and post-remediation output (STDOUT), and first/last run times surfaced in Reports and Endpoint analytics
Recurrence & self-healing
None — no concept of drift; if a user undoes the change tomorrow, the script will never notice
Self-healing — re-detects every cycle and re-applies the fix when the device drifts back out of compliance
Licensing
Any Intune plan — included with a standard Intune Plan 1 license
Premium — requires users of the devices to hold Windows Enterprise E3/E5 (incl. Microsoft 365 F3/E3/E5), Windows Education A3/A5, or Windows Virtual Desktop Access (VDA) per user
Execution context
Same options — run as SYSTEM or in the logged-on user context, with a 64-bit PowerShell toggle; SYSTEM scripts run once at enrollment, user scripts run at logon
Same options — choose SYSTEM or logged-on user, plus the 64-bit toggle, but the choice applies every scheduled run
Typical use case
Provisioning glue — one-time setup: drop a registry seed, install a cert, lay down a config file, create a scheduled task, run a vendor bootstrap at enrollment
Ongoing compliance — keep a setting true: enforce a registry value, repair a stuck service, clear a known fault, prove a control stays applied
Choose a platform script when…
The action is genuinely one-time provisioning that runs at enrollment and never needs to repeat
You are on Intune Plan 1 with no Windows Enterprise E3/E5, Education A3/A5, or VDA entitlement and cannot license remediations
You do not need per-device output or self-healing — fire it, confirm success, move on
You want it on macOS, where the analog is a shell script and there is no remediation parity at all
Choose a remediation when…
The setting can drift and you need it re-checked and re-fixed on a schedule
An auditor or your own change control needs proof a control is applied per device, with output columns
You want to detect first and only act when there is a real problem, avoiding needless writes
You hold the Windows Enterprise E3/E5 (or A3/A5 / VDA) licensing and want the Endpoint analytics integration
The pragmatic verdict
Reach for a platform script when the work is run-once provisioning glue and you just need it to happen at enrollment. Reach for a remediation whenever the thing can drift, you need self-healing, or you need evidence it worked — that detect/remediate split plus the reporting is worth the licensing premium for any control you actually have to stand behind. A useful tell: if you find yourself wishing your platform script would "run again to make sure it stuck," you wanted a remediation. On Windows, the full editor lives under Scripts and remediations; if a setting needs to be locked down rather than merely fixed, consider whether it belongs in a configuration profile or compliance policy instead — see the compliance settings matrix.
Decision Tools · Matrix
Compliance settings matrix
Which compliance-policy settings exist on which platform — so you stop authoring a rule one OS silently ignores.
Compliance policies are platform-scoped: every policy you create in Devices > Compliance is bound to one OS, and the available settings differ wildly between them. The trap is assuming a control you rely on for Windows — Secure Boot, Code integrity, custom JSON compliance — has an equivalent on iOS or Android. It usually doesn't, and Intune won't warn you. The device just reports compliant against a policy that never evaluated the thing you cared about.
Use this matrix to confirm a setting actually exists before you build a policy around it, then mirror your real platform policies: Windows compliance, macOS compliance, and Android compliance. Filter by area to compare like-for-like across platforms.
A setting is half the control — the action is the other half
Every row above only decides what Intune evaluates. What happens when a device fails — immediate noncompliant flag, a grace period before Conditional Access blocks it, an email to the user, a remote lock — lives entirely in the Actions for noncompliance tab, not in the settings. A policy with a perfect setting list and the default single "mark noncompliant immediately" action gives you a dashboard color and nothing operational. Decide that side explicitly in Which actions for noncompliance?, and once the policies are authored, get them assigned cleanly with How should I target this assignment? so you aren't double-targeting the same device with conflicting platform policies.
Two cross-platform gaps worth calling out before you design: the Defender for Endpoint machine-risk row is exposed on Windows, iOS/iPadOS and Android — but only fires once devices are onboarded and the Microsoft Defender for Endpoint connector is toggled on under Endpoint security; macOS compliance has no machine-risk-score setting at all, so on Mac you fall back to a third-party MTD vendor connector for any threat-level signal, which is why the macOS MTD risk-level cell is "opt" rather than first-party telemetry. If those connectors aren't live, those rows evaluate as if the setting weren't configured at all — a silent non-result, not a failure.
Decision Tools · Scorecard
Conditional Access coverage
Find the holes in your Conditional Access estate — the legacy-auth gaps, missing break-glass discipline, and unprotected surfaces attackers actually use.
Conditional Access is the load-bearing wall of an Entra-managed estate, and almost every tenant I audit has the same three holes: a policy set that looks complete but leaves legacy authentication wide open, no real break-glass account excluded from everything, and a pile of policies that were flipped straight to On without a single day in report-only. CA failures aren't loud — nothing breaks, so nobody notices the gap until an attacker walks through it with an IMAP client and a leaked password.
Score yourself honestly below. Two non-negotiables anchor this scorecard. First, break-glass: at least two cloud-only emergency accounts (no MFA dependency on a single provider, long random passwords in a vault, excluded from every CA policy and monitored for sign-in). Lock yourself out of a tenant once and you'll never skip this again. Second, report-only: every policy ships in report-only first, you read the workbook (Entra ID > Conditional Access > Insights and reporting), and only then do you enforce. Tick a box only if it's true across your whole estate, not just the pilot group.
The two boxes that matter more than the rest
If you only fix two things, fix break-glass and report-only — in that order. Break-glass is the difference between a 10-minute mistake and a support ticket with Microsoft to regain tenant access; I have watched a single mistyped "require compliant device" grant control lock every admin out of a tenant simultaneously, and the only thing that saved it was an emergency account excluded from all policies. Report-only is how you avoid creating that mistake in the first place: it shows you exactly who would have been blocked, surfaced in the Insights and reporting workbook, before a single real user feels it. Treat both as policy, not preference — and once the basics hold, pair this with the Zero Trust scorecard and tighten how you gate managed versus BYOD devices.
Decision Tools · Wizard
Which actions for noncompliance?
A device falls out of compliance — design the right sequence of actions and grace periods so you nudge users before you ever block them.
Every compliance policy in Intune carries an Actions for noncompliance stage (the policy > Actions for noncompliance blade). By default it ships with a single action: Mark device noncompliant with a grace period of 0 days. That default is rarely what you want. Designed well, this stage is a ladder — email the user, push a reminder, then let Conditional Access block — that escalates pressure over days instead of slamming the door the moment a policy evaluates false.
The single most important thing to internalize: "Mark device noncompliant" is the only action that feeds Conditional Access. Every other action (email, push, lock, retire) is a side effect. If you have no CA policy with a Require device to be marked as compliant grant, your entire ladder is toothless — users get emails and nothing actually changes. Settle the CA story first, then design the nudges. Answer the questions below to land on the right ladder for this fleet.
The rule of thumb
Design the ladder around a single question — what does the user actually lose, and when? "Mark noncompliant" plus a grace period is just a timer; the loss only happens when Conditional Access enforces it. So build CA first, give corporate 1:1 devices a 7-day graduated grace, give BYOD app-based blocks and never a wipe, hold security-critical failures to grace 0, and route shared-device noncompliance to a human queue instead of an auto-retire. If you remember nothing else: never enable Retire the noncompliant device without a deliberate conversation about exactly which assets it can destroy.
Decision Tools · Comparison
Defender for Endpoint P1 vs P2
Which Microsoft Defender for Endpoint tier the Intune compliance + security stack actually needs — and what Defender for Business gets a smaller shop.
The decision here is not "which one is more secure" — both Plan 1 and Plan 2 run the same next-gen antivirus engine and the same prevention controls. The axis that actually splits them is SecOps: do you have a team (or a managed service) that will hunt, triage alerts, and respond to incidents? P1 is pure endpoint prevention plus a clean machine-risk signal you can feed into Intune compliance. P2 is everything in P1 plus EDR, advanced hunting, automated investigation & remediation, and Defender Vulnerability Management — the apparatus you need if anyone is going to operate the SOC side.
For organisations under ~300 seats there is a third door: Defender for Business (in Microsoft 365 Business Premium). It is roughly "P2-lite" — you get EDR and automated investigation, but with simplified, opinionated configuration and a 300-seat cap. Don't skip past it just because it isn't an "E5" SKU; for an SMB it is usually the right answer.
Full — next-gen AV, attack surface reduction rules, device control, web & network protection, controlled folder access, manual response actions, centralized config via Endpoint security in Intune. All of the prevention surface is here.
Full — identical prevention stack. Nothing in the preventive layer is gated behind P2.
EDR (endpoint detection & response)
None — no behavioral sensor timeline, no incident graph. You get blocks, not a forensic record of why something fired.
Yes — six-month behavioral sensor data, the device timeline, incident correlation, live response shell, and custom detection rules.
Advanced hunting (KQL)
No — there is no raw telemetry table to query.
Yes — the DeviceProcessEvents / DeviceNetworkEvents schema in advanced hunting, custom detections built on saved queries.
Automated Investigation & Remediation (AIR)
No — alerts require a human to chase down and remediate.
Add-on only — core CVE/exposure data needs the standalone Defender Vulnerability Management add-on layered on top of P1.
Included (core) — exposure score, security recommendations, software inventory, weaknesses. The full DVM premium capabilities (baselines assessment, blocked-app, browser-extension inventory) are still an add-on, but the core TVM ships with P2.
Threat intelligence (Threat Analytics, MTE)
Limited — no Threat Analytics reports, no eligibility for Microsoft Threat Experts / Defender Experts.
Yes — deep analysis / sandbox detonation of files from the device timeline.
Cross-platform coverage
Windows, macOS, Linux, iOS, Android — onboarding via the Intune Microsoft Defender for Endpoint connector under Endpoint security > Microsoft Defender for Endpoint.
Same OS coverage — but on mobile and servers the deeper EDR/AIR telemetry only materialises with P2.
Intune compliance "machine risk" signal
Works, shallow — once the MDE connector is enabled you can set Require the device to be at or under the machine risk score in your compliance policy. P1 produces a risk signal, but the depth and the auto-remediation that lowers it are thinner.
Works, full depth — richer risk scoring backed by EDR, and AIR can actively drive a device's risk back down so it returns to compliant (and regains Conditional Access) without manual touch.
Licensing
M365 E3 / A3 — P1 is bundled into E3/A3, or available standalone. Good fit when you already own E3 and don't need a SOC.
M365 E5 / A5 — P2 ships in E5/A5 (or the Security E5 add-on, or standalone). The premium SKU, priced accordingly.
Choose P1 when…
You already own M365 E3/A3 and want hardening without paying the E5 jump.
You need prevention (NGAV + ASR + device control) and a machine-risk signal to gate Conditional Access — but nobody is going to hunt or work an alert queue.
You have a separate SIEM/SOC and just want endpoints to block and report, not be the investigation surface.
You can add the Defender Vulnerability Management add-on later if exposure data becomes a requirement.
Choose P2 when…
You have an internal SOC or MDR partner that will actually use EDR, advanced hunting, and incident timelines.
You want AIR to auto-remediate low-confidence alerts and to drive device risk scores back down so compliance/CA self-heals.
Vulnerability management (exposure score, software inventory, recommendations) needs to live in the same console as the endpoints.
You're standardising on M365 E5/A5 anyway, or buying the Security E5 add-on.
Choose Defender for Business when…
You're under 300 seats and want most of P2's value (EDR + automated investigation) without E5 pricing or E5 complexity.
You're on (or moving to) Microsoft 365 Business Premium, where it's already included.
You want opinionated, simplified security config rather than a full Endpoint security blade matrix to tune.
The verdict
If your only goal is endpoint prevention plus a compliance risk signal to feed Conditional Access, P1 is enough and you almost certainly already own it inside E3 — don't over-buy. If anyone is going to operate security — work alerts, hunt in KQL, let automation remediate — then the prevention layer alone is a liability without eyes on it, and you need P2 (or a third-party MDR riding P2's telemetry). For a shop under 300 seats, Defender for Business in Business Premium is the pragmatic middle: nearly P2's capability, a fraction of the operational and licensing weight. Whichever tier you land on, wire it in the same way — enable the connector under Endpoint security > Microsoft Defender for Endpoint, then reference the machine-risk score in compliance.
Keep Chrome, Zoom, Acrobat, and the rest current on Windows — pick the patching engine that fits how the app is packaged and licensed.
There is no single "third-party patching" button in Intune. There are four real engines, and the right one is decided by how the app is published, not by how badly you want it patched. The most expensive mistake teams make is rebuilding a Win32 package every month for an app that the Enterprise App Catalog or winget would have kept current for free.
The other common trap is assuming Windows Autopatch covers your fleet's apps. It does not. Autopatch patches Microsoft first-party software only — Windows quality/feature updates, Microsoft 365 Apps, Edge, and Teams. Adobe, Chrome, Zoom, and every other vendor are on you. Answer the questions below to land on the surface and the cadence/ownership tradeoff that comes with it.
Where Autopatch and EPM actually fit
Two recurring misconceptions to put down. First: Windows Autopatch is not a third-party patching service — it orchestrates Microsoft first-party updates (Windows, M365 Apps, Edge, Teams) through managed rings, and that's it. Lean on it for the OS and Office stack, but never assume it touches Adobe or Chrome. Second: Endpoint Privilege Management patches nothing — it grants targeted elevation. It only enters this conversation when a self-updating app or installer needs admin rights on a fleet where you've stripped local admin. My rule of thumb: catalog first, Store/winget for the long tail, Win32 supersedence only when a human has to sign off on the version, and the vendor's updater for the orphans.
Decision Tools · Calculator
Stale device cleanup planner
Tune your device cleanup rules and inactivity window — see how many stale records age out, and how much your reports are inflated until they do.
Intune does not hide a device the moment it falls out of use. A machine that is wiped, re-imaged, lost, or quietly retired keeps its record — and its compliance state and last-known posture — until a device cleanup rule ages it out based on the last check-in time. Between the moment a device goes silent and the moment the rule fires, that record sits in your inventory inflating every count that matters: compliance percentages, your "managed device" total in reports and CA, and — where you use device-only licensing — your consumed device licenses.
The single knob you control is the inactivity threshold under Devices > Device cleanup rules (30–270 days). Shorter windows keep inventory honest but risk hiding devices that legitimately go dark for a few weeks (seasonal kit, spare-pool laptops, machines on extended leave) — though a hidden device simply reappears once it checks back in, so the risk is cosmetic rather than destructive. This calculator models the steady-state tail so you can pick a threshold with your eyes open. Enter your fleet, your real annual churn, and a candidate cleanup window.
Two things the model cannot see for you. First, cleanup rules only act on last check-in and only hide the record from the admin center and reports — they trigger no wipe or retire, and a hidden device reappears if it checks in before its management certificate expires. A device that was properly retired or wiped through remote actions leaves cleanly the moment that action completes — the lingering tail is almost entirely devices that went silent without an explicit offboarding step. Fix the offboarding process and the tail shrinks faster than any threshold change. Second, the cleanup rule is platform-aware: you create one rule per platform, and if a platform-specific rule and an All-platforms rule both apply, the one with the fewer days wins. Cleanup also hides the device only in Intune — it does not remove the record from Microsoft Entra ID — so always validate against the actual Devices > All devices count after a rule runs rather than trusting the projection alone.
Why a stale tail quietly corrupts licensing and compliance
A phantom record is not harmless padding. It carries the device's last compliance verdict until it is hidden, so a machine that was compliant the day it died keeps reporting compliant — flattering your compliance percentage and masking the real denominator your security team is measuring against. On the licensing side, the impact depends on how you license: Intune is primarily licensed per user (each user license covers that user and up to 15 of their MDM devices), so a stale record usually doesn't burn a license on its own — but if you run device-only licenses for userless kit (kiosks, dedicated, shared devices), a few hundred ghosts can distort consumed-license counts and chargeback to business units. And in Conditional Access reporting, stale "managed" devices muddy the very signal CA depends on. Pick the shortest threshold your legitimately-dark devices can tolerate, pair it with a disciplined retire/delete step at offboarding, and revisit the number after any migration or hardware-refresh wave temporarily spikes churn. If you want to see where device cleanup discipline sits against the rest of your hygiene practices, run the operational maturity score.
Decision Tools · Scorecard
Operational maturity
Score your day-2 Intune operations — the monitoring, reporting, change control, and incident readiness that separate a tenant that runs itself from one that surprises you.
Everyone obsesses over day-0: enrollment, compliance, Conditional Access, the first golden Autopilot profile. Almost nobody invests in day-2 — the boring discipline of watching the right reports, ringing your changes, calendaring your renewals, and having a runbook when a thousand devices stop checking in at 9am. That gap is where outages live. A tenant with great policy and zero operational hygiene is a tenant that works until exactly the moment it doesn't, and then nobody knows why.
This is a self-assessment, not an audit. Be honest — a half-checked box you're "mostly" doing is a no. Score yourself, find your weakest group, and fix that one first. The single highest-leverage item below is the one most teams skip: calendaring your certificate and token renewals. An expired APNs certificate silently breaks every Apple enrollment; an expired ABM/VPP token stops app and device sync cold. It is the classic, entirely preventable, all-hands outage.
The renewals item is the one that pages you at 2am
If you take one thing from this scorecard, make it the lifecycle renewals row. Policy mistakes are usually loud and local — a bad compliance setting flags some devices and you notice. Expirations are silent and total: an APNs certificate lapses and every Apple device stops being manageable the next time it tries to talk to Intune; an ABM or VPP token expires and device/app sync just stops with no dramatic error. None of it shows up as a "failure" you'd catch in passing, and the fix often requires the original Apple ID or a re-token dance you didn't rehearse. Put every expiry on a shared calendar with two owners and a 45-day warning, then go earn the rest of these points. Instrument before you scale — a bigger fleet only multiplies the blast radius of the operations you skipped.
Once you've scored yourself, two natural next steps: tighten your change discipline with a deliberate group-targeting model so ringed rollouts are easy, and validate the foundations underneath all of this with the tenant configuration health scorecard.
Decision Tools · Troubleshooter
A device won’t sync
A device isn’t checking in, or your policy change isn’t landing on it. Pick the platform and symptom and get the most likely cause and the next thing to check.
Ninety percent of “Intune isn’t working” tickets are sync tickets, and most of those are not Intune’s fault — they’re a stopped agent, a blocked endpoint, a sleeping laptop, or simple impatience with the check-in cadence. Before you escalate or re-enroll, confirm the device is actually online and powered, then walk the chain from the agent on the device out to the service endpoints.
Remember the cadence: Windows and the mobile agents poll on a schedule (roughly every 8 hours for general policy, more frequently right after enrollment and whenever a policy or assignment changes), and a push notification triggers an on-demand check-in when one is available. An on-demand Sync from the device short-circuits the wait — always try that first before you start digging.
The architect’s rule of thumb
Triage from the device outward, and isolate scope before you isolate cause. If one device is stuck, it’s almost always local — a stopped IME, a missing PRT, a battery-optimized agent, or a dead clock — and an on-demand Sync plus the right log file settles it in minutes. If every device on a platform went quiet at once, stop touching endpoints and go straight to the shared dependency: an expired APNs certificate, a disconnected Managed Google Play connection, or a blocked service endpoint. Matching the blast radius to the layer is the fastest path to root cause.
Decision Tools · Troubleshooter
Can’t get the BitLocker key
A user is at the recovery screen and the key isn’t where you expected. Walk the symptom to the reason it never escrowed — and where to look right now.
A BitLocker recovery prompt is two problems wearing one trench coat. Either a valid key was escrowed and you’re looking in the wrong store, or the key never escrowed because the encryption policy didn’t force escrow-before-encrypt and the disk silently encrypted out from under you. The fastest way to tell them apart is the Key ID on the recovery screen: Windows shows the first 8 characters of the recovery Key ID. If that prefix matches a Key ID on the Entra device object, the key exists — go find it. If nothing matches, it was never escrowed (or an old key rotated away).
Before you start: confirm the device’s join type and write down those 8 characters. Everything below branches on join type because Entra-joined and Hybrid-joined keys live in completely different places.
The rule of thumb
If a tenant ever produces a "no key on the object" ticket, that’s a policy defect, not a one-off. Encryption must never be allowed to start before the recovery password is escrowed — set Do not enable BitLocker until recovery information is stored in Entra ID = Require, turn on client-driven key rotation, and ship a remediation that flags any device that is encrypted but has no escrowed numerical password. Do that once and the recovery screen stops being a panic and starts being a 30-second lookup. While you’re here, confirm a compliance policy actually requires disk encryption so an un-escrowed device can’t quietly stay compliant.
Decision Tools · Troubleshooter
App Protection isn’t enforcing
Your MAM / App Protection policy isn’t taking effect on a phone — no PIN prompt, copy/paste still works, no wipe on unenrol. Find the break.
App Protection Policy (APP) is the most misdiagnosed feature in Intune because it fails silently. There is no compliance flag, no red banner, no error toast — the app just opens and behaves like a consumer app. When someone reports "MAM isn't working," the real question is almost always one of four things: is the app even SDK-managed, is the user actually in scope, is the user licensed, and (for BYOD) is Conditional Access forcing them into the managed app at all.
Remember the foundational model: APP is targeted at users, not devices, and it only governs apps built with the Intune App SDK or wrapped/whitelisted apps (Outlook, Teams, Edge, the Microsoft 365 apps, OneDrive — not the native iOS Mail app or Gmail). Without MDM enrolment there is nothing blocking data from flowing into an unmanaged app — APP can only police the apps it manages. Walk the questions below in order; the first "no" is usually the break.
The rule of thumb
APP is a guardrail, not a gate. Ninety percent of "MAM isn't enforcing" tickets collapse to one sentence: the user got to corporate data without going through a managed app. Either they used an unsupported app, or there was no Conditional Access "Require app protection policy" grant forcing them into the managed one. Ship APP and the CA grant as a pair — a protection policy without the grant that mandates it is theatre, and you'll spend your week chasing leaks that the policy was never in a position to stop.
iOS · Baseline Settings
Importing Baseline Settings into Intune
Get a community-reviewed iOS security and management baseline into your tenant fast.
RequiresPolicy-creation rights; Graph consent for the import script
ScopePolicies import unassigned — pilot group first
Scope
The baseline targets supervised, ADE-enrolled corporate devices. Settings that require supervision are marked on each page; BYOD guidance lives in the App Protection Baseline.
Prerequisites
A local copy of the baseline files. Download them from IntuneNerds so you can review every policy before anything touches your tenant.
Rights to create policies in your tenant — Settings Catalog configuration, compliance, and App Protection. If you use the import script, you also need consent to call Microsoft Graph with device-management write permissions.
A pilot group. An Entra ID group of test devices and users, so imported policies are never assigned straight to the fleet.
Option 1 — Import the JSON (Recommended)
Each policy in the baseline repository ships as exported JSON you can import with a short Graph script:
Get the policy files locally. Clone or download the baseline folder from the repository so you import from a version you've pinned, not a moving branch.
Review every JSON file.Never import a policy you haven't read. You are accountable for every value that lands in your tenant — and reading the export is also the fastest tour of what the baseline actually changes.
Run the import script in the repo (plain PowerShell + Graph REST, same style as our Graph Quickstart) to POST each policy to its endpoint:
Assign to your pilot group. Policies land unassigned by design — nothing applies anywhere until you assign it. Scope every imported policy to the pilot group first and widen only after the pilot stays quiet.
Option 2 — Build by Hand
Every settings page in this section lists the exact Settings Catalog paths and values. Twenty minutes of clicking gets you the same result, and you'll know exactly what each setting does — familiarity that pays for itself the first time a setting needs troubleshooting.
Rollout Order
Enterprise SSO Plug-in (improves everything else)
Passcode + Compliance
Restrictions
Software Updates (deferral first, enforcement after a cycle)
App Protection (BYOD ring)
Pilot → Ring 1 → fleet. Watch helpdesk volume between rings.
Verification
Every imported policy is visible in the console with its expected iOS-BL- prefixed name, and its Assignments tab lists only the pilot group.
On a pilot device, the profiles arrive (Settings > General > VPN & Device Management) and each policy's per-device status reports Succeeded.
Helpdesk stays quiet through the pilot window — that silence is your signal to widen the rings.
How baseline changes are proposed, reviewed, and merged.
The baseline is only as good as the operational experience behind it. If a setting bit you in production, or a new iOS release added something the baseline should adopt, contribute.
What a Baseline Contribution Looks Like
The change: exported policy JSON (or the exact Settings Catalog path + value for hand-built review).
The rationale: what it does, why the chosen value, what breaks without it.
The blast radius: supervision requirements, minimum iOS version, user-visible impact, known conflicts.
Process
Send your proposed change via the Feedback page — describe the setting, the change you want, and why; include your test evidence.
A maintainer reproduces the setting in a test tenant. Nothing merges on trust alone; reproduction catches typos in paths and values before they reach anyone's production fleet.
Discussion happens on the PR. Controversial defaults get a documented "Decision" note on the settings page, so future readers see why a value won — not just what it is.
Merged changes appear in the Changelog, so adopters can diff exactly what moved between baseline versions.
Principles We Hold
Secure by default, usable by default. A baseline nobody deploys protects nobody.
Every setting earns its place. No cargo-culted CIS line items without operational justification.
Version-aware. Settings note the iOS version they appeared in and whether supervision is required.
Everything possible is Settings Catalog, not legacy templates — Microsoft's investment is there, and DDM delivery happens automatically where supported.
The baseline is split into multiple small policies rather than one mega-profile, so you can adopt incrementally and troubleshoot conflicts sanely.
Naming convention used in the JSON: iOS-BL-<Area>-v<version>, e.g. iOS-BL-Restrictions-v1.
What the Baseline Deliberately Doesn't Do
No Wi-Fi/VPN/certificate payloads — too environment-specific.
No Home Screen Layout — cosmetic, org-specific.
No app deployment — see the Complete Guide for the core app set.
Restriction conflicts across multiple profiles resolve to the most restrictive value on iOS. Keep restrictions in this single policy so "why is this blocked?" has exactly one place to look.
Settings Catalog > Declarative Device Management > Software Update, one profile per ring:
Ring
Target
Deadline
Ring 0 (IT)
Current minor version
Release + 5 days
Ring 1 (10%)
Same
Release + 14 days
Ring 2 (fleet)
Same
Release + 30 days
Set Target OS Version to the exact version string and Target Date Time in UTC. The device handles download scheduling, escalating user notifications, and forced installation at deadline.
Operating Rhythm
Validate the release. Apple ships an update → install it on Ring 0 devices inside their window and confirm your critical apps and profiles still behave.
Move the deadlines forward. Update the Target OS Version and Target Date Time in each ring profile (or script it via Graph — the profiles are Settings Catalog policies, editable at deviceManagement/configurationPolicies).
Let compliance sweep the stragglers. Keep the compliance policy minimum OS one version behind enforcement, so devices lose access only after every ring's deadline passes — pressure without surprise lockouts.
Caution
Don't set a DDM deadline in the past "to force it now" — give devices at least 48–72 hours of runway so download windows and user notifications behave as designed.
Microsoft Authenticator deployed (required VPP app) — the extension lives inside it.
Assign to device groups for corporate, and include in BYOD user-enrollment targeting too: SSO is equally valuable on the work partition.
Don't
Don't add wildcard URL entries or third-party IdP URLs to this payload "while you're in there" — scope creep here causes the weirdest auth loops you'll ever troubleshoot.
Baseline app configuration policies for Outlook, Edge, and Office on iOS.
App Configuration Policies (managed devices channel) that pre-configure Microsoft apps so they're signed-in-ready on first launch. Background: App Configuration Policies.
Intune offers the toggle to add the shared device/account mode and SSO-relevant keys automatically when you create app config policies for Microsoft apps — let it. Combined with the Enterprise SSO plug-in, first-launch sign-in is typically zero-prompt.
Insight
Token variables like {{username}}, {{mail}}, and {{userprincipalname}} resolve per-assigned-user at delivery. On user-affinity ADE devices they just work; on no-affinity (kiosk) devices they resolve empty — scope these policies to user-affinity devices only.
The MAM baseline that protects corporate data with or without enrollment.
App Protection Policies (APP/MAM) wrap corporate data inside managed apps — they work on enrolled devices and on completely unmanaged BYOD alike. This baseline (iOS-BL-APP-v1) is Microsoft's "Level 2 — Enhanced" data protection framework with field-tested adjustments.
Apps > Protection policies > Create policy > iOS/iPadOS. Target: all Microsoft 365 apps + your LOB apps using the Intune App SDK. Assign to user groups (it follows the user, not the device).
PolicyiOS-BL-APP-v1 — Level 2 Enhanced base
Applies toEnrolled devices and unmanaged BYOD alike
❌ Block (org choice — relax if you have managed print)
Access Requirements
Setting
Value
PIN for access
✅ Require, numeric, 4+
Touch ID / Face ID instead of PIN
✅ Allow (with PIN fallback after timeout)
Work account required
✅
Recheck access timeout
30 min
Conditional Launch
Check
Value
Action
Max PIN attempts
5
Reset PIN
Offline grace period
720 min
Block access
Offline grace period
90 days
Wipe org data
Jailbroken/rooted
—
Block access + wipe org data
Min OS version
(current − 1 major)
Warn, then block on (current − 2)
Pair with Conditional Access
Create a CA policy with grant control Require app protection policy for iOS, so unprotected apps can't touch corporate data even with valid credentials. Details: Conditional Access.
What Apple Business Manager is and how to enroll your organization.
Apple Business Manager (ABM) is Apple's free web portal for organizations. It is the foundation of every corporate iOS deployment — it provides device enrollment automation, app licensing, and Managed Apple Accounts.
Devices: assign corporate devices to Intune for Automated Device Enrollment — zero-touch, supervised, mandatory management.
Apps & Books: buy app licenses (free apps too) in volume and deploy them silently — no Apple ID needed on devices. See Apps & Books (VPP).
Managed Apple Accounts: organization-owned Apple Accounts, ideally federated with Entra ID, required for Shared iPad and account-driven enrollment.
Device Identity in Entra ID
However an iOS device enrolls, it becomes Entra registered — the device record Conditional Access reads. The enrollment path decides how corporate that record is; the device identity guide has the full picture:
Enrollment path
Entra identity
What Conditional Access sees
ADE (supervised, via ABM)
Entra registered, corporate record from Setup Assistant
User + device compliance on supervised hardware
Company Portal (BYOD)
Entra registered at enrollment sign-in
User + device compliance; personal ownership respected
App protection only (no enrollment)
No device record — identity is the user + managed app
App-based grants only; device-based grants will fail
Prerequisites
A D-U-N-S number registered to your legal entity. Apple validates your application against the Dun & Bradstreet record, so confirm the registered legal name and address are current before you apply.
A work email address on a domain your organization owns — consumer mailbox addresses are not accepted for the enrolling account.
A verification contact who can legally accept the terms on behalf of your organization. Apple calls this person to verify, so brief them that the call is coming.
Enrolling Your Organization — Step-by-Step
Start the application. Go to business.apple.com and select Sign up now, entering the legal-entity details exactly as they appear in your D-U-N-S registration.
Complete verification. Apple phones the verification contact to confirm the request is genuine before approving the organization.
Allow a few business days for approval. If your D-U-N-S details don't match your legal name exactly, fix them with Dun & Bradstreet first; mismatches are the most common rejection reason.
After Approval
Add at least one additional Administrator account — never run ABM with a single admin; one departed colleague or forgotten password shouldn't lock the organization out of its own device program.
Note your Organization ID (Settings > Enrollment Information); resellers need it to auto-assign purchased devices.
Configure federated authentication if you'll use Managed Apple Accounts. Under Settings > Accounts, federate with Microsoft Entra ID so users sign in with their work credentials.
Education?
Schools use Apple School Manager (ASM) instead. Everything in this guide applies equally — ASM is a superset of ABM.
Connect ABM to Intune with an enrollment program token so devices flow automatically.
The integration between ABM and Intune is a server token (.p7m file). One token per ABM "MDM server" entry; the token tells Apple to hand devices to your Intune tenant at activation. The exchange is a three-part handshake: Intune generates a public key, ABM binds that key into a server token, and Intune consumes the token.
RequiresABM Administrator or Device Enrollment Manager role
Console pathDevices > Enrollment > Apple > Enrollment program tokens
RenewalEvery year — same ABM account that created the token
ScopeOne token per ABM MDM server entry
Step 1Download the Intune public key.pem from the Enrollment program token wizard
Step 2Create the MDM server in ABMUpload the .pem; download the .p7m server token
Step 3Upload the token to IntuneEnter the owning Apple ID — record it for renewals
Step 4Verify the connectionGreen status; expires one year out — set an 11-month reminder
Prerequisites
An ABM account that can manage MDM server assignments (Administrator or Device Enrollment Manager role).
Access to the Intune admin center with permission to manage Apple enrollment.
A decision about which ABM account owns the token — renewals must come from the same account every year, so use a role account your team controls rather than a personal login.
Step 1 — Download the Intune Public Key
Open the token wizard. In the Intune admin center: Devices > Enrollment > Apple tab > Enrollment program tokens > Add.
Grant consent and download the key. Grant Apple permission to send user/device info, then Download your public key (.pem). ABM will bind your server token to this key.
Step 2 — Create the MDM Server in ABM
Add a server entry. In ABM: Settings (or Preferences) > MDM Server Assignment > Add.
Name it clearly, e.g. Intune - Production — this name shows up in assignment menus for years, so make it self-explanatory.
Upload the .pem public key from Step 1.
Download the generated server token (.p7m).
Step 3 — Upload the Token to Intune
Enter the owning Apple ID. Back in the Intune wizard, enter the Apple ID of the ABM account used to create the token (record this — renewals must use the same account).
Upload the .p7m file and create. Intune validates the token and the connection goes live.
Step 4 — Verify
The token appears under Enrollment program tokens with a green status and an expiration date one year out. Set a renewal reminder at 11 months. Devices assigned to this MDM server in ABM will sync into Intune (manual sync available; Apple rate-limits a full sync to once per 15 minutes).
Token hygiene
Renew with the same ABM account that created the token. A different account breaks the device assignment chain.
One token can serve every device family ABM supports — or you can create separate ABM MDM server entries per device family if you want different default enrollment profiles. Separate entries per family is the cleaner pattern at scale.
The three ways devices get into ABM — reseller channel, Apple Configurator for iPhone, and Apple Configurator 2 over USB.
A device must exist in ABM before it can use Automated Device Enrollment. There are three ways in, and the right one depends on how the device was purchased.
devices are purchased through Apple or an authorized resellerReseller channelGive them your Organization ID — purchases appear in ABM automatically, no provisional period.
a retail-bought device needs adding in the fieldApple Configurator for iPhoneCable-free proximity add at the Hello screen; 30-day provisional period applies.
a bench is doing batch intake from traysApple Configurator 2 over USBTethered Prepare workflow — slower per device, suits lined-up hardware.
1. Purchased Through Apple or an Authorized Reseller (Best)
Give Apple or your reseller your Organization ID (and add their Reseller Number under ABM Settings > Enrollment Information). New purchases then appear in ABM automatically — true zero-touch. This should be your default procurement path for every corporate device going forward.
2. Apple Configurator for iPhone (iOS 16+)
For devices bought retail or otherwise outside the reseller channel:
Install Apple Configurator from the App Store on a work iPhone and sign in with an ABM administrator/device-manager account.
Factory-reset the target device. At the Setup Assistant Hello screen, bring it near the Configurator iPhone (like AirPods pairing) and scan the on-screen image.
Confirm the add. The device is added to ABM and appears in your MDM server assignment within minutes.
No cables and no bench hardware required. This is the field-friendly method.
3. Apple Configurator 2 over USB
The classic tethered method for benches doing batch intake: connect the freshly-wiped device by USB to a bench computer running Apple Configurator 2, select Prepare, and choose Add to Apple Business Manager. Slower per device than the iPhone method, but it suits an intake bench where devices are already lined up in trays.
The 30-day provisional period
Devices added via either Configurator method enter a 30-day provisional period during which the user can remove the device from ABM (Settings > General > About shows the option). After 30 days, ABM membership is permanent. Reseller-purchased devices have no provisional period.
Assign to Your MDM Server
Assign the serials. In ABM: Devices > select device(s) > Edit MDM Server > choose your Intune server.
Set a default MDM server per device type (Settings > MDM Server Assignment) so new purchases auto-assign without manual work.
Sync the token in Intune. The serials appear under your enrollment program token after the next sync.
Verification
The device shows in ABM under Devices with your Intune server listed as its MDM server, and the same serial appears in Intune under the enrollment program token's device list. If a serial seems "missing" in Intune right after assignment, trigger a token sync and allow a few minutes — Apple rate-limits a full sync to once per 15 minutes.
Create and maintain the certificate that lets Intune talk to your Apple devices.
Every command Intune sends to any Apple device — policy, app install, wipe — is triggered through the Apple Push Notification service (APNs) using one certificate. It's free, takes five minutes, and is the single most important object in your Apple deployment.
LicenseFree — takes five minutes
Console pathDevices > Enrollment > Apple > Apple MDM Push certificate
RequiresDedicated organizational Apple ID with two-factor authentication
RenewalEvery year — same certificate, same Apple ID
Prerequisites
A dedicated organizational Apple ID (e.g. apple-mdm@yourdomain.com) with two-factor authentication configured — never a personal account. This identity anchors the certificate for the life of your deployment.
Intune admin center access with rights to manage Apple enrollment settings.
Create It — Step-by-Step
Open the certificate blade. Intune admin center: Devices > Enrollment > Apple tab > Apple MDM Push certificate.
Download the CSR. Check I agree, then Download your CSR (a .csr file signed by Microsoft).
Sign in with the dedicated organizational Apple ID (e.g. apple-mdm@yourdomain.com — never a personal account).
Create the certificate. Select Create a Certificate, accept the terms, upload the CSR, then download the resulting .pem.
Finish in Intune. Enter the Apple ID you used (this is recorded for renewal), upload the .pem, and finish.
Verification
Status turns Active with a one-year expiration. To prove the push channel end to end, sync or remote-lock a test device and confirm the command lands — command delivery is the certificate doing its job.
Renewal — Read This Twice
Renew the same certificate in the Apple portal using the same Apple ID every year.
If the certificate expires, every Apple device stops receiving commands until you renew it — devices stay enrolled and recover once renewed.
If you create a new certificate instead of renewing (or use a different Apple ID), the certificate topic changes and every Apple device must be re-enrolled. This is the classic career-limiting Apple MDM mistake.
Operational guardrails
Calendar the renewal at 11 months with two owners invited.
Document the Apple ID, who controls its mailbox, and its 2FA recovery in your vault.
The Bulk Device Actions page includes a Graph snippet to check days-to-expiry — wire it into your monitoring.
Do
Renew the same certificate with the same Apple ID every year
Calendar the renewal at 11 months with two owners invited
Document the Apple ID, its mailbox owner, and 2FA recovery in your vault
Don't
Let it expire — every Apple device stops receiving commands until you renew
Create a new certificate or switch Apple IDs — every Apple device must re-enroll
Build the enrollment profile that controls Setup Assistant and supervision for corporate iOS devices.
The enrollment profile defines what happens when an ABM-assigned device activates: supervision, user affinity, authentication method, and which Setup Assistant screens users see. Every device that activates against the profile inherits these decisions until its next wipe, so this is where the corporate device experience is really designed.
Applies toABM-assigned devices at activation
Console pathDevices > Enrollment > Apple > Enrollment program tokens > Profiles
RequiresActive APNs certificate + connected enrollment program token
ScopeDecisions persist until the next wipe
Prerequisites
Your APNs certificate is active and your enrollment program token is connected, with device serials syncing from ABM.
You know which devices are 1:1 user devices and which are shared or kiosk hardware — the user-affinity decision below follows directly from that split.
Create the Profile — Step-by-Step
Open the profile wizard.Devices > Enrollment > Apple tab > Enrollment program tokens > your token > Profiles > Create profile > iOS/iPadOS.
Work through the key decisions in the table below. Each row is a choice the device keeps until it is wiped, so decide deliberately rather than accepting defaults.
Trim Setup Assistant and create the profile. Skip the screens users don't need (guidance below), review, and save.
Key Decisions
Setting
Recommendation
Why
User affinity
Enroll with user affinity for 1:1 devices; without for kiosks/shared
Affinity links the device to a primary user for app/policy targeting
Authentication method
Setup Assistant with modern authentication
Entra ID sign-in (with MFA/Conditional Access) during Setup Assistant
Await final configuration
Yes
Locks the device at Setup Assistant until critical policies and apps land — users get a finished device, not a half-configured one
Locked enrollment
Yes
Users cannot remove the management profile
Supervised
Yes (forced for locked enrollment)
Unlocks the full iOS management surface
Setup Assistant Screen Skipping
Skip everything users don't need to touch: Apple Intelligence/Siri, Apple Pay, Screen Time, Restore, etc. Leave Passcode visible — you want a passcode set during setup, and your compliance policy will require it anyway.
Modern auth details
With Setup Assistant modern authentication, the user authenticates to Entra ID during setup, and Company Portal completes Entra registration after enrollment so Conditional Access sees the device as compliant. Deploy Company Portal as a required VPP app to these devices. Just-in-time (JIT) registration via the Enterprise SSO plug-in can remove the Company Portal sign-in step — see Deploy the Enterprise SSO Plug-in.
Assign Devices to the Profile
Assign serials. In the token blade: Devices > select serials > Assign profile.
Set the token's default profile. Make this profile the token's default profile so newly synced devices pick it up automatically — an unassigned serial is how a corporate device ends up activating with no management.
Verification
The token's device list shows your profile name against each assigned serial.
Wipe and activate a test device: the Remote Management screen appears during Setup Assistant, followed by your chosen authentication flow.
Profile changes apply at next activation — already-deployed devices must be wiped to receive an updated enrollment profile.
Configure the Microsoft Enterprise SSO plug-in so users sign in once across all Entra-protected apps on iOS.
The Microsoft Enterprise SSO plug-in gives iOS devices true single sign-on to Entra ID: a user authenticates once and every app and website that uses Entra ID picks up the session — including Safari. It also enables just-in-time (JIT) device registration during web-based and Setup Assistant enrollments.
RequiresMicrosoft Authenticator as a required VPP app
Applies toMDM-enrolled devices — the extension only activates via MDM
Microsoft Authenticator deployed to the device (the plug-in ships inside it). Deploy it as a required VPP app. Users do not need to open or configure Authenticator for SSO to work.
Device must be MDM-enrolled (the extension only activates when delivered by MDM).
After the profile lands (Settings > General > VPN & Device Management shows the SSO payload), sign into one Microsoft app, then open Safari to https://office.com — you should land signed-in without a password prompt.
Insight
Deploy the SSO plug-in before broad app rollout. Retrofitting it works, but users only feel the magic when it's there from day one — and JIT registration during enrollment depends on it.
License and silently deploy App Store apps with no Apple IDs on devices.
Apps & Books (still universally called VPP) is how corporate iOS app deployment works: your organization acquires licenses in ABM, Intune consumes them through a location token, and supervised devices install apps silently with no Apple ID signed in.
Find the app. Search for the app (e.g., Microsoft Authenticator, Outlook, Edge, Company Portal).
Acquire licenses. Choose a quantity (free apps still need "purchased" license counts — grab plenty, e.g. 5,000 for core apps) and assign to your Location.
Step 2 — Connect the Location Token to Intune
Download the token from ABM. Your account > Preferences > Payments and Billing > Content Tokens — download the .vpptoken for your location.
Open the connector blade in Intune.Tenant administration > Connectors and tokens > Apple VPP tokens > Create.
Upload and configure. Upload the token, enter the Apple ID that manages it, set Automatic app updates to Yes, and decide if this token grants used licenses to Intune-managed devices only.
Tokens expire annually — same renewal discipline as your APNs certificate.
Step 3 — Deploy Apps
Licensed apps appear automatically under Apps > All apps (type: iOS volume purchase program app) after the token syncs.
Open the assignment. Select the app > Properties > Assignments.
Pick the intent.Required for must-have apps (silent install on supervised devices), Available for enrolled devices for the self-service catalog in Company Portal.
Keep device licensing.License type: Device licensing (default and recommended) — no Apple ID involvement at all.
Core App Set for the Complete Guide
Deploy these as Required / Device licensed to your corporate iOS group:
What your users actually see during zero-touch enrollment, start to finish.
This is the end-to-end experience on a corporate device deployed through everything configured so far. Knowing it cold makes support tickets self-explanatory.
1 · HelloLanguage, region, Wi-Fi
2 · Remote ManagementNo skip with locked enrollmentAppears because the serial is ABM-assigned
3 · Entra sign-inWork account; MFA and Conditional Access apply
4 · PasscodeSet during setup, policy minimums enforced
5 · ConfiguringAwait Final Configuration holds the deviceProfiles and required VPP apps land first
6 · Home screenFully provisionedTypically 8–15 minutes on decent Wi-Fi
Unboxing to Desk-Ready
Hello screen — user powers on, selects language/region, joins Wi-Fi (or uses cellular activation).
Remote Management screen — "Your organization will automatically configure your device." This appears because the serial is ABM-assigned to your Intune token. With locked enrollment, there is no skip option.
Entra ID sign-in — with Setup Assistant modern authentication, the user signs in with their work account; Conditional Access and MFA apply right here.
Passcode — user sets a passcode (your compliance and passcode policies enforce minimums).
Await Final Configuration — the device holds at "Configuring..." while required profiles and VPP apps land, so the home screen appears fully provisioned.
Home screen — Outlook, Teams, Authenticator, Company Portal already installed. If you deployed a Home Screen Layout, icons are arranged your way.
First app launch — thanks to the Enterprise SSO plug-in, apps pick up the Entra session without re-prompting for the password.
Typical elapsed time on decent Wi-Fi: 8–15 minutes, most of it app downloads.
What Users Notice Day-to-Day
Settings > General > VPN & Device Management shows the management profile; on supervised devices the top of Settings reads "This iPhone is supervised and managed by…".
App Store can stay enabled or be hidden — managed apps update via VPP regardless.
No Apple ID prompts for any managed app, ever.
What They Can't Do
Remove the management profile (locked enrollment).
Erase their way out — after a wipe, the Remote Management screen returns at activation (and Activation Lock doesn't strand you if managed properly).
Deploy Microsoft Defender for Endpoint on iOS with zero-touch onboarding.
Microsoft Defender for Endpoint on iOS provides web protection (anti-phishing via a local loopback VPN), jailbreak detection feeding device risk into compliance, and vulnerability assessment of OS versions.
LicenseMDE P1/P2, Microsoft 365 E5, or standalone
RequiresMDE–Intune connection enabled in both consoles
Applies toCorporate iOS group — Required, device-licensed VPP app
ScopeSilent onboarding needs supervision
Prerequisites
Defender for Endpoint licensing (MDE P1/P2, Microsoft 365 E5, or standalone).
The MDE–Intune connection enabled: Defender portal > Settings > Endpoints > Advanced features > Microsoft Intune connectionOn, and in Intune Endpoint security > Microsoft Defender for Endpoint > allow iOS to report to MDE.
Step 1 — Deploy the App
Deploy Microsoft Defender: Security as a Required, device-licensed VPP app to your corporate iOS group.
Step 2 — Silent Onboarding (Supervised)
On supervised devices Defender can onboard silently — no user tap-through:
Create an App configuration policy (Managed devices) targeting the Defender app.
Add the onboarding keys. Use the configuration designer and add:
issupervised = {{issupervised}} (variable)
For silent/zero-touch onboarding follow the current Microsoft Learn doc "Deploy Microsoft Defender for Endpoint on iOS" — Microsoft updates the exact key set periodically; pin your config to the doc, not to a blog post.
Deploy the Defender VPN payload. Push the Device control/Web protection VPN profile (Microsoft provides the VPN payload values in the same doc) so web protection activates without user consent.
Step 3 — Connect Risk to Compliance
In your iOS compliance policy, set Require the device to be at or under the machine risk score (e.g., Medium). Now a jailbroken or high-risk device automatically loses access through Conditional Access.
Verification
The device appears in the Defender portal's device inventory shortly after onboarding completes.
On the device, the Defender app reports web protection active and the loopback VPN shows under Settings > VPN.
Risk flows into compliance: a test device's compliance state reflects the machine risk score requirement you configured.
Insight
The zero-touch path matters: in our experience, user-driven Defender onboarding completion rates plateau around 70–80%. Supervised + app config + VPN profile gets you to ~100% without a single user tap.
How DDM changes iOS management and where Intune uses it today.
Declarative Device Management is Apple's modern management protocol, layered on top of MDM. Instead of the server polling and pushing commands, the server sends declarations — desired states — and the device itself enforces them and proactively reports status changes.
ProtocolDeclarations layered on MDM — the device enforces desired state
RequiresiOS/iPadOS 17+ for update enforcement (DDM itself since iOS 15)
Server sends command, waits for device to check in
Device holds the declaration and acts autonomously
State drift until next sync
Device self-corrects immediately
Server polls for status
Device pushes status reports when things change
The flagship example: a software update declaration with a deadline. The device schedules downloads, notifies the user with escalating urgency, and force-installs at the deadline — even if it can't reach Intune at that moment.
Requirements
iOS/iPadOS 17 or later for the update enforcement scenarios Intune exposes (DDM itself exists since iOS 15).
No special enrollment — DDM activates automatically within an existing Intune MDM enrollment on supported OS versions.
Where Intune Uses DDM Today
Managed software updates (the headline scenario — full guide).
A growing set of Settings Catalog payloads are delivered declaratively when the device supports it — Intune chooses the channel; you don't have to.
Enforce iOS updates with DDM — deadlines that actually stick.
The final piece of the deployment: keeping the fleet current. On iOS 17+ this is done with DDM-based software update enforcement, which replaces the old MDM update commands with deadlines the device itself enforces.
Pick the payload. Category Declarative Device Management > Software Update.
Set the target and deadline. Configure:
Target OS Version — e.g. 17.5.1 (exact version string)
Target Date Time — the enforcement deadline (UTC)
Optionally Target Build Version for precision
Assign to your iOS device groups (use a pilot ring first — see below).
Before the deadline, users get increasingly insistent notifications and can update on their own terms. At the deadline, the device downloads (if it hasn't) and installs the update, requiring the passcode where needed.
DeclareTarget OS Version + UTC deadline assigned
NotifyEscalating user notificationsUsers can update on their own terms before the deadline
EnforceDownload and forced install at deadlinePasscode requested where needed
Verification
On a targeted device, Settings > General > Software Update shows the targeted version, and the notification cadence begins as the deadline approaches.
The policy's per-device status in Intune reports success, and after the deadline the device's inventoried OS version moves to the target.
Stragglers surface in the compliance minimum-OS report — chase that report, not individual serial numbers.
Hide Updates Users Shouldn't See Yet
Pair enforcement with deferral so users can't jump ahead of your validation:
This creates the classic pattern: defer 14–30 days for validation, then enforce by deadline.
Recommended Ring Model
Ring
Audience
Deadline after release
Ring 0
IT + volunteers
~5 days
Ring 1
10% of fleet
~14 days
Ring 2
Everyone
~30 days
Drive ring assignment with Entra groups, one enforcement profile per ring with staggered Target Date Times.
Legacy update policies
The older Update policies for iOS/iPadOS (one-time ScheduleOSUpdate pushes) still exist in the console but are not reliable as an enforcement mechanism — devices on a charger and locked might update. DDM deadlines are deterministic. Use DDM for anything you actually need to happen.
A decision guide for the four iOS enrollment methods in Intune.
Intune offers four practical ways to enroll an iOS device. Choosing correctly up front matters — moving a device between methods later means wiping it.
the device is corporate-ownedADESupervision and locked enrollment are non-negotiable for company hardware.
it's corporate-owned but genuinely can't get into ABMWeb-based device enrollmentUnsupervised and removable — a stopgap while procurement catches up.
it's BYOD needing full corporate app accessAccount-driven User EnrollmentCryptographic work/personal separation; the user keeps control.
it's BYOD and MAM is enoughNo enrollment at allApp Protection Policies guard the data with zero device management.
Corporate-owned? → ADE. Always. Supervision and locked enrollment are non-negotiable for company hardware. Get devices into ABM even if bought retail (here's how).
Corporate-owned but genuinely can't get it into ABM? → Web-based device enrollment. Accept that it's unsupervised and removable; plan to replace these devices through proper procurement.
BYOD with full corporate app access? → Account-driven User Enrollment. Cryptographic separation of work/personal data, privacy-respecting, user keeps control of the device.
BYOD where MAM is enough? → Don't enroll at all. App Protection Policies without enrollment protect corporate data inside Microsoft apps with zero device management. This is the right answer more often than people think.
Retired Methods
Profile-based User Enrollment (the old Company Portal BYOD flow) has been retired by Microsoft and Apple in favor of account-driven enrollment. If you still have devices on it, plan migrations — users sign out / retire, then re-enroll account-driven.
Supervised, locked, zero-touch enrollment for corporate iOS devices.
ADE (formerly DEP) is the gold standard for corporate iOS: the device enrolls itself during Setup Assistant because Apple's activation servers know the serial belongs to your organization.
Applies toCorporate devices with ABM-assigned serials
RequiresABM + server token + an assigned enrollment profile
ScopeSupervised, locked, whole-device management
What You Get
Supervision — the prerequisite for the strongest controls: Lost Mode, Single App Mode, Home Screen Layout, blocking app removal, many restrictions, silent VPP app installs, and Activation Lock management.
Locked enrollment — the management profile cannot be removed; a wipe just lands the device back at the Remote Management screen.
A zero-touch rollout — ship sealed boxes; users self-provision in minutes.
Await Final Configuration — devices arrive at the home screen fully provisioned.
A device re-checks its ABM assignment at every activation. Reassigning a serial to a different enrollment profile only takes effect after a wipe.
ABM token sync to Intune is rate-limited (full sync every 15 minutes) — "missing" serials right after assignment usually just need a sync and patience.
Keep one default profile per token sane: it's what every newly purchased device gets if you forget to assign explicitly.
Safari-driven device enrollment without Company Portal — for corporate devices outside ABM.
Web-based device enrollment lets a user enroll a device entirely through Safari — no Company Portal app required to enroll. It produces a standard (unsupervised) device enrollment and is Microsoft's default for new device enrollment profiles. Because the entire flow runs in the browser, it is the lowest-friction way to bring a corporate-owned device under management when it was procured outside the channels that feed automated enrollment.
Applies toCorporate devices outside ABM
RequiresiOS/iPadOS 15 or later; Enterprise SSO plug-in for JIT registration
Console pathDevices > Enrollment > Apple > Enrollment types
ScopeUnsupervised — the user can remove management
Prerequisites
iOS/iPadOS 15 or later on the devices being enrolled.
Licensed users in an assignable group — the flow is user-driven, so the enrollment link and instructions you communicate are part of the deployment.
The Enterprise SSO plug-in policy in place — just-in-time (JIT) registration during this flow depends on it. The plug-in deploys once the device is managed, and it is used at sign-in time to complete Entra device registration.
Step-by-Step: Create and Assign the Enrollment Profile
Open the enrollment configuration. Go to Devices > Enrollment > Apple tab > Enrollment types.
Create the profile. Choose Create profile, select Web based device enrollment as the enrollment type, and name it so the intended audience is obvious from the assignment view later.
Assign it to user groups. Enrollment type profiles target users, not devices. If several profiles could match the same user, the profile priority order decides which flow they get — review that order deliberately whenever you add a profile.
Step-by-Step: The User Flow
Open Safari and go to https://portal.manage.microsoft.com (or the enrollment link you communicate). Safari specifically — the management profile download requires it.
Sign in with Entra ID credentials. Conditional Access applies at this step exactly as it would for any other sign-in.
Install the management profile. Safari downloads it; the user finishes via Settings > Profile Downloaded and confirms with the device passcode.
Let JIT registration complete. Entra device registration happens inside the flow itself — no Company Portal sign-in needed afterward.
Wait for policy to land. Apps and configuration profiles arrive over the following minutes as the device starts checking in.
Company Portal can still be deployed afterward as an app catalog, but it's optional.
Verification
The device appears under Devices > iOS/iPadOS with the expected primary user, and the management profile is visible on-device under Settings > General > VPN & Device Management.
Compliance evaluates to Compliant after the first check‑ins — a record stuck at Not evaluated means the enrollment didn't finish cleanly.
Open a managed app gated by Conditional Access: a successful grant proves the Entra registration that JIT was responsible for actually completed.
Limitations to Accept
Not supervised — no Lost Mode, no Single App Mode, no update deferral, no blocking profile removal.
The user can remove management at any time (compliance + Conditional Access is your backstop: remove the profile, lose access).
No Await Final Configuration — provisioning happens live on the home screen.
When It's the Right Call
Corporate devices procured outside the reseller channel that you can't (yet) Configurator-add to ABM.
Contractor/loaner hardware with short lifecycles.
Fast pilots where ABM logistics would slow you down.
For anything long-lived and corporate-owned, do the ABM work and use ADE.
The modern BYOD enrollment — users sign in from Settings, work data lives in a separate APFS volume.
Account-driven User Enrollment is Apple's privacy-first BYOD model: the user signs into their work account directly in iOS Settings, and the device creates a cryptographically separate work partition. IT manages the work side only; the personal side is invisible to MDM. The separation is structural, not cosmetic — the work side gets its own encrypted APFS volume and key material — which is what makes the privacy promise to users credible and a retire surgically clean.
Applies toPersonal (BYOD) devices, iOS/iPadOS 15+
RequiresManaged Apple Accounts + service discovery endpoint
Console pathDevices > Enrollment > Apple > Enrollment types
ScopeWork partition only — serial number hidden
What IT Can and Can't See
Can
Cannot
Managed (work) apps and their data
Personal apps, photos, messages
Work account configuration
Device location
Installed managed app inventory
Full app inventory
Retire (remove work data)
Full device wipe
Require passcode (limited)
Device serial number (a per-enrollment ID is used instead)
Prerequisites
iOS/iPadOS 15 or later on the personal devices being enrolled.
Managed Apple Accounts — via ABM, ideally federated to Entra ID so users sign in with work credentials and accounts materialize on demand.
Service discovery: an HTTPS endpoint at https://yourdomain/.well-known/com.apple.remotemanagement returning JSON that points Apple at Intune's enrollment URL. Microsoft Learn documents the exact JSON body — host the file on the domain matching your users' UPN suffix.
An Intune license per user and a user group to carry the enrollment profile assignment.
Stand up the discovery endpoint. Publish the well-known JSON on the UPN-suffix domain over HTTPS with a publicly trusted certificate. This file is what turns a typed work email into a routed enrollment — without it, nothing downstream happens.
Confirm Managed Apple Account coverage. With federation, accounts are created at first sign-in; if you provision accounts manually instead, verify every pilot user actually has one before they try.
Create the enrollment profile.Devices > Enrollment > Apple tab > Enrollment types — create a profile of type Account driven user enrollment.
Assign it to user groups, and review profile priority if multiple enrollment type profiles could match the same user.
Step-by-Step: The User Flow
Start from Settings.Settings > General > VPN & Device Management > Sign In to Work or School Account.
Enter the work email. Discovery resolves your domain and hands off to Entra ID sign-in — Conditional Access and MFA apply normally.
Let iOS build the work partition. Managed apps and the work Apple Account land in it automatically.
Review the separation. Settings shows the user a clean statement of what the organization manages — worth pointing at during onboarding, because it is the privacy story in one screen.
Verification
Before pilot day: request the well-known URL from the public internet and confirm it returns HTTP 200 with the correct JSON body.
After a test enrollment: the device record appears keyed to a per-enrollment ID rather than a hardware serial, and managed apps install into the work side only.
Confirm compliance evaluates and Conditional Access grants access from a managed app signed in with the work account.
Insights
The serial-number privacy behavior breaks any process keyed on serials — inventory reconciliation must use the enrollment user instead.
Users can end management anytime by signing out — pair with App Protection Policies so the data story doesn't depend on enrollment persisting.
If discovery isn't set up, enrollment fails with vague errors at the email step — validate the well-known URL returns HTTP 200 + correct JSON from the public internet before pilot day.
Settings-initiated full device management for personal devices — iOS 18 and later.
Account-driven Device Enrollment is the newest member of the family (iOS/iPadOS 18+): the same friendly Settings-based sign-in flow as account-driven User Enrollment, but resulting in whole-device management rather than a separated work partition.
Applies toPersonally owned devices that must be fully managed
RequiresiOS/iPadOS 18 or later + Managed Apple Accounts
Console pathDevices > Enrollment > Apple > Enrollment types
ScopeWhole device — real serial visible, full wipe possible
Where It Fits
Think of it as the successor to old profile-based device enrollment for personally owned devices that need to be fully managed — common in regulated industries, or where corporate policy requires whole-device control on stipend/BYOD hardware. Unlike User Enrollment, IT sees the real serial number, full app inventory, and can issue a full wipe — make sure users understand that trade before enrolling.
Prerequisites
iOS/iPadOS 18 or later — older builds cannot take this enrollment type.
Managed Apple Accounts (ABM, federation recommended) — the same identity plumbing as User Enrollment.
The same service discovery endpoint (/.well-known/com.apple.remotemanagement); the JSON advertises both enrollment flavors with separate version keys (mdm-byod for user enrollment, mdm-adde for device enrollment) — see Microsoft Learn for the current body.
An Intune license per user and a user group to carry the profile assignment.
Step-by-Step: Enable and Roll Out
Update the discovery JSON. Make sure the mdm-adde capability is advertised alongside any existing mdm-byod entry, so devices learn that full device enrollment is on offer for your domain.
Create the enrollment profile.Devices > Enrollment > Apple tab > Enrollment types — create a profile of type Account driven device enrollment and assign it to the target user groups. Profile priority decides which flow wins when a user matches several profiles.
Communicate the trade before anyone enrolls. IT sees the real serial number and full app inventory and can issue a full wipe — put that in the enrollment instructions in plain language so users on personal hardware consent knowingly, not retroactively.
The User Flow
Identical entry point to User Enrollment: Settings > Sign In to Work or School Account → work email → Entra sign-in. iOS evaluates which enrollment type the targeted profile prescribes and proceeds into full device management with user consent screens that spell out what IT will control.
Compared to Its Siblings
User Enrollment
Device Enrollment (account-driven)
ADE
Scope
Work partition
Whole device
Whole device
Supervised
No
No
Yes
Removable by user
Yes
Yes
No
Serial visible
No
Yes
Yes
Full wipe
No
Yes
Yes
Verification
The enrolled device shows the hardware serial number and full app inventory in the console — the visible markers that distinguish it from a User Enrollment record.
Policy lands device-wide (not in a separated work partition) and compliance evaluates normally.
Run one full lifecycle in the pilot — enroll, apply policy, unenroll from Settings — so the helpdesk knows exactly what each side sees at every stage.
Insights
Intune support for this enrollment type is recent — pilot on current Intune service releases and keep an eye on What's New for capability changes.
Because users can still unenroll, treat compliance + Conditional Access as the enforcement backbone, exactly as with web-based enrollment.
Wipe-to-working without hands — the modern erase flow that re-enrolls the device before anyone touches it.
The classic device handoff had a dead zone: wipe the iPhone, and it sits at Hello until a human walks it through Setup Assistant. Return to Service closes the zone — the erase command carries a Wi-Fi payload (and optionally eSIM preservation on supported builds), so the device wipes, rejoins the network on its own, runs straight through ADE, and lands back at the home screen enrolled and configured. Wipe-to-working becomes one remote action.
How It Works
The wipe action, issued with Return to Service options, embeds: the Wi-Fi configuration the freshly-erased device should join, the default language/region (skipping those panes), and — because the device is ABM-assigned and supervised — the ADE flow that does the rest. Your enrollment profile's pane skips and await-configuration design carry the experience from there.
WipeErase issued with Return to Service optionsWi-Fi payload (and optionally the eSIM) rides along
RejoinDevice erases and joins the network on its own
Re-enrollADE runs hands-freePane skips + await-configuration from your enrollment profile
ReadyHome screen, enrolled and configuredWipe-to-working as one remote action
Where It Changes Operations
Shared iPad and frontline pools: end-of-term or end-of-rotation resets become a bulk action run after close, with carts full of ready devices by morning — no bench day
Device transfers: departing user's iPhone → Return to Service → next user's first touch is the sign-in screen — the handoff becomes a remote action instead of a desk-side reprovisioning appointment
Remote remediation: the troubleshooting economics shift — past a half hour of diagnosis on a weird-state supervised device, reprovisioning is now genuinely cheaper than continuing
Prerequisites
Supervised + ABM-assigned — the front-door guarantees that let the device re-enroll itself hands-free.
An OS version on the device that supports the flow.
A Wi-Fi payload that works at the device's actual location — a corporate-PSK payload sent to a home-office device re-enrolls nothing. Build location-appropriate payloads before you need them.
Confirm the device qualifies. Supervised, ABM-assigned, supported OS, Activation Lock accounted for — thirty seconds on the device blade saves a stranded device later.
Choose the Wi-Fi payload deliberately. The network configuration embedded in the erase must be joinable where the device physically sits when it reboots, not where it was originally provisioned.
Issue the wipe with Return to Service options. From the device's Wipe action — or across a pool via a bulk action — enable Return to Service and attach the Wi-Fi configuration; preserve the cellular plan where the device should keep its line.
Let ADE do the rest. The device erases, rejoins the network on its own, runs your enrollment profile's pane skips and await-configuration design, and lands provisioned at the home screen.
Verification
The device re-enrolls and checks in — confirm the fresh enrollment timestamp on the device blade and that policies and apps report as applied.
A quick remote confirmation with the receiving user (sign-in screen reached, apps present) closes the loop without anyone shipping hardware.
If the device never comes back, assume the Wi-Fi payload didn't match its location — the fix is physical, which is exactly why the lab test below matters.
Insights
Test the failure path deliberately: issue Return to Service with a wrong Wi-Fi password once in the lab and watch what you get — knowing what a stranded device looks like (and that the fix is physical) calibrates how confidently you fire this at remote workers.
Pair with stale-device hygiene: Return to Service makes recycling easy, which makes the inventory-truth question ("is this device active or a drawer ghost?") the only remaining gate before pulling the trigger.
Gate the front door — ownership checks, OS floors, and per-user device caps, evaluated once at the moment of enrollment.
Enrollment restrictions decide which devices get to enroll at all. They are evaluated when a device attempts enrollment — and crucially never again afterward. Intune offers two restriction types for iOS: device platform restrictions (allow or block the platform, block personally owned devices, enforce an OS version range) and device limit restrictions (cap how many devices one user can enroll). You can run up to 25 policies of each type, assigned to user groups, with a priority order resolving conflicts.
ScopeAssigned to user groups only — priority 1 wins
Applies toEvaluated once, at enrollment — never re-checked afterward
What "Personally Owned" Actually Means
Intune classifies every iOS device as personally owned unless it can prove otherwise at the gate. There are exactly two proofs:
The device comes through ADE — its serial lives in ABM and is assigned to your MDM server, so corporate ownership is established by the supply chain before any user touches it.
The serial or IMEI is pre-registered under corporate device identifiers — your way of vouching for corporate hardware that lives outside ABM.
Everything else — Company Portal, Safari, Settings — presents as personal, whoever actually paid for the hardware.
Blocked — this is the BYOD flow the setting exists to stop
Blocking personal devices is an enrollment decision, not a data-protection one: BYOD users turned away here can still be served with App Protection Policies, which need no enrollment at all.
Caution
ADE bypasses the ownership block — not a platform block. If a restriction that catches your users sets the iOS/iPadOS platform to Block, ADE devices fail activation with an invalid-profile error in Setup Assistant. For a corporate-only fleet, block personally owned devices and leave the platform allowed.
OS Version Floors
Platform restrictions accept a minimum and maximum allowed OS version, in major.minor.rev format. The floor is the useful half: it keeps forgotten hardware on ancient builds from ever entering the tenant. But the gate is evaluated once — a device that enrolled healthy and then stopped updating sails on untouched. Pair the enrollment floor with a minimum-OS rule in your compliance policies: the restriction guards the door, compliance patrols the building.
Device Limit Restrictions
The device limit caps how many devices a single user can enroll — from 1 to 15. A record counts against the cap when it is Intune-managed, made contact within the last 90 days, isn't stuck pending registration over 24 hours, and hasn't failed enrollment or been deleted. Two separate caps exist, and the stricter one wins:
The Intune device limit — gates enrollment into management.
The Entra ID "maximum number of devices per user" setting — gates the device registration underneath; a device blocked from registering fails enrollment however generous the Intune limit is.
Corporate enrollment is not exempt: an ADE device enrolling with user affinity counts against the signing user under both limits, which bites when a provisioning technician signs into device after device and hits the cap mid-cart. Plan for it — enroll genuinely shared hardware without user affinity (no user, no cap), give provisioning staff a high-limit restriction, or use a device enrollment manager account for Company Portal-driven staging (DEM doesn't work with ADE).
25max policies per restriction type
1–15device limit range per user
90 daysactivity window for the device cap
~15 mingroup and filter propagation
Priority and Assignment
Restrictions are assigned to user groups only. When a user sits in several groups with different restrictions, the highest-priority policy — 1 is the top — applies and the rest are ignored. New restrictions land just above the default; reorder by dragging in the priority column. The default restriction sits immovably at the bottom and catches everyone unassigned — including enrollments with no user behind them, such as ADE without user affinity, which always evaluate against the default. That makes the default the most consequential policy you own. Assignment filters are supported with a reduced property set (the device isn't enrolled yet): manufacturer, model, OS version, ownership, and enrollment policy name.
Prerequisites
The Intune Administrator role — other built-in Intune roles get read-only access to restrictions.
User groups that mirror your enrollment audiences — a restriction without an assignment does nothing.
Corporate device identifiers uploaded for corporate hardware outside ADE — before flipping the block, not after the first lockout ticket. Better still, get the hardware into ABM.
A helpdesk article written in advance describing what a blocked user sees and what to do next.
Step-by-Step: Block Personally Owned Devices
Pre-stage the exceptions. Upload serials/IMEIs of corporate devices that don't come through ADE, and confirm the ADE token and enrollment profiles are healthy — those two populations are the only ones that will pass.
Open the restriction blade. Go to Devices > Enrollment > Device platform restrictions, select the iOS/iPadOS tab, and choose Create restriction.
Name it for the audience. "iOS — corporate only — all staff" reads better in the priority list at 2 a.m. than "Restriction 3".
Configure platform settings. Leave the platform on Allow, set Personally owned devices to Block, and set the minimum OS version while you're here — one gate, one review.
Scope and assign. Apply scope tags if you delegate administration, then assign to the user groups this gate should govern. Group and filter changes take up to about 15 minutes to propagate — don't test enrollment seconds after adding a user to the group.
Review priority. If multiple restrictions could catch the same user, drag the order until the intended one wins.
Verification
An ADE device enrolls untouched through Setup Assistant — proof the block is scoped to ownership, not platform.
An identifier-listed device enrolls through your user-driven flow of choice.
An unlisted personal device is refused. Company Portal and the Safari flow show a deliberately generic couldn't-enroll message; a user at the device limit instead sees they've added the maximum number of devices allowed and must remove one to continue.
Check enrollment failure reporting in the admin center after the pilot window — blocked attempts appear with a failure reason pointing at enrollment restrictions. Enrollment Errors covers the triage from there.
Insights
A restriction is a gate, not a policy. It is evaluated exactly once, at enrollment; editing it later affects new enrollments only and never unenrolls a device already inside. Tightening the gate doesn't clean the fleet — compliance does that.
Most "device cap reached" tickets are stale-record problems wearing a limit costume. Before raising anyone's cap, check the age of the devices on their list and run stale device cleanup — usually the cap was doing its job.
The blocked-user message is vague by design, so the helpdesk traffic arrives as "Company Portal is broken", not "I'm blocked by policy". Publishing the what-you-will-see article before enforcement is the difference between a quiet rollout and a loud one.
Do
Upload corporate identifiers before flipping the block
Block personally owned devices and leave the platform allowed
Publish the what-you-will-see helpdesk article before enforcement
Don't
Set the iOS/iPadOS platform to Block — ADE devices fail activation in Setup Assistant
Raise device caps before checking for stale records
Expect a tightened gate to unenroll devices already inside
What enrollment actually creates in Entra ID — the device record and certificate that every compliance and Conditional Access decision hangs from.
Enrolling an iPhone or iPad creates two records that are easy to conflate: the Intune managed-device object (the management channel — MDM profile, APNs, check‑ins) and the Microsoft Entra ID device object (the identity). Every iOS enrollment flow produces the same identity class: a Microsoft Entra registered device. Registration is the device identity model for iOS — the device registers with the directory; it never becomes a joined device. What varies between flows is when registration completes and what the record is keyed to — two variables that explain most "enrolled but still blocked" tickets.
Registration produces a device object in the directory — device ID, display name, OS version, a compliance flag, an activity timestamp — and provisions a workplace-join certificate on the device. The private key lives in the device keychain, where the broker apps (Microsoft Authenticator, Company Portal) and the Enterprise SSO plug-in can present it. That certificate binds hardware to directory: brokered sign-ins carry a certificate-backed device claim, and in Safari, Entra identifies the device by prompting for the client certificate. No certificate at sign-in means Entra sees a user with no device — however healthy the Intune record looks. In short: enrollment establishes management, registration establishes identity, and compliance-driven Conditional Access needs both.
The Chain That Makes Compliance Mean Something
Intune evaluates compliance policies against the enrolled device as it checks in.
The verdict is stamped onto the Entra device object as its compliant flag — the Intune record holds the detail, the Entra record holds the answer.
The sign-in presents the device identity — the SSO plug-in or broker app attaches the certificate-backed claim.
Conditional Access matches the claim to the record, reads the flag, and grants or blocks.
1 · EvaluateIntune checks compliance at check‑in
2 · StampVerdict lands on the Entra object's compliant flag
3 · PresentSign-in carries the certificate-backed device claim
4 · DecideConditional Access reads the flag — grant or block
The chain fails closed: a device whose registration never completed presents nothing at step 3, so a require-compliant-device grant fails even while the Intune blade shows green. That isn't a compliance problem, and re-enrolling won't fix it faster than completing the registration would.
Tip
The device overview in Intune shows the Microsoft Entra Device ID — the join key between the two portals. When records multiply, match on it, never on display names.
Entra registered, keyed to a per-enrollment ID — not the serial
During the Settings sign-in that performs the enrollment
The pattern to internalize: Setup Assistant and the enrollment profile get the device managed; registration is a second, interactive handshake that needs an Entra sign-in on the device itself. Historically that was Company Portal's job; with just-in-time registration it happens at the first sign-in to any work app. Until then, a freshly provisioned ADE device sits in the gap — managed, compliant in the Intune blade, and invisible to device-based Conditional Access.
Where Duplicate and Stale Records Come From
Wipe and re-enroll. The wipe destroys the keychain, and the workplace-join certificate with it. Re-enrollment completes a fresh registration and creates a new Entra object; the old one lingers with its timestamp frozen. Routine Return to Service cycles produce these by design — budget for cleanup.
Restore from backup. Backups never carry the management profile, so a user migrating to new hardware by restore arrives looking configured but unmanaged and unregistered. The fresh enrollment creates new records while the old device's linger, and a restored Company Portal can show stale state until the next sign-in.
The activity timestamp is coarse. It updates only when the stored value is more than 14 days old (with about a five-day variance) — anything younger than roughly three weeks is noise, not a liveness signal.
Step-by-Step: Clean Up Records Safely
Cleanup needs the Intune Administrator or Cloud Device Administrator role, and a deliberate order:
Clean the management side first. Retire or delete the dead Intune record — stale device cleanup automates the find-and-action. Intune deletions remove the Intune object only; the Entra object survives independently.
Identify Entra candidates by activity timestamp. Export the list before acting — the export is your undo plan for everything except deletion, which has none.
Match on device ID, not name. Duplicates share display names by construction; the live record is the one matching the Entra Device ID on the active Intune object.
Disable before deleting. A disabled record stops satisfying Conditional Access but is reversible. Give it a grace period.
Delete after the grace period. Deletion is permanent, and it removes the directory identity only — the device itself keeps a registration state it can no longer use.
Verification
The user's device list in Entra shows one record per physical device, matching the active Intune object.
A sign-in to a Conditional Access-protected app from the surviving device still gets a grant — you removed the twin, not the identity in use.
No new device-limit complaints — stale registrations quietly consume per-user headroom.
Caution
Deleting the Entra record of a working device is the self-inflicted outage here: the device keeps a certificate the directory no longer recognizes, and every device-based grant starts failing for that user. Recovery is a fresh registration — Company Portal sign-out and sign-in, or a retire and re-enroll in stubborn cases.
Hardening the Identity: Managed Device Attestation
Registration proves possession of key material; it doesn't prove what hardware holds it. Managed Device Attestation closes that gap: the Secure Enclave generates keys that cannot leave the silicon, and Apple's attestation servers vouch cryptographically that the request comes from a genuine, specific device. Classic registration binds the record to a certificate that could theoretically be exfiltrated; attestation binds it to physics — the strongest anchor a Conditional Access posture can stand on.
Insights
When Intune says compliant and Entra says noncompliant, registration never completed. The fix is an interactive sign-in on the device — Company Portal or any SSO-extension app — not a re-enroll, which rebuilds the same gap with more downtime.
Processes keyed on serial numbers silently miss Account-driven User Enrollment records, which deliberately carry a per-enrollment ID. Reconcile BYOD inventory by user, not hardware.
Do inventory hygiene in Intune and identity hygiene in Entra — in that order, on a schedule. Tenants that clean only one side accumulate the half-orphaned records that make every future cleanup scarier.
How Intune's per-setting policy surface maps to Apple payloads — and the conflict rules that govern it.
The Settings Catalog is the modern home for iOS configuration: every setting individually selectable, mapped 1:1 to Apple's MDM payload keys, with per-setting reporting. New Apple capabilities land here first.
Practical rule: new policies go in the Catalog; keep Templates only where the Catalog hasn't absorbed the payload yet (some Wi-Fi/VPN scenarios) or where an existing fleet depends on them.
Finding Settings
The Catalog's search matches both Intune's friendly names and Apple's raw key names — searching allowAirDrop or "AirDrop" both work. When Microsoft's description is thin, look the key up in Apple's Device Management documentation — the Catalog is a UI over that spec, and Apple documents supervision and OS-version requirements per key.
Conflict Resolution — Memorize This
Restrictions: when two profiles disagree, the most restrictive value wins. A single allow can never override a block.
Other payload types (Wi-Fi, SSO, etc.): conflicting duplicates produce a conflict state and neither applies reliably — per-setting reporting shows exactly which key collided.
Corollary: keep each setting in exactly one policy. The baseline's one-policy-per-area split exists for this reason.
Operational Hygiene
Name policies so the assignment story is readable at a glance: iOS-<Area>-<Audience>-v<N>.
One purpose per policy; resist the 200-setting mega-profile — it can't be piloted, diffed, or rolled back sanely.
Document the why in each policy's description field. Future-you and auditors both read it.
Policies are Graph objects (deviceManagement/configurationPolicies) — version them with IntuneCD for config-as-code backup and diffing.
Do
Put new policies in the Settings Catalog
Keep each setting in exactly one policy
Name for the assignment story: iOS-<Area>-<Audience>-v<N>
Document the why in the description field
Don't
Build 200-setting mega-profiles — they can't be piloted, diffed, or rolled back
Duplicate a setting across profiles — non-restriction payloads land in a conflict state
Expect an allow to win — restrictions resolve to the most restrictive value
PSK and 802.1X enterprise Wi-Fi for iOS — including the MAC randomization gotcha.
Push Wi-Fi so devices join the right network before the user can mistype a passphrase. Two tiers: simple PSK, and certificate-based enterprise (EAP-TLS) — the second is where iOS fleets earn their keep.
the segment is guest or IoT-gradePSK profileSSID + pre-shared key, connect automatically — quick and adequate there.
it's a corporate data networkEnterprise EAP-TLSThe device authenticates with a certificate — no passwords anywhere.
Prerequisites
Network facts agreed with the network team: SSID, security type, and (for PSK) the passphrase.
For EAP-TLS: a working certificate issuance chain (trusted root + SCEP) and the exact server names on your RADIUS certificate.
A decision per SSID on whether network tooling needs the hardware MAC (corporate networks) or privacy-preserving randomization is fine (guest) — see the gotcha below.
Step-by-Step: Basic (PSK) Profile
Create the profile.Devices > iOS/iPadOS > Configuration > Create — Wi-Fi (Templates, or the Catalog's Wi-Fi category).
Set the SSID and turn on Connect automatically so devices join without user action.
Leave Hidden network off unless it truly is hidden — hidden SSIDs add probe noise, not security.
Choose the security type — WPA/WPA2/WPA3 Personal — and enter the pre-shared key.
Add per-network proxy settings if your egress design requires them.
Assign to the target device group and deploy.
Good for guest/IoT-grade segments. Corporate data networks deserve certificates.
Step-by-Step: Enterprise (EAP-TLS) Profile
The gold standard: the device authenticates with a certificate, no passwords anywhere. Build order matters — three profiles, deployed together:
Deploy the trusted certificate profile — your root (and issuing) CA, so the device trusts the RADIUS server. (Certificates guide)
Deploy the SCEP certificate profile — issues the device its identity cert.
Create the Wi-Fi profile (Enterprise) — EAP type EAP-TLS, Identity certificate = the SCEP profile from step 2, Server Trust > certificate server names matching your RADIUS server's cert.
Assign all three profiles to the same group. Intune sequences the dependencies automatically; reporting on the Wi-Fi profile shows "pending" until the SCEP cert lands.
Profile 1Trusted certificateRoot + issuing CA so the device trusts RADIUS
Profile 2SCEP certificateIssues the device its identity cert
Profile 3Wi-Fi (Enterprise)EAP-TLS, identity cert + server trust names
AssignAll three to the same groupWi-Fi shows pending until the SCEP cert lands
The MAC Randomization Gotcha
Since iOS 14, devices present a per-network private (randomized) MAC address by default — which breaks MAC-based NAC, DHCP reservations, and Wi-Fi analytics keyed on hardware MACs. The Intune Wi-Fi profile exposes a MAC address randomization setting — set it to use the static (hardware) MAC on your corporate SSIDs where network tooling depends on it. Leave randomization alone on guest networks; it's good privacy hygiene there.
Verification
Profile reporting shows Succeeded for all deployed profiles — a Wi-Fi profile stuck at Pending usually means the SCEP certificate hasn't issued yet.
On a pilot device, the SSID joins without prompting, and the identity certificate is visible inside the management profile details.
Ask the network team to confirm one successful EAP-TLS authentication in the RADIUS logs — that single log line proves the entire chain end to end.
Insights
Deploy the Wi-Fi profile in the enrollment-time policy set so ADE devices land on corporate Wi-Fi during Await Final Configuration — otherwise first-boot app installs ride whatever network the user picked.
Removing a Wi-Fi profile removes the network and its stored credentials — sequencing matters during SSID migrations: add the new profile, confirm fleet adoption, then retire the old one.
802.1X failures are almost always server trust (RADIUS cert name not listed) or an expired device cert — check those before blaming the WLAN team, and they'll do the same for you.
Device-wide, per-app, and always-on VPN for iOS — and where Microsoft Tunnel fits.
iOS VPN comes in three escalating flavors. Most enterprises should be running the middle one and don't know it.
users need classic full-device remote accessDevice-wide VPNIKEv2 or a vendor client; user-initiated or on-demand rules.
corporate apps need internal access and personal traffic must never touch your gatewayPer-app VPNTunnel activates only for designated managed apps — the one most fleets should run.
a regulated fleet must tunnel everything, alwaysAlways-On VPNSupervised-only, IKEv2-only, no user off-switch — pilot longer than feels necessary.
1. Device-Wide VPN
The classic: a VPN profile (IKEv2 native, or a vendor connection type — Cisco Secure Client, GlobalProtect, FortiClient, F5 Access, Zscaler, Check Point, and friends) the user or on-demand rules activate. Configure under Devices > Configuration > VPN (Template or Catalog):
Connection type determines which client app must also be deployed (VPP, required) — the profile configures the vendor's app, it doesn't replace it.
On-demand rules can auto-connect when specific domains are requested.
2. Per-App VPN (the one you probably want)
The standout iOS capability: the tunnel activates only for designated managed apps — corporate apps reach internal resources, personal traffic never touches your gateway. Better privacy, smaller attack surface, happier users.
Setup is two halves, and the second half is the step everyone misses:
Create the VPN profile with per-app VPN enabled (the vendor must support it — most do).
Associate the profile on the app assignment. In the app assignment (the VPP/LOB app's Required assignment), associate the per-app VPN profile. The association lives on the assignment, not on the profile — configure the profile alone and the tunnel never activates.
Safari can participate via Safari domains listed in the profile: matching URLs route through the tunnel.
3. Always-On VPN
Supervised-only, IKEv2-only: the device tunnels all traffic, always, with no user off-switch. Reserved for regulated/high-security fleets — it's operationally unforgiving (gateway outage = fleet outage). Configure deliberately, pilot longer than feels necessary.
Microsoft Tunnel
Microsoft's own VPN gateway: a Linux-hosted appliance, with the iOS client delivered inside Microsoft Defender — one app provides MTD and per-app VPN. If you're already deploying Defender for iOS and need lightweight internal access, Tunnel avoids introducing another vendor. Conditional Access can gate the tunnel itself.
Verification
Per-app: launch a designated managed app and confirm it reaches an internal resource while non-designated traffic does not — that asymmetry is the feature working as designed.
Device-wide / always-on: the VPN indicator shows on the device, and the gateway's session table lists the device.
Check per-device deployment status on the profile; a per-app tunnel that never activates almost always means the app-assignment association (step 2) was skipped.
Insights
Per-app VPN + Defender's web-protection loopback VPN can coexist (the loopback isn't a real tunnel), but stacking multiple real VPN vendors on one device is misery — pick one.
Test the failure mode: what does the LOB app show users when the gateway is down? "Spinning forever" generates tickets; work with the app team on a timeout message.
The certificate chain that powers Wi-Fi, VPN, and app authentication on iOS.
Certificates are the quiet dependency under everything good: EAP-TLS Wi-Fi, per-app VPN auth, and password-less access to internal systems. iOS handles them beautifully — once the issuance chain is built.
The Three Profile Types
Profile
Purpose
Notes
Trusted certificate
Installs your root/issuing CA public certs
The anchor; deploy first, everything references it
SCEP certificate
Device requests its own identity cert
Per-device keys, never leave the device — the default choice
PKCS imported/PKCS
CA-side key generation, pushed to device
For scenarios needing key escrow (S/MIME) or specific CA constraints
Issuance Backends — Pick One
Microsoft Cloud PKI (Intune Suite add-on): Microsoft-hosted CAs purpose-built for Intune SCEP — no on-prem connector, no NDES, stand up issuance in an afternoon. The default recommendation for new builds without an existing PKI mandate.
Your enterprise CA via the Certificate Connector for Intune: the on-prem path — install the connector, publish templates, point SCEP profiles at it. Right answer when AD CS already runs your world.
Third-party CAs (DigiCert, Sectigo, EJBCA, SCEPman, etc.) via their Intune integrations — SCEPman in particular is a popular Azure-native community favorite for Intune-only PKI.
you're building new with no existing PKI mandateMicrosoft Cloud PKIIntune Suite add-on; no connector, no NDES — issuance in an afternoon.
AD CS already runs your worldEnterprise CA + Certificate ConnectorInstall the connector, publish templates, point SCEP profiles at it.
you want a third-party or Azure-native serviceThird-party CA integrationDigiCert, Sectigo, EJBCA — SCEPman is the community favorite for Intune-only PKI.
Step-by-Step: Build the Issuance Chain
Deploy the Trusted certificate profile first. Export your root (and issuing) CA public certs, create the profile, and assign it to the target group — every SCEP profile references it, so it anchors everything that follows.
Create the SCEP profile.Devices > Configuration > Templates > SCEP certificate (iOS/iPadOS), then work through the settings:
Subject name format: e.g. CN={{DeviceName}},O=YourOrg — token variables ({{AAD_Device_ID}}, {{SerialNumber}}, {{UserPrincipalName}} on user-affinity devices) make certs traceable
SAN: include {{AAD_Device_ID}} as URI for Entra-aware services
Validity: 1 year is the sane default; shorter if your backend automates renewal cleanly (Intune renews automatically near expiry)
Root certificate: link the Trusted certificate profile
SCEP server URLs: from Cloud PKI / your connector
Assign both profiles to the same groups so issuance can complete in one policy cycle — a SCEP profile without its trusted root never finishes.
Verification
Profile reporting shows Succeeded for both the trusted root and the SCEP profile; on the device, the issued identity certificate is visible inside the management profile details.
Your CA's issued-certificates log shows one cert per device with the expected subject — duplicates or rapid re-issuance point at a profile misconfiguration.
Test one downstream consumer end to end (an EAP-TLS Wi-Fi join or a per-app VPN authentication) — certificates only matter insofar as the things they authenticate actually work.
Insights
Renewal is silent until it isn't. Intune re-issues before expiry, but a broken connector fails silently fleet-wide; alert on the connector's health and on Wi-Fi auth failure spikes — that's your early warning.
Certs issued to the device die with the management profile — a retire/wipe revokes access to everything cert-gated instantly. That's a feature; document it for the helpdesk.
One identity cert can serve both Wi-Fi and VPN profiles — reference the same SCEP profile from each rather than issuing duplicates.
Wallpaper, lock screen messages, and pinned icon layouts — turning a fleet into your fleet.
Branding settings are supervised-only and pure quality-of-life — but on shared, kiosk, and frontline fleets they're the difference between "an iPad" and "our iPad." All of it lives in supervised territory (ADE).
Applies toSupervised (ADE) corporate hardware only
Console pathDevices > Configuration > Templates > Device features
RequiresPortrait PNG, asset-tag scheme, if-lost contact line
ScopeShared, kiosk, and frontline fleets — skip 1:1 knowledge workers
Prerequisites
Supervision — every control on this page requires it, which in practice means ADE-enrolled, corporate-owned hardware.
Assets and copy ready: a portrait PNG for wallpaper, your asset-tag scheme, and the if-lost contact line.
Step-by-Step: Home Screen Layout
Open the template.Devices > Configuration > Templates > Device features > Home screen layout (supervised).
Define the Dock. 4–6 daily-driver apps: Outlook, Teams, your LOB app — the things a user reaches for hourly.
Lay out pages and folders for the curated set. Apps not in the layout flow onto later pages automatically — you're pinning the front door, not cataloguing everything.
Position web clips like apps — pin the intranet portal next to Outlook.
Assign to the shared/kiosk/frontline device groups and deploy.
Reality check: users on 1:1 personal-enabled devices resent frozen layouts. Use layout policies on shared/kiosk/frontline fleets; skip them (or dock-only) for knowledge workers.
Step-by-Step: Wallpaper
Prepare the asset. A portrait PNG sized generously — devices scale down better than up — with a high-contrast logo. A branded lock screen makes pool devices identifiable across a room; operationally underrated in hospitals and warehouses.
Configure the same Device features template (supervised): push the image to the lock screen, home screen, or both.
Test on both iPhone and iPad aspect ratios before any fleet-wide push — one asset rarely flatters both without checking.
Step-by-Step: Lock Screen Message (the asset tag trick)
Find the settings. Settings Catalog > search Lock Screen Message.
Set Asset tag information: e.g. Asset: CFA-00231 · IT: x4357 — it shows on the lock screen and in Settings > General > About.
Set the "If Lost, Return To…" footnote text. Combined with Lost Mode, this is your loss-recovery funnel: every honest finder sees exactly who to call without unlocking anything.
Verification
After the next check‑in on a pilot device, lock it and read the lock screen exactly the way a finder would: wallpaper, asset tag, and if-lost line all present.
Confirm the asset tag also appears under Settings > General > About — that is where the helpdesk will look during calls.
Check the home screen layout applied: Dock contents and page order match the policy.
Naming Ties It Together
Branding on glass should match identity in the console — the Bulk Device Rename script enforces a naming convention (IOS-<site>-<serial-tail>) across the fleet so the label, the lock screen, and the Intune object all agree.
The iOS 18+ AI restriction set — what each control governs and a sane enterprise posture.
Apple Intelligence (iOS/iPadOS 18+ on supported hardware) brought a new family of MDM restrictions, and "what's our AI policy on phones?" is now a question every iOS admin gets. Here's the control surface and a defensible default.
Applies toiOS/iPadOS 18+ on supported hardware
RequiresSupervision for most controls
Console pathSettings Catalog > Restrictions
RenewalRe-run the Catalog search every OS cycle — Apple adds keys each release
Where the Controls Live
Settings Catalog > Restrictions — search "intelligence", "Genmoji", "writing", or "playground" to surface the family. Most require supervision, and Apple adds keys each OS cycle — re-run that search after every major release and check Apple's device management documentation for per-key OS requirements.
The Control Family
Control
Governs
Writing Tools
System-wide rewrite/proofread/summarize in any text field — including corporate app content
Mail / message summarization
AI-generated summaries of (potentially sensitive) correspondence
Genmoji
Generated emoji
Image Playground / Image Wand
On-device image generation features
External intelligence integrations
The big one: hand-off of requests to external providers (the ChatGPT integration) — blockable independently of on-device features
Siri request history / external processing controls
Where assistant requests may be processed
The Data-Flow Mental Model
Apple processes most Apple Intelligence requests on-device, escalating heavier requests to Private Cloud Compute (Apple silicon servers, cryptographically attested, no retention per Apple's design). External integrations (ChatGPT) are a separate, explicit hand-off to a third party — which is why the controls split there. Your legal/security stance on "Apple PCC" vs "third-party AI" can differ, and the keys let you encode that difference.
A Defensible Baseline Posture
Tier
Posture
External integrations (ChatGPT)
Block until counsel explicitly approves a third-party AI data path
Summarization of Mail/Messages
Block in regulated environments; allow elsewhere
Writing Tools
Allow — blocking it punishes productivity for little risk reduction (data stays in Apple's path)
Genmoji / Image Playground
Allow; block only on locked-down frontline fleets where it's pure distraction
Whatever you choose, write the rationale into the policy description — this is the restriction family auditors ask about first now.
Step-by-Step: Put the Posture in Place
Create the policy.Devices > iOS/iPadOS > Configuration > Create > Settings catalog, named so the intent is obvious later, e.g. iOS-Restrictions-AppleIntelligence-v1.
Add the restriction keys. Search the Restrictions category for the family ("intelligence", "Genmoji", "writing", "playground") and set each control according to the tier table above.
Record the decision. Put the rationale — what is blocked, why, and who approved the external-integration stance — into the policy description field before assignment.
Pilot on hardware that actually supports Apple Intelligence. Ineligible devices silently ignore the keys, so a pilot ring of older hardware proves nothing about the restrictions working.
Assign broadly, then re-audit every OS cycle. Apple adds keys each release; re-run the Catalog search after every major version and fold new controls into the policy deliberately rather than letting them default.
Insights
These restrictions interact with device eligibility: older hardware without Apple Intelligence simply ignores the keys — fine, but it means reporting "policy applied" ≠ "feature existed to restrict."
Pair the MDM posture with your App Protection story: APP's data-egress rules already prevent pasting corporate data into a personal ChatGPT app — the restriction keys close the system-integration path specifically.
What Intune can and can't do with cellular — and the operational traps in eSIM fleets.
eSIM-only iPhones made cellular an endpoint-management problem. Set expectations correctly: Intune observes and protects cellular configuration well, but provisioning lives with your carrier.
What Intune Gives You
Inventory: per-device hardware blade (and Graph) reports EID, ICCID, IMEI, phone number, and carrier — everything your telecom team needs for reconciliation.
Protection: the wipe action's "Retain cellular data plan" option — the single most important checkbox in eSIM fleet operations (below).
Configuration: a Cellular payload (Settings Catalog/custom profile) for APN settings in private-APN/IoT deployments.
Restrictions: block users from modifying eSIM settings / removing the plan (supervised) — stops the accidental "deleted my work line" ticket.
What Intune Doesn't Do
Activating a plan onto a device. eSIM provisioning paths are: carrier activation at point of sale, the carrier's app/QR flow, or carrier eSIM orchestration platforms that push profiles by EID. Enterprise pattern: ship your carrier a CSV of EIDs (export via Graph) and they pre-provision — pair that with ADE and a device arrives with management and service, zero touch.
The Wipe Trap (Read Twice)
A standard Wipe erases the eSIM along with everything else. The device returns to a user — or worse, a remote field tech — with no cellular service and possibly no Wi-Fi to recover with. Check "Retain cellular data plan" on every wipe of a device that will be redeployed with its line. Wipe without it only when the line should genuinely die with the assignment.
Train the helpdesk on this before the first remote-worker redeploy, not after.
Do
Check Retain cellular data plan on every wipe of a device that keeps its line
Train the helpdesk before the first remote redeploy
Pilot the full lifecycle with your carrier: provision → wipe-with-retain → reassign → terminate
Automate the EID → user → line mapping from day one
Don't
Run a standard wipe on a device that will be redeployed with its plan — it erases the eSIM
Expect Intune to provision plans; activation lives with the carrier
Leave EID reconciliation for later — retrofitting it across a fleet is a quarter of someone's life
Insights
Pilot your carrier, not just your devices. eSIM transfer/redeploy behavior varies meaningfully between carriers; run a full lifecycle (provision → wipe-with-retain → reassign → terminate) before committing the fleet.
Dual-SIM (work eSIM + personal physical/eSIM) is increasingly the BYOD-adjacent ask — Intune sees both identifiers; your acceptable-use policy should say which line the org pays for and controls.
Keep EID → user → line mapping automated from day one (inventory script + telecom billing export); reconciling it retroactively across 2,000 devices is a quarter of someone's life.
The modern iOS network-control payloads — relays as the VPN successor, encrypted DNS, and filter architecture.
VPN profiles cover the classic tunnel; this page covers the payload family Apple built for the post-tunnel era — network controls that shape traffic without a legacy VPN's weight.
your ZTNA/secure-edge vendor exposes relay-compatible endpointsRelay payloadDomain- or app-scoped MASQUE transport — no packet-tunnel extension, better battery, the bridge out of VPN debt.
you want the cheapest meaningful network-security winDNS payloadProtective DoH/DoT resolvers enforced at the OS, following the device onto every network.
you need real web policy from a security vendorFilter-provider payloadPoints at the vendor's filter extension — one provider per scope, never stacked.
Network Relay (the VPN Successor Pattern)
The relay payload configures Apple's built-in relay client (the MASQUE/HTTP-3-based transport behind iCloud Private Relay, opened to enterprise): traffic to defined domains routes through your relay infrastructure — per-app or domain-scoped — with no packet-tunnel extension, no third-party client app, and dramatically better battery and connection-migration behavior than device-wide VPN. The fit: organizations on ZTNA/secure-edge platforms whose vendors expose relay-compatible endpoints, replacing per-app VPN for web-shaped corporate access. The strategic note: relays are the bridge out of VPN debt, not another tunnel to accumulate.
Encrypted DNS (DNS Settings Payload)
The DNS payload pins devices to DoH/DoT resolvers — your protective DNS, enforced at the OS — with optional always-on behavior on supervised devices. This is the cheapest meaningful network-security control on the platform: phishing/malware domain blocking that follows the device onto every network, deployed as one payload.
Content Filter Architecture
Filtering on iOS is payload-mediated, two-tier: the built-in restrictions (limit adult content / allow-list) for blunt needs, and filter-provider payloads pointing at a vendor's filter extension for real policy — the MTD/Defender class of products ride this for web protection. One provider per scope; stacking filter providers recreates the classic two-security-agents-one-hook conflict in network form — multiple extensions claiming the same traffic produce breakage nobody can cleanly triage, so pick a single provider and document the choice.
Insights
Decide the sequencing against per-app VPN explicitly — relay, VPN, DNS, and filter payloads all touch the same flows, and the interaction matrix is yours to own: document which control owns which traffic class or the first conflict ticket will be unsolvable by anyone who didn't write the profiles.
The DNS payload is the quiet BYOD-tier win: protective DNS on enrolled devices costs users nothing visible and closes the commodity-phishing door — deploy it before the fancier layers.
The ecosystem features as policy surface — sharing, casting, and cross-device handoff under management.
Apple's ecosystem magic — AirDrop, AirPlay, Handoff, clipboard sync — is also a set of data paths, and managed fleets decide each one on purpose. The restrictions catalog's ecosystem family, organized by what's actually at stake:
AirDrop
The headline decision. Options run from off (regulated fleets — AirDrop is unauditable point-to-point file transfer) through managed-devices-only postures via the managed pasteboard/sharing boundary interactions, to open with managed open-in doing the data-boundary work (the common knowledge-worker landing: AirDrop exists, but corporate documents can't leave managed apps to ride it). Decide per data classification, write the one-liner for users, move on.
AirPlay and Casting
The conference-room reality: AirPlay to meeting-room hardware is a productivity feature; AirPlay to arbitrary receivers is a projection-of-confidential-content risk. The control set: restrict AirPlay targets via allow-listed receivers/passwords where rooms are managed, and pair with the screen-capture/recording restrictions that govern the adjacent risk on regulated fleets.
These ride the user's Apple Account across their devices — and that is exactly the question: corporate data continuing onto unmanaged personal hardware. On supervised corporate devices, Handoff/clipboard restrictions close the path; on BYOD, the workable answer is App Protection's cut/copy boundary governing the data rather than fighting the feature. The underlying discipline is iCloud-boundary thinking: decide which Apple Account data paths corporate data may ride, write the decision down, and apply it consistently across every ecosystem feature.
Do
Decide each data path per data classification — then write the one-liner for users
Allow-list AirPlay receivers (and passwords) where rooms are managed
Govern BYOD with App Protection's cut/copy boundary instead of fighting the feature
Test restrictions in the actual conference room
Don't
Block ecosystem features without explanation — mystery breakage breeds personal-device workarounds
Leave Apple Account data paths undecided while corporate data rides them
Let confidential content project to arbitrary receivers on regulated fleets
Insights
This family is where the restraint doctrine earns trust: block what the data classification demands, leave the rest — a fleet where AirDrop mysteriously "doesn't work" without explanation breeds workarounds (personal devices in the workflow), a worse outcome that happens to look compliant.
Test in the actual conference room: AirPlay restrictions interact with receiver firmware and network segmentation, and the ten-minute room test beats the theoretical matrix every time.
Apple's modern management protocol — desired state on the device, not commands from the server.
Declarative Device Management (DDM) is Apple's next-generation management protocol, introduced at WWDC 2021 and expanded every release since. It runs inside an existing MDM enrollment — same channel, new grammar.
The Mental Model Shift
Legacy MDM is imperative: the server sends a command ("install this update"), the device executes it (maybe), and the server polls for status. Latency, drift, and "did it actually happen?" are baked into the design.
DDM is declarative: the server sends a declaration describing the desired state ("be on iOS 17.5.1 by June 20, 18:00 UTC"), and the device takes ownership of getting there — scheduling, retrying, notifying the user, and enforcing the deadline autonomously, even if it can't reach the server at the moment of truth.
1 — DeclareServer sends desired state"Be on iOS 17.5.1 by June 20, 18:00 UTC"
2 — Device owns itSchedules, retries, notifies, enforcesAutonomous — even if the server is unreachable at the deadline
3 — Status flows backDevice reports state changes proactivelyNo polling — reporting freshness improves dramatically
The Building Blocks
Concept
What it is
Declarations
The desired-state payloads: configurations, activations, assets, and management properties
Activations
Logic that decides when a configuration applies (can include predicates)
Status channel
The device proactively reports state changes — no more polling
Assets
Referenced content (e.g., per-user data) that declarations can point to
The status channel is the underrated half: when a device installs the update, changes passcode state, or drifts, it tells the server immediately. Reporting freshness in Intune improves dramatically for DDM-managed state.
Software update enforcement via DDM: iOS/iPadOS 17+ — this is the scenario Intune exposes today and the one that matters operationally.
What This Means in Intune
You don't toggle DDM on. Intune delivers supported payloads declaratively when the device qualifies — most visibly the Software Update enforcement settings in the Settings Catalog. Your job is simply to prefer those payloads over their legacy equivalents.
Target OS Version — exact version string, e.g. 17.5.1
Target Date Time — enforcement deadline. Entered/stored in UTC; do the timezone math for your users
(Optional)Target Build Version — only when you must disambiguate builds
Assign to the ring's device group. Repeat per ring with staggered deadlines.
What the User Experiences
Declaration lands silently; the device begins downloading the update on its own schedule (charger + Wi-Fi preferred).
Notifications start polite and get insistent as the deadline approaches — including a final countdown phase the user cannot dismiss away forever.
At deadline: install proceeds. If a passcode is set, iOS prompts for it; an ignored prompt results in installation at the next practical opportunity (lock/charge), and the OS treats the deadline as binding.
Verification
Devices > Monitor > the Apple software updates reporting surfaces per-device update state (DDM status reports make this near-real-time compared to legacy).
Per-device: the device blade shows the installed OS version refreshed by the status channel.
After a ring's deadline passes, spot-check one device: the installed OS version matches the declaration's target — that single comparison proves the policy end to end.
Real-world DDM update behavior that the docs won't tell you.
Field notes from running DDM update enforcement on production fleets.
UTC will bite you once. Target Date Time is UTC. A "5:00 PM" deadline entered naively becomes mid-morning enforcement for US time zones. Decide deadline in local terms, convert deliberately, write the local time in the policy name or description.
Give real runway. Deadlines less than ~48–72 hours out skip most of the polite-notification phase and feel hostile to users. The design shines when the device has days to find its own charger-and-Wi-Fi moment.
Don't stack legacy update policies on top. Remove old Update policies for iOS/iPadOS assignments from devices that get DDM enforcement. They don't merge; they confuse both your reporting and occasionally the device.
Exact version strings matter.17.5.1 and 17.5 are different declarations. When Apple ships a same-week security respin, update the policy — the device won't "round up" on its own.
Offline enforcement is real. Devices that received the declaration enforce at deadline even with Intune unreachable — great for field devices, surprising the first time a device in a drawer updates itself.
Low battery is the most common "it didn't update" cause. The device defers installation until charging conditions are reasonable; deadlines effectively resolve at the next charge. Tell your helpdesk before they escalate.
Deferral + enforcement is the complete system. Enforcement without deferral restrictions lets eager users jump to day-one releases before validation. Deferral without enforcement lets laggards live on old builds forever. You need both halves.
Apps as declarations — the autonomous install model that does to app deployment what DDM did to updates.
DDM's premise — ship the device a desired state and let it converge autonomously — was proven on software updates; Apple has been extending the same model to apps: app declarations the device honors itself, reporting status back through DDM's status channel rather than waiting on command-queue round-trips.
What Changes vs Command-Based Installs
The classic VPP install is imperative: the server sends InstallApplication, the device obeys (eventually), the server polls for truth. Declarative apps invert it: the declaration states this app, this configuration, present — and the device owns convergence: installing when conditions allow, retrying on its own after transient failures, re-asserting if the app vanishes, and reporting state proactively through status subscriptions. The pending-forever class of ticket is exactly what this architecture deletes.
DeclareDesired state lands"This app, this configuration, present"
ConvergeDevice installs when conditions allowRetries transient failures on its own
Re-assertState is defendedIf the app vanishes, the device puts it back
ReportStatus flows proactivelyStatus subscriptions, not command-queue polling
The Practical State of Play
This is a capability arriving in stages — OS support landed before management-platform surfacing, and what Intune exposes evolves by release. The pragmatic operating posture: know the model now (it's where the platform is going), watch the What's New feed for the Intune-side surfacing of declarative app configuration, and design new app-deployment standards so the intent layer (which apps, which populations — your assignment taxonomy) is independent of the delivery mechanism, which is precisely what makes mechanism upgrades free.
Why It Matters Beyond Speed
Declarations compose: an app declaration can participate in DDM's predicate/activation logic — state that applies when conditions hold — which points at app management that reacts on-device to context without server round-trips. The update-enforcement page's lesson generalizes: the device is the best agent of its own state.
Insights
The migration thinking to start now: inventory which of your app deployments are state ("these 12 apps, always present, current") versus events ("push this once") — the state set is the natural DDM-apps cohort, and naming it today makes the eventual cutover a targeting exercise instead of a redesign.
Apple's emergency patch lane — what RSRs are, the MDM controls that govern them, and where they fit in your update strategy.
Rapid Security Responses are Apple's out-of-band patch vehicle: small, fast security fixes (the "(a)" suffix builds) that ship between full OS updates — installable without a full update cycle and, distinctively, removable. They exist for the actively-exploited-in-the-wild class of vulnerability where waiting for the next point release is the wrong answer.
Applies toDevices on the latest OS — laggards aren't eligible
Patch laneOut-of-band "(a)" suffix builds between point releases
MDM restrictions govern the RSR experience on supervised devices:
Allow/disallow RSR installation — whether devices take responses at all; the corporate default should be allow (these are the patches whose entire reason is urgency)
Allow/disallow RSR removal — whether users can roll one back; managed fleets generally disallow removal, since "user uninstalled the emergency mitigation" is not a state you want discoverable in an incident review
These sit alongside — not inside — your DDM update enforcement: DDM deadlines drive scheduled OS currency; RSR policy governs the emergency lane. Two lanes, two doctrines, deliberately different speeds.
How to Run It
Allow installs fleet-wide, block removal — the boring, correct posture
Don't ring RSRs like point releases: their value is speed, and a three-week bake on an actively-exploited fix inverts the risk math. The ring-1 canary still exists — it just measures in hours, not weeks
Verify uptake: RSR state surfaces in OS version strings — the inventory report's version column showing the lettered suffix is your coverage proof when security asks
Insights
RSRs apply to the latest OS — a fleet lagging on point releases isn't eligible for the emergency lane, which is one more argument for the DDM deadline discipline keeping the fleet current: emergency patching is a privilege of the up-to-date.
When an RSR ships, the comms move is pre-written one-liner territory: "Apple shipped an urgent fix; your device may install it quickly and prompt for a short restart — that's expected and protective." Thirty seconds of comms converts a confusion spike into a non-event.
True multi-user iPadOS for frontline, clinical, and education fleets.
Shared iPad is Apple's only true multi-user mode: multiple people share one iPad, each signing in with a Managed Apple Account to get their own separated workspace — apps see per-user data, sign-ins persist between sessions, and a returning user picks up where they left off.
How It Works
The iPad partitions local storage among a configurable number of cached users. A returning cached user signs in to their data instantly; a new user beyond the cache triggers eviction of the least-recent.
User data syncs against the Managed Apple Account, so a user can move between shared devices.
Temporary Sessions (guest mode) provide a sign-in-free session that is completely wiped when the user signs out — ideal for kiosks-with-flexibility, libraries, patient devices.
Hard Requirements
Requirement
Detail
Enrollment
ADE only, with Shared iPad enabled in the enrollment profile — cannot be retrofitted without a wipe
Identity
Managed Apple Accounts from ABM (federate with Entra ID so users sign in with work credentials) — except Temporary Sessions, which need no account
Hardware
Modern iPads with sufficient storage; user partitioning consumes space fast on 64 GB models
Healthcare: nurses sharing cart iPads across shifts
Retail/frontline: shift workers with personal sign-in but pooled hardware
Education: the original use case (via Apple School Manager)
If users don't need their own state on the device, you may not need Shared iPad at all — a no-affinity ADE device with Single App Mode or a focused app set is far simpler to operate.
users need their own state on pooled hardwareShared iPadPer-user workspaces behind Managed Apple Accounts; sign-ins persist and follow users across devices.
the population is anonymous walk-up trafficTemporary SessionsSign-in-free guest sessions, completely wiped at sign-out — libraries, patient devices, loaners.
nobody needs personal state at allNo-affinity deviceADE without user affinity plus Single App Mode or a focused app set — far simpler to operate.
In ABM: Settings > Accounts, configure federated authentication with Microsoft Entra ID. Users then sign into Shared iPads with their existing work credentials; Managed Apple Accounts are created on the fly. (Manual MAA creation works but doesn't scale.)
Step 2 — Enrollment Profile
Devices > Enrollment > Apple tab > Enrollment program tokens > token > Profiles > Create profile > iOS/iPadOS:
User affinity: Enroll without user affinity
Shared iPad: Yes
Maximum cached users: balance storage vs sign-in speed. Rule of thumb: number of people who realistically rotate through a single device in a week. Fewer cached users = more storage each.
Or Temporary Sessions only for guest-style fleets — no Managed Apple Accounts needed at all.
Setup Assistant: skip aggressively; nobody should linger in setup on a shared device.
Assign serials, wipe/activate devices. Shared iPad state is set at activation.
Step 3 — Target Policies and Apps to Devices
Everything targets device groups (there is no persistent primary user):
VPP apps: Required, device licensed
Configuration: Wi-Fi, restrictions, Enterprise SSO plug-in — SSO makes the per-user Microsoft sign-in experience tolerable
A dynamic device group on the enrollment profile name keeps targeting automatic: (device.enrollmentProfileName -eq "SharedIPad-Production")
Step 4 — Session Settings (Settings Catalog)
Settings catalog > Shared iPad category exposes session behavior — temporary session timeouts, passcode requirements for MAA sign-ins, and quota-related options. Configure idle logout for clinical/retail floors so abandoned sessions close themselves.
Verification
Activate one device and confirm the Shared iPad sign-in screen appears at the end of setup — if it boots to a standard home screen, the enrollment profile's Shared iPad setting wasn't applied at activation.
Sign in with a test Managed Apple Account (or start a Temporary Session) and confirm apps, Wi-Fi, and the SSO experience land inside the session.
Sign out and back in: the returning user's workspace should restore quickly — that round-trip exercises caching, identity, and policy in one pass.
Operational truths about Shared iPad from production fleets.
First sign-in is the slow one. A new user's first session provisions their workspace and syncs account state — on weak Wi-Fi this is tens of seconds to minutes. Pilot users conclude "it's broken." Set expectations: first sign-in slow, returning sign-in fast.
Storage math is the design constraint. Usable space divides across the system, shared apps, and per-user partitions. On 64 GB iPads with heavy apps, more than 8–10 cached users gets cramped. Buy 128 GB+ for shared fleets and thank yourself later.
Eviction is silent. When cached-user slots overflow, the least-recently-used profile is purged locally (cloud-synced data survives; purely local app data does not). Apps that stash data outside proper sync get blamed for "losing" work — vet your LOB apps' data story before committing to Shared iPad.
Temporary Sessions wipe absolutely everything at sign-out. This is the feature. It's also why a patient/visitor who "saved" something locally cannot get it back. Signage near the device beats a helpdesk ticket.
Some apps just behave badly multi-user. Apps assuming a single keychain identity or device-bound licensing can cross-contaminate or break between users. Test every LOB app with two different accounts on one device before scale-out.
No affinity means no user-targeted policy. App config that depends on {{mail}}-style tokens resolves empty here. Apps must get user context at sign-in (MSAL + the SSO plug-in), not from MDM.
The sign-in screen is your brand moment. Shared iPad's lock screen lists cached users — combine with a wallpaper policy and clean device naming (SHARED-ER-CART-03) so staff grab the right device and IT can find it in Intune.
Quotas, temporary sessions, and sign-in behavior — the dials that decide whether shared carts feel fast or full.
Shared iPad's architecture and setup get devices into multi-user mode; this page is the tuning — the handful of settings that determine the daily experience once carts are in the field.
The Storage Math
Shared iPad partitions storage across cached user spaces; the core dial is how many users the device caches versus how much space each gets. The trade is explicit: more cached users = faster repeat sign-ins for a rotating population; fewer = more room per user for app data. Calibrate from the actual rotation: a cart serving the same 8 nurses caches 8 beautifully; a lobby device serving hundreds shouldn't cache deeply at all — which is the temporary-session conversation.
Temporary Sessions (the Guest Mode)
Temporary sessions let anyone tap in without credentials and wipe the slate at sign-out — the kiosk-adjacent mode for libraries, loaners, and exam carts. The control set: whether temporary sessions are offered at all, plus idle timeouts (auto-end abandoned sessions) and sign-out behavior. The decision rule: if the population is anonymous, temporary sessions beat shared-credential workarounds every time — credentials shared on a sticky note are the failure mode this feature exists to delete.
the same small crew rotates through the deviceCache the crewA cart serving the same 8 nurses caches 8 beautifully — repeat sign-ins stay fast, everyone keeps room.
hundreds of anonymous users pass throughTemporary SessionsDon't cache deeply — guest sessions wipe at sign-out and end the shared-credential sticky note.
Sign-In Experience
Managed Apple Accounts drive Shared iPad identity — federation makes the password the Entra password, and the sign-in screen's responsiveness rides your network's ability to reach Apple's auth quickly. Session timeouts tuned to shift rhythm close the loop: too short and users re-authenticate mid-task; too long and the next shift inherits a session.
Insights
The classic "Shared iPad is slow" ticket is storage pressure showing up as a performance complaint — a device at quota evicting/rebuilding user spaces on every rotation churns visibly. The inventory view's capacity data per cart tells you before users do.
Pilot the cache-count change on one cart and measure sign-in time — it's a thirty-second stopwatch test, and the number ends the meeting about it.
The three flavors of locking an iOS device to one app — and which one you actually want.
"Kiosk mode" on iOS is really three different mechanisms. Picking the right one up front saves a redeploy.
The Three Flavors
Single App Mode (SAM)
Autonomous SAM (ASAM)
Guided Access
Who locks it
MDM, permanently
The app enters/exits itself (MDM allowlists it)
A human, ad hoc
Supervised required
✅
✅
❌
Survives reboot
✅
App decides
✅ (with passcode)
Use case
Signage, POS, check‑in kiosks
Testing/exam apps, clinical workflows that lock during a task
One-off situations, parents, demos
Managed by Intune
✅ App Lock payload
✅ Restrictions allowlist
❌ (on-device feature)
SAM is the true kiosk: the device boots into one app and physically cannot leave it — no home gesture, no app switcher. The home screen ceases to exist.
ASAM delegates the locking to the app itself. The MDM allowlists bundle IDs that may call the autonomous lock APIs; the app then locks during an exam or signature capture and releases afterward. The app must actually implement ASAM support — check with the vendor.
Guided Access is the consumer feature (triple-click side button). Useful to know about; not a management strategy.
What SAM Implies Operationally
The locked app is the entire user experience — if it crashes to a black screen or needs an update restart, your remote tools are the only way in.
Pair with restrictions that suit a dark-corner appliance: auto-lock disabled, no passcode (plus Block Erase Content and Settings), and a remote restart capability you've tested.
ExitRemove the assignment and let the device sync — the only way out
Single App Mode (App Lock)
Create the profile.Devices > iOS/iPadOS > Configuration > Create > Settings catalog, and name it so the intent is readable in a policy list six months from now (e.g. iOS-AppLock-Lobby-Kiosks).
Add the App Lock category and configure it:
App > Identifier: the bundle ID, e.g. com.yourorg.checkin. Copy it from the Intune app blade rather than typing it — the identifier must match character-for-character, and a typo produces a profile that reports success while locking nothing.
Options: disable what a kiosk shouldn't have — auto-lock, touch can stay on, volume/sleep buttons per use case, disable VoiceOver/Zoom unless accessibility requires them.
Assign to the kiosk device group. Target devices, not users — kiosk fleets enroll without user affinity, so user-group assignments never reach them.
The device locks to the app within moments of the policy applying. Removing the assignment (and the device syncing) is the only exit.
Verification
Watch a pilot device take the policy: within moments of a sync it should snap into the app, with the home gesture and app switcher dead.
Reboot it: the device must boot straight back into the locked app — surviving restarts is the point of SAM.
Prove the exit path before shipping units: remove the pilot device from the assignment group (or unassign the profile), force a sync, and confirm the device returns to a normal home screen. A kiosk you can't unlock in the lab is a kiosk you can't unlock in the field.
Supporting Policies for a Kiosk Fleet
Bundle these in a kiosk-specific restrictions profile:
Setting
Value
Why
Auto-lock
Never (App Lock option)
Signage/check‑in stays awake
Require passcode
No passcode policy assigned
Nobody "unlocks" an appliance
Block Erase Content and Settings
✅
No passcode means Settings must be defanged (also unreachable under SAM, defense in depth)
Block app removal
✅
Belt and suspenders
Autonomous Single App Mode
For exam/clinical apps that lock themselves: Settings catalog > Restrictions > Autonomous Single App Mode Permitted App IDs — add the vendor's bundle ID(s). The app handles enter/exit via its own UI.
Multi-App "Kiosk"
iOS has no true multi-app kiosk. The accepted pattern: no-affinity supervised device + Home Screen Layout (pin the allowed apps) + restrictions hiding everything else (block App Store, Safari if unneeded) + Block app removal. It's a curated device, not a locked one — set expectations accordingly.
Plan the exit before the entrance. Leaving SAM requires the device to receive a policy change — which requires working Wi-Fi and APNs. A kiosk on a captive-portal network that dropped its session is a brick until someone gives it network. Validate connectivity health before assigning App Lock, and keep a bench procedure (wipe via ADE) for the stragglers.
Deploy the app before the lock. If App Lock lands first, the device locks to... nothing useful. Stage assignments: app to the device group, confirm install, then the App Lock policy. For new batches, bake a soak delay into your process.
App updates restart the app. VPP auto-updates apply under SAM, and the app relaunches. For 24/7 signage, that's a brief flicker; for a POS mid-transaction it's a support call. Schedule-sensitive fleets should stage app updates deliberately (pin versions, update in maintenance windows).
A crashed kiosk app = black screen. The device is fine; the app isn't running. The Restart device remote action (supervised) is your first-line fix — wire it into a bulk action script for fleet-wide overnight restarts. Weekly scheduled restarts prevent most of it.
Disable auto-lock, or the whole fleet goes dark on schedule. It's an App Lock option, and the #1 forgotten setting — every display sleeps at the default interval and stays that way until someone touches it. Pair with guided brightness for signage longevity, and remember always-on displays cook batteries — keep units on quality power.
Name devices for humans on the floor.KIOSK-LOBBY-NORTH on a label and in Intune turns "the iPad by the door is frozen" into a 30-second remote restart.
Temporary Sessions vs SAM: if users need to do anything beyond the one app — even occasionally — a Shared iPad with Temporary Sessions may fit better than fighting SAM's absolutism.
When the app drives the lock — ASAM for testing, point-of-sale, and clinical workflows that confine themselves.
Single App Mode locks a device to one app by policy; Autonomous Single App Mode (ASAM) hands the keys to the app itself — a whitelisted app may enter and exit single-app lock programmatically, on its own logic. The difference sounds subtle and changes the use cases entirely.
Applies toSupervised devices — ASAM payloads are ignored elsewhere
RequiresAn app built for ASAM, deployed before the allowlist
Your configuration profile names the bundle IDs permitted to self-lock; the app (built against the relevant API) then locks the device when its workflow demands and releases when done. The device isn't a kiosk — it's a normal supervised iPad that becomes one for the duration of an exam, a transaction, or a procedure.
Where ASAM Is the Right Tool
Assessment and testing: the canonical case — the exam app locks at test start, releases at submission; the device serves the whole class day normally otherwise
Point-of-sale and payment moments: the register app confines during transactions on a device that also runs inventory and email
Clinical and procedure workflows: a charting/procedure app that owns the screen during the sterile window, by its own state machine
The pattern in one line: periodic confinement on a multi-purpose device — versus full kiosk mode for dedicated appliances and Guided Access for ad-hoc human-supervised moments
Prerequisites
Supervised devices (the universal rule) — ASAM payloads are ignored on unsupervised hardware.
The app deployed and installed first — an allowlist entry for an app that isn't on the device grants nothing.
An app actually built for ASAM. The app itself must call the autonomous lock APIs; the app vendor's documentation defines the contract. ASAM only works for apps built for it, so the procurement question "does your app support autonomous single app mode" belongs in the RFP, not the deployment week.
Step-by-Step
Collect the exact bundle ID(s) from the vendor's documentation. The allowlist matches identifiers, not app names — character-exact or it silently does nothing.
Create the profile. The allowlist rides the custom/settings-catalog surface: Settings catalog > Restrictions > Autonomous Single App Mode Permitted App IDs, adding each permitted bundle ID.
Assign to the device group that runs the workflow and let the devices sync.
Verification
Run the app's own lock workflow on a pilot device: start an exam, transaction, or procedure and confirm the device confines itself (home gesture dead, app switcher gone) — then complete the workflow and confirm it releases. The release test matters more than the lock test; an app that locks and never releases is the failure mode you will meet in production.
Insights
Troubleshooting ASAM is mostly state confusion: a device "stuck in kiosk" is usually an app that locked and crashed/never released — force-quit paths and the vendor's release behavior belong in the runbook, and the device-side logs name the locking bundle in seconds.
Audit the allow-list annually like any standing trust list: every bundle ID that may seize the screen is a small standing grant — keep it to the apps that still earn it.
Remotely lock, message, and locate supervised iOS devices.
Lost Mode is the supervised-only remote action that turns a missing device into a locked beacon: a full-screen message with your contact info, all notifications silenced, and — uniquely — location lookup becomes available to IT while the mode is active.
Applies toSupervised corporate devices — no BYOD Lost Mode
RequiresAPNs reachability — the command queues until the device is online
Console pathDevices > select the device > Lost mode > Enable
UnlocksLocation lookup and Lost Mode sound while active — audit-logged
Requirements
Supervised device (ADE) — this is a corporate-device capability; BYOD/user enrollment has no Lost Mode
Device reachable via APNs (online at some point — the command queues)
Enable It
Devices > select the device > ... (or the action bar) > Lost mode > Enable.
Provide:
Message: e.g. "This device belongs to Contoso. Please call IT."
Phone number: tappable from the lock screen
Optional footnote text
The device locks immediately on receipt — whatever the user was doing ends.
While Lost Mode Is Active
Locate device action returns the device's location on a map in the Intune console. Outside Lost Mode, location is not available for standard corporate devices — this is the privacy boundary working as designed (location requests are audit-logged).
Play Lost Mode sound action makes the device emit a persistent tone — couch-cushion recovery.
The device is unusable: no notifications, no apps, just your message.
Disable It
Same device blade > Lost mode > Disable. The device unlocks back to normal (passcode still applies). If the device is gone for good, escalate: Wipe — and handle Activation Lock properly so the hardware remains recoverable.
Insights
Lost Mode is queued via APNs: a powered-off device locks the moment it next comes online. Enable it immediately on report of loss; don't wait to "see if it turns up."
Every Lost Mode and location action lands in Intune Audit logs — your evidence trail for HR/legal.
Train helpdesk that this exists. The median lost-device ticket still gets a wipe as the first response, destroying the locate-and-recover option Lost Mode provides.
Stop Activation Lock from turning returned corporate devices into paperweights.
Activation Lock ties a device to the Apple Account that enabled Find My. Brilliant anti-theft for consumers; for fleets it's the classic failure mode: an employee signs in with a personal Apple ID, leaves the company, and the returned iPhone demands their password at activation. Without a plan, that hardware is scrap.
The Managed Approach (Supervised Devices)
Intune gives you three layers — use all of them:
1. Control who can enable it
Settings catalog > Restrictions > Allow Activation Lock: Block on supervised corporate devices. Users can still use Find My features; the device just doesn't bind to their personal account.
If business needs require Activation Lock (high-theft field environments), prefer device-based Activation Lock managed by the org rather than user Apple IDs.
2. Bypass codes (your get-out-of-jail card)
For supervised devices, Intune automatically escrows an Activation Lock bypass code (device blade > Hardware). At the Activation Lock screen, leave the username blank and enter the bypass code as the password — the lock clears.
3. The Disable Activation Lock remote action
Device blade > Disable Activation Lock consumes the stored bypass code server-side. Run it before wiping a device headed for redeployment or return.
The Decommission Flow That Never Strands Hardware
Retrieve/confirm the bypass code exists (Hardware blade or Graph).
Disable Activation Lock action.
Wipe.
Device activates clean for the next user — or returns to ABM stock.
Do
Block Allow Activation Lock on supervised corporate devices
Confirm the escrowed bypass code exists before any decommission
Run Disable Activation Lock before wiping hardware headed for redeploy or return
Don't
Delete the Intune device object before clearing the lock — the bypass code goes with it
Let personal Apple Accounts bind corporate hardware via Find My
Expect a bypass on unsupervised BYOD — the user's password is the only key
Insights
Bypass codes are single-use — after one bypass, the stored code is spent. Re-supervision generates a new one.
ABM can also release org-owned devices from Activation Lock (device must be in your ABM org) — your fallback when an Intune record was deleted prematurely. Never delete the Intune device object before clearing Activation Lock; the bypass code goes with it.
Unsupervised BYOD: there is no bypass. The user's Apple ID is the only key — which is fine; it's their device. This entire page is about corporate hardware.
Pre-configure apps so they launch ready — settings, accounts, and onboarding pushed from Intune.
App configuration policies push key/value settings into apps that support managed configuration (Apple's NSUserDefaults-based managed app config). It's how Outlook knows the user's address before first launch, how Defender onboards silently, and how LOB apps get their server URLs.
Create either under Apps > Configuration policies > Add.
Building a Managed-Devices Policy
Add > Managed devices, pick platform iOS/iPadOS, select the targeted app (it must already exist in Intune — usually your VPP app).
Settings format:
Configuration designer — friendly key/value editor; Microsoft apps surface known keys.
XML — paste a property list for apps whose vendors hand you raw plist config.
Add keys. Vendor documentation is the source of truth for key names — there is no discovery mechanism; apps read whatever keys they were coded to read.
Token Variables
Values can include Intune variables resolved per device/user at delivery:
On no-affinity devices, user tokens resolve empty — scope user-dependent configs to user-affinity devices.
Verifying It Worked
App config has no user-visible footprint — the app simply behaves configured.
Intune: the policy's Device install status shows delivery.
If the app ignores the config: confirm the bundle ID matches exactly, the app actually supports the keys (vendor docs), and the app was restarted after the policy landed — most apps read managed config at launch only.
Protect corporate data inside apps — with or without device enrollment.
App Protection Policies (APP, colloquially MAM) draw the security boundary around the data inside managed apps rather than the device. They're the reason "we don't manage personal phones" and "corporate data is protected on personal phones" can both be true.
Applies toApps built with the Intune App SDK — all Microsoft 365 mobile apps
RequiresNo enrollment — APP activates at work-account sign-in
Assign toUser groups; the policy follows the user across devices
MonitorApps > Monitor > App protection status
What APP Controls
Data egress: where org data can go — save-as targets, share-sheet destinations, cut/copy/paste boundaries, backup exclusion
Access: PIN/biometric to open the app's work context, work-account requirement
Conditional launch: automatic responses to risk — jailbreak detected → block and wipe org data; offline too long → block; OS too old → warn
Selective wipe: remove org data from the apps, touch nothing personal
It applies to apps built with the Intune App SDK — all Microsoft 365 mobile apps, plus a large supported app list and your own wrapped/SDK-integrated LOB apps.
Enrollment State Targeting
One policy can target, or you can split policies by state:
Assign to user groups — APP follows the user across devices.
APP activates when the user signs into a targeted app with their work account. No enrollment prompt, no Company Portal requirement on iOS (Authenticator handles broker duties where needed).
Pair with the Conditional Access grant Require app protection policy so only protected apps can reach corporate data — details in Conditional Access.
Offboarding: a selective wipe (Apps > App selective wipe) clears org data from a departing user's personal device — the respectful goodbye.
Insight
The most common "APP isn't working" report is a user signed into the app with a personal account. APP governs the work account's data inside the app; multi-identity apps like Outlook keep personal and work contexts separate by design. Check which account the user means before debugging policy.
Pin intranet sites and web apps to the home screen as managed icons.
Web clips put a URL on the home screen with an icon, indistinguishable at a glance from an app. For intranet portals, ticketing systems, ESS/HR pages, and PWAs, a web clip is frequently the right "app deployment" — zero licensing, instant updates, nothing to package.
Console pathApps > All apps > Add > Web link
LicenseNone — zero licensing, instant updates, nothing to package
IconSquare PNG; 512×512 works well
LifecycleManaged — removed at retire/unenrollment
Deploy One
Apps > All apps > Add > app type Web link (under Other).
Configure:
Name — what appears under the icon (keep it short; iOS truncates)
URL — https:// destination
Icon — upload a square PNG (512×512 works well); skip it and you get an unloved default
Full screen: opens without Safari chrome — feels app-like, but no URL bar means no user navigation rescue; best for true web apps
Assign as Required (icon appears automatically) or Available (Company Portal self-service).
Behavior Worth Knowing
Web clips deployed by MDM are managed: they're removed at retire/unenrollment and can be pinned in place with a Home Screen Layout policy.
Authentication uses Safari's engine — with the Enterprise SSO plug-in deployed, Entra-protected sites open already signed in. This combination is what makes web clips feel like real apps.
A PWA-capable site in full-screen mode gets you most of the "native app" feel for the cost of an icon and a URL.
Privately distributing a vendor-built or in-house app to your organization through Apple Business Manager, then deploying it through Intune like any VPP app.
Most iOS apps reach devices one of two ways: public App Store titles, or sideloaded line-of-business IPAs you sign yourself. Custom Apps are a third path. A developer (a vendor or your own team) publishes the app privately to your organization in App Store Connect, and it then appears in your Apps and Books in Apple Business Manager as a licensable, device-assignable app — vetted through App Review, installed through the store, and updated automatically — but invisible to the public. This avoids the enterprise-certificate signing and re-signing lifecycle that sideloaded IPAs require.
How distribution flows
The developer designates your organization (by ABM Organization ID) as the private audience in App Store Connect. Once the app clears App Review, it surfaces in your ABM Apps and Books, you acquire licenses, and the VPP token sync brings it into Intune as an assignable app.
App Store Connectvendor publishes privately to your org
Give the developer your ABM Organization ID. Find it in Apple Business Manager under Settings > Enrollment Information > Organization ID. The developer enters it as the app's private audience in App Store Connect (Pricing and Availability > Distribute on Apple Business Manager / custom app). This audience setting lives entirely on the developer's side — handing over the ID is the whole integration.
Acquire licenses in ABM. Once the app passes App Review it appears in Apps and Books, visible to your organization only. Buy the quantity you need (free apps still require a license "purchase") under the same location whose VPP/content token Intune already holds.
Sync the token in Intune. Go to Tenant administration > Connectors and tokens > Apple VPP Tokens, select the token, and choose Sync (or wait for the scheduled sync). The app and its license count appear under Apps > iOS/iPadOS.
Assign and deploy. Open the app, go to Properties > Assignments, and assign it as Required with device licensing for corporate devices. Updates continue to flow through the store with no re-signing schedule to maintain.
When to use this lane
Vendor-built apps for your organization — an agency-built field app, a white-labeled portal. Custom Apps is the channel Apple intends for this; a vendor offering to "send you an IPA" in current iOS is worth pushing back on.
Your own apps with a store-compatible release cadence — App Review adds a few days but provides the automatic update pipeline and removes the signing-certificate expiry that strands sideloaded apps.
Sideloaded LOB IPAs remain the option for what genuinely cannot go through review — rapid-iteration internal tools and functionality App Review would reject. Treat it as the deliberate exception, not the default.
Operational notes
License management is ordinary VPP: the same license pools and the same reclaim-on-retire hygiene. The usual onboarding failure is that the app never appears in your Apps and Books — almost always because the developer's private-audience setting does not match your ABM Organization ID. It is a developer-side fix; confirm the ID they used against Settings > Enrollment Information in ABM.
Insights
Put Custom Apps into your procurement language: require that "iOS deliverables are distributed via Apple Custom Apps to our ABM Organization ID." One contract line removes every future conversation about enterprise certificates, expiring provisioning profiles, and re-signing.
The OS-level boundary between managed and unmanaged apps on enrolled iOS devices — what it controls, how to set it, and how it composes with App Protection Policies.
iOS classifies every app on an enrolled device as managed (installed or assigned by Intune/MDM) or unmanaged (installed by the user). The managed open-in controls govern whether documents, contacts, and clipboard content can cross that line. This predates App Protection Policies (APP) and still applies on enrolled — especially supervised — devices, so you need to know how the two interact to avoid both gaps and conflicting double-blocks.
Enforced byiOS itself, device-wide (no per-app agent)
RequiresEnrollment; the document/clipboard controls work best on supervised devices
Set inDevices > Configuration > Device restrictions (iOS/iPadOS), or the equivalent Settings Catalog restriction keys
BoundaryWho installed the app (managed vs unmanaged), not user identity
The two restriction settings
In a Device restrictions profile (Devices > Manage devices > Configuration > Create > iOS/iPadOS > Templates > Device restrictions), under Apps:
Require managed apps to share data only with other managed apps (block managed → unmanaged): a corporate document opened in managed Outlook cannot be handed to a user-installed PDF reader. The iOS share sheet simply omits unmanaged destinations.
Require unmanaged apps to share data only with other unmanaged apps (block unmanaged → managed): personal content cannot flow into the corporate context. Enforce this only where ingestion of unvetted content is a real concern; it is the less common of the two.
Supporting controls in the same profile: the managed contacts/calendar boundary (block managed apps from writing contacts to unmanaged accounts), the managed pasteboard (clipboard honors the same managed/unmanaged line), and the AirDrop restriction covered on the AirPlay and Continuity page (treat AirDrop as an unmanaged destination). Together these form a device-level data perimeter defined by which apps Intune installed.
Open-in vs App Protection Policies
The two mechanisms solve different problems and target different fleets:
On corporate supervised fleets, open-in is the inexpensive OS-level floor and APP is the precision layer on top. On BYOD without enrollment, open-in does not apply at all — APP is the only data boundary you have. The common misconfiguration is running both on enrolled devices with rules that disagree, producing reports of "sharing works from Outlook but is blocked from Teams." Keep one written data-flow matrix — which source apps may hand documents to which destination apps — and re-audit both the restriction settings and the APP data-transfer settings against it whenever either changes.
Do
Use open-in as the OS-level floor on supervised fleets and APP as the precision layer
Keep one written data-flow matrix: which source apps may share to which destinations
Audit the open-in restrictions and the APP data-transfer settings together whenever either changes
When triaging a "can't open this document" ticket, first identify which control fired: a missing share-sheet destination is open-in; an in-app block dialog is APP
Don't
Let the OS restrictions and the APP settings disagree — that is the "works in Outlook, blocked in Teams" symptom
Rely on open-in for BYOD — it does not exist without enrollment; APP is the boundary there
Insights
For any "can't open this document" ticket, identify the control before touching policy. A share sheet that is missing destinations is managed open-in. An in-app "your organization does not allow this" dialog is App Protection Policy. The two live in different profiles, so naming which one fired tells you which policy to open.
Define what a healthy iOS device looks like — and what happens when it isn't.
A compliance policy is the contract: devices meeting it are marked compliant, and Conditional Access uses that mark as a gate to corporate resources. Configuration policies set device state; compliance policies judge it.
Devices with no compliance policy assigned: set to Not compliant — otherwise unpoliced devices ride free.
Compliance status validity period: default 30 days; devices that stop checking in fall noncompliant when it lapses.
Monitoring
Devices > Monitor > Noncompliant devices; per-policy per-setting drill-downs show exactly which check failed. The complianceState property is also in our inventory report script.
A compliance policy enforces consequences, but it doesn't tell you which controls to demand in the first place. For that, iOS/iPadOS leans on the same external authorities as the Mac — with one blunt caveat up front: Microsoft does not publish a security baseline for iOS or iPadOS. Microsoft's importable security baselines are Windows-only. There is no "iOS baseline" tile in Intune the way there is for Windows. The authoritative iOS controls come from CIS, Apple Platform Security, and — for the app/data layer — Intune's own App Protection Framework. Treat anyone who tells you "just import the Apple baseline" as someone who hasn't deployed one.
No MS baselineMicrosoft security baselines are Windows-only
CIS Apple iOS/iPadOS Benchmark
CIS ships a benchmark per major release — currently iOS 26 (v1.0.0), iOS 18 (v2.0.0) and iOS 17 (v1.1.0), with matching iPadOS 26 / 18 / 17 documents. Unlike the desktop benchmarks, the iOS document is organized around what an MDM-managed, supervised device can actually enforce — passcode policy, restriction payloads, network and Safari hardening, AirDrop/handoff controls, update behavior. The practical translation: a CIS iOS recommendation almost always maps to either a Settings Catalog/restriction payload you push, or a property your compliance policy on this page checks. Supervision is the dividing line — a large share of the benchmark's higher-value restrictions only apply to supervised (ADE-enrolled) devices, so a BYOD fleet can satisfy far fewer CIS items than a corporate-owned supervised one. Scope your audit claims to your enrollment model.
Apple Platform Security
Where CIS tells you what to set, the Apple Platform Security guide documents why the platform can be trusted — the Secure Enclave, hardware-backed key storage, Data Protection class keys tied to the passcode, Face ID/Touch ID, and the secure boot chain. This is the evidence layer for the controls your compliance policy can't directly toggle: when you require a passcode and block jailbroken devices, you're relying on Apple's hardware enforcement to make those requirements meaningful. Cite it in your control narrative rather than treating "encryption" and "jailbreak detection" as self-evident.
Intune App Protection Framework (the app/data layer)
For unmanaged or BYOD iPhones — and for defense-in-depth on managed ones — the device-level benchmark isn't reachable, so the control surface shifts to the data inside the apps. Microsoft's App Protection Framework (the data-protection configuration framework) is the closest thing to an official iOS hardening baseline, expressed as three escalating levels applied through App Protection Policies:
Level 1 — enterprise basic data protection. The minimum: require an app PIN, encrypt org data, enable selective wipe. Mirrors the defaults when you create an App Protection Policy and replaces basic Exchange Online device-access rules.
Level 2 — enterprise enhanced data protection. The recommended standard for most users handling sensitive data: restricts data transfer to policy-managed apps, blocks backup of org data, sets a minimum OS version. Some user-experience impact.
Level 3 — enterprise high data protection. For high-risk users and sophisticated security teams: tighter PIN complexity (6-digit, no simple PIN), blocks third-party keyboards, adds Mobile Threat Defense via "max allowed threat level," and constrains the dialer. Significant user impact — ring it carefully.
The levels are cumulative (L2 includes L1, L3 includes L2) and Microsoft recommends a QA → Preview → Production ring rollout — the same discipline you'd give any baseline change. App Protection works with or without enrollment, which is exactly why it carries the iOS data-protection story where MDM restrictions can't reach.
Operationalizing It
Set the controls with restriction/Settings Catalog payloads tailored to the CIS iOS benchmark for your OS version — and be honest about supervised vs. BYOD scope.
Judge the state with the compliance policy on this page (passcode, OS floor, jailbreak block, threat level) — configuration sets, compliance judges.
Protect the data with the App Protection Framework level matched to the user's risk tier, gated by Conditional Access.
Re-baseline per major iOS release — CIS reissues the benchmark each year, and the App Protection minimum-OS values track Apple's N-1 support window.
Make compliance mean something — gate corporate access on device and app state.
Conditional Access (CA) is the enforcement engine in Entra ID. Intune supplies device compliance and app protection signals; CA turns them into access decisions. Without CA, a noncompliant device is just a sad dashboard entry.
Intunecompliance & app-protection signals
→
Entra Conditional Accessthe enforcement engine
→
Corporate resourcesOffice 365 and everything behind CA
The classic iOS policy uses "Require one of the selected controls" with both — corporate devices satisfy via compliance, BYOD satisfies via APP, everything else is blocked.
A Sane Starter Policy Set
Block legacy authentication — all users, all apps, legacy auth clients: Block. (Old protocols bypass everything else here.)
Office 365 on iOS requires managed access
Users: all (exclude break-glass accounts)
Apps: Office 365
Conditions > Device platforms: iOS
Grant: require compliant device or app protection policy
MFA everywhere — your standing all-apps MFA/phishing-resistant policy applies to iOS sign-ins automatically; Setup Assistant modern auth during ADE honors it too.
Build in Report-only mode first; review the sign-in log impact for a week before flipping on.
Insights
Always exclude break-glass accounts. A CA policy that locks every admin out of a tenant during an Intune outage is a story you only get to tell once.
The What If tool (Entra > Conditional Access) answers "why is this user blocked" faster than any forum thread.
Sign-in logs (Entra > Sign-in logs > Conditional Access tab per event) show exactly which policy applied, which grant failed, and the device's compliance claim — first stop for any access ticket.
Newly enrolled devices can take a few minutes to present as compliant (first check‑in + Entra registration). The Enterprise SSO plug-in's JIT registration shrinks this window dramatically.
Hardware-rooted trust for iPhones and iPads — the Secure Enclave attestation model and what it ends.
Managed Device Attestation (MDA) first shipped on iOS and iPadOS, and it changes what device identity means in a management system: instead of services trusting what the enrollment record asserts, they verify what the hardware can cryptographically prove.
The Problem It Ends
Classic device identity is assertion: the MDM record claims serial X, the device presents a certificate someone could theoretically exfiltrate, and services trust the paperwork. MDA replaces the paperwork with silicon: the Secure Enclave generates hardware-bound keys (non-exportable by construction), and Apple's attestation servers vouch — cryptographically — that the request comes from a genuine, specific Apple device with the properties it claims. A cloned identity can't complete the handshake; there's no Enclave behind it.
The Mechanics in Brief
The ACME payload (the modern issuance protocol with attestation extensions) carries the flow: the device requests an identity, an Enclave-bound key plus Apple's attestation accompany the request, and the issuing CA enforces certificates only for proven hardware. Those identities then underpin the things that matter — 802.1X, VPN, MDM client identity — with private keys that physically cannot leave the device. SCEP remains the workhorse for the long tail; ACME-with-attestation is where high-assurance identity is heading, and PKI readiness — does your CA speak ACME, and can it consume attestation evidence? — is the gating project to scope first.
Secure Enclavehardware-bound, non-exportable keys
→
Apple attestation serversvouch for genuine, specific hardware
→
Issuing CAcertificates only for proven devices
Two properties worth holding onto when you design around it. First, the attestation speaks to identity and genuineness — this specific, genuine Apple device with these identifiers — which is exactly the claim a stolen or cloned certificate cannot fake. Second, attestation evidence is produced at issuance and renewal, not continuously; its freshness is bounded by your certificate rotation cadence, so pick lifetimes with that trade-off in mind rather than treating the attestation as a live health feed.
Where It Touches Compliance
Attestation-grade signals strengthen the compliance + Conditional Access loop at its root: the difference between "a device claiming to be enrolled iPhone-4821" and "hardware-proven iPhone-4821." As management platforms surface attestation-backed checks, the posture conversation shifts from what the device reports to what the silicon proves — the strongest foundation a compliance signal can stand on, because every downstream decision inherits the quality of the identity underneath it.
Insights
The security-review one-liner that lands: "What stops a stolen device certificate from impersonating a corporate iPhone? On attested identities — physics. The key never existed outside the Secure Enclave." That sentence is the entire ROI.
Diagnosing the most common iOS enrollment failures by symptom.
Work top-down from the symptom. First stop in every case: Intune > Devices > Monitor > Enrollment failures — filter to iOS and check whether the attempt even reached Intune.
"No Remote Management screen" (ADE device sets up like a personal device)
The device isn't being told it's yours. In order:
Is the serial in ABM? Search it in ABM > Devices. Retail-bought devices aren't there until you add them.
Assigned to the right MDM server? The serial must be assigned to your Intune server entry in ABM.
Synced to Intune? Check the token blade's device list; trigger a sync and respect the 15-minute rate limit.
Enrollment profile assigned? A synced serial with no profile still activates unmanaged. Set a default profile on the token.
Device was already activated before the assignment? Wipe it — ABM assignment is evaluated at activation.
"Unable to complete enrollment" during Setup Assistant sign-in
CA blocking enrollment: a Conditional Access policy requiring a compliant device on the enrollment/registration flow is a chicken-and-egg lock. Review sign-in logs for the user; exclude the Intune enrollment cloud apps appropriately.
License missing: user has no Intune license — instant, unhelpful failure.
Enrollment restriction: ADE counts as corporate, but check Enrollment device platform restrictions for OS-version blocks.
MFA method unavailable: Setup Assistant modern auth presents the full Entra sign-in — a user with no registered MFA method and a require-MFA policy stalls here.
An old management profile already exists: Settings > General > VPN & Device Management — remove stale profiles, or wipe.
Time skew: a wildly wrong device clock breaks the TLS chain — set automatically.
Network filtering: see APNs Connectivity for the inspection-breaks-Apple checklist.
Account-driven enrollment dies at the email step
The /.well-known/com.apple.remotemanagement discovery endpoint isn't reachable/valid for the user's UPN domain — curl it from outside your network; expect 200 + correct JSON.
The user's targeted profile type doesn't match the OS (account-driven device enrollment needs iOS 18+).
No Managed Apple Account resolvable: check ABM federation status for the domain.
"Device appears enrolled but gets no policy"
Almost always Entra device registration didn't complete — the Intune object exists, CA sees an unregistered device. Have the user launch Company Portal and sign in (or verify JIT registration / SSO plug-in reached the device), then sync.
When devices stop responding to Intune, it's almost always the push path.
Intune never talks straight to an iPhone. Every action follows the same path: Intune → Apple Push Notification service → device wakes → device checks in to Intune over HTTPS. Break any hop and the fleet looks "dead" while being perfectly healthy.
Intunequeues the command
→
APNswake-up nudge — TCP 5223, fallback 443
→
Devicechecks in to Intune over HTTPS 443
Symptoms That Mean "Check APNs"
Remote actions stuck at Pending fleet-wide
Devices only sync when a user manually opens Company Portal
Everything broke at once across all Apple platforms (the giveaway)
Checklist, in Order
1. The certificate
Devices > Enrollment > Apple tab > Apple MDM Push certificate — status Active, not expired? An expired cert stops everything; renew correctly (same Apple ID!) and devices recover on their own. Automate the watch with the expiry check script.
2. The network path (device side)
Devices need a direct connection to APNs:
TCP 5223 to 17.0.0.0/8 (Apple's block), falling back to TCP 443 on some networks
No TLS/SSL inspection on Apple traffic — APNs uses certificate pinning; an inspecting proxy kills the connection silently. This is the #1 root cause in enterprises.
Captive portals: a kiosk Wi-Fi whose session expired = no push. Use PSK/802.1X networks for unattended fleets.
Test from the device's actual network segment (guest Wi-Fi working proves nothing about the kiosk VLAN).
One device unresponsive while peers are fine: toggle Wi-Fi/airplane mode (forces a new APNs connection), verify the management profile still exists, and as a last resort re-enroll.
What APNs Does Not Carry
Push only carries the "wake up and check in" nudge — policies, apps, and inventory all move over standard HTTPS (443) to Intune. A device that can be nudged but fails to sync has an HTTPS/proxy problem to *.manage.microsoft.com instead, which is a different firewall conversation.
Deep cutsUnified log / sysdiagnoseConsole streaming during a reproduction, or the full archive
Company Portal Logs (first line)
On device: Company Portal > menu > Send Logs (also reachable via Settings > Company Portal > toggle verbose logging first for richer output).
The upload produces an incident ID — that ID lets Microsoft support pull the logs; have users screenshot it into the ticket.
Covers: enrollment flow, sync, Entra registration, app install orchestration as CP sees it.
The Intune Console (second line)
Device blade > Device configuration / Compliance: per-profile, per-setting status with error codes — most "policy didn't apply" answers live here.
Apps > the app > Device install status: VPP failures show distinct errors for no license vs App Store unreachable vs user declined (unsupervised).
Tenant administration > Audit logs: who did what, including remote actions — your evidence trail.
Troubleshooting + support pane: per-user rollup of devices, policies, app installs — the fastest helpdesk view in the product.
Settings on the Device (ground truth)
Settings > General > VPN & Device Management > the management profile shows every payload, restriction, and certificate the device actually has. If the console says delivered and the device disagrees, the device is right — sync and investigate the gap.
Unified Log Streaming and sysdiagnose (deep cuts)
For enrollment cryptography failures, SSO extension behavior, or anything you're escalating to Apple/Microsoft engineering:
Stream the device's unified log during a reproduction. Tether the device over USB to an admin workstation running Apple's Console log viewer, select the device in the sidebar, and stream — filter subsystems for the loud, honest mdmd/profiled messages while you reproduce the failure.
Or capture a sysdiagnose on-device (volume buttons + side button chord, then Settings > Privacy & Analytics > Analytics Data) for the full archive Apple support will ask for anyway — no tethering required.
One streamed Console session during a failing enrollment usually names the actual problem — a profile rejection reason, a TLS failure, an SSO extension crash — in plain text.
What to Put in Every Escalation
Serial number, Intune device ID, UPN, timestamp of the reproduction (with timezone), CP incident ID, and what the device's VPN & Device Management screen showed. That set turns a ping-pong ticket into a one-pass fix.
Why a VPP app silently isn't on the device — the diagnosis ladder.
App installs on iOS fail quietly — usually no user-visible error at all, just an absent icon and a ticket. Work this ladder top to bottom; the culprit is almost always in the first three rungs.
Rung 1Licenses0 available fails silently — the #1 cause
Rung 2StorageUnder ~1–2 GB free, installs and updates fail
Rung 3Token / regionWrong VPP location, country mismatch, failed sync
Rung 4DeliveryOffline, push blocked, or the user tapped Cancel
Rung 5App odditiesStuck updates, expired IPA signing, OS minimum
1. Licenses (the #1 cause)
A VPP app with 0 available licenses fails silently, every time, fleet-wide for new devices. Check the app's license counts in the portal or run the VPP License Report. Fix: raise the quantity in ABM (free apps included), sync the token, installs resume on next check‑in.
2. Storage
Devices under ~1–2 GB free routinely fail app installs and OS updates. The inventory report surfaces FreeStorageGB — under-provisioned 64 GB fleets generate this ticket forever. Short-term: clear space; long-term: buy bigger.
3. Token / region mismatches
The app was licensed under a different VPP location than the token Intune holds — license counts look fine in ABM, Intune sees zero.
Country mismatch: VPP location country ≠ the app's availability in that storefront — the app simply can't be granted.
Device offline / APNs blocked → install command never arrives. One device: toggle network, sync. Many devices: APNs Connectivity.
Unsupervised devices prompt the user to approve App Store installs — "failed" sometimes means "user hit Cancel." Supervised devices install silently; this entire class disappears with ADE.
5. App-specific oddities
Update loops ("installing…" forever): usually a stuck prior install — remove the app assignment for that device's group momentarily or wipe the app via device blade, resync.
LOB (IPA) apps: expired provisioning profile or missing device UDID in an ad-hoc profile — check the app's expiration in Intune and re-sign annually.
OS minimum: the app's deployment target exceeds the device's iOS version — shows as not applicable/failed on stragglers; your update enforcement is the real fix.
Evidence to Collect
Per-app Device install status in the portal (or the status report script) gives state + detail per device; the device-side truth is Settings > General > VPN & Device Management > the management profile > Apps — if Intune says installed and the device disagrees, sync and re-check before deeper surgery.
Payloads that bounce — the triage ladder from delivery to dependency to payload-level rejection.
A configuration profile "not working" is three different failures wearing one symptom: it never arrived, it arrived and was rejected, or it installed and the payload's dependencies are unmet. Walk them in order.
Rung 1Did it arrive?Scope, filters, APNs — then check the device's profile list
Rung 2Was it rejected?Conflicts, supervision gates, malformed payloads, OS mismatch
Rung 3Installed but inertDependencies unmet — certificates, apps, provider extensions
Rung 1 — Did It Arrive?
Targeting and transport first, as always: assignment/filter scope, then APNs and sync health — a device that can't hear commands installs nothing, and that's a connectivity ticket, not a profile ticket. Device-side, Settings > General > VPN & Device Management shows what's actually present; absence after a healthy sync points back at scope.
Rung 2 — Was It Rejected?
The OS validates payloads on install; rejection causes cluster tightly:
Conflicting payloads: two profiles claiming the same exclusive territory (duplicate identifiers, competing single-instance payloads). Give every exclusive setting exactly one profile home — when two claim it, the device resolves by rejection or an arbitrary winner, and both read as "profile failed"
Supervision-gated payloads on unsupervised devices: the payload requires supervision the device lacks; the fix is the enrollment path, not the profile
Malformed custom profiles: hand-built .mobileconfig with schema errors — validate in the lab on a test device before fleet assignment, every time
OS-version mismatches: payload keys newer than the device's OS fail quietly or partially — the annual OS-validation pass exists for this
Rung 3 — Installed but Inert
The profile shows present; the behavior doesn't — almost always a dependency: the Wi-Fi profile whose certificate hasn't issued yet (sequence assignments), the SSO payload waiting on its app, the filter payload whose provider app isn't installed. Map the profile's dependency chain and check each link — the profile is fine; its prerequisites aren't.
Insights
Fleet-level reading beats device archaeology: per-profile deployment status grouped by error, sliced by OS/model/enrollment type — a cohort failing one payload shares an attribute, and the attribute is the answer.
Keep a known-good minimal profile (one harmless restriction) as the probe: if it installs on a problem device, transport and trust are fine and the investigation narrows to the real profile's content in one move.
Devices stuck behind the DDM deadline — eligibility, capacity, connectivity, and the genuinely wedged.
A device sitting behind its DDM software-update enforcement usually isn't broken. Four things cause it, and only the last is a genuine malfunction — so check them in order, cheapest first, before you reach for a device.
EnforcementDDM declarative software update (target version + deadline)
EligibilityDevice must support the target iOS/iPadOS version
HeadroomFree storage for the payload (tight on 64 GB devices)
ConditionsNeeds power + network; installs at idle
1. The deadline hasn't passed yet
A DDM update has a target version and an enforcement deadline. A device inside that window is behaving correctly — it isn't late until the deadline is. Confirm two things before calling anything stuck:
Today vs the deadline. Open the update policy and compare its enforcement date to now. Inside the window = working as designed.
The declaration actually reached the device. Enforcement only applies once the device received the declaration, which needs a successful sync — a device that hasn't checked in hasn't heard the deadline. Work APNs / sync health first.
2. The device can't take the target version
Two hard blockers, both visible in inventory before you touch the device:
Hardware too old. The model doesn't support the target iOS/iPadOS major. Keep a model → last-supported-OS list and treat these as a refresh-planning item, not a ticket.
Not enough storage. The update payload needs free space (commonly several GB); 64 GB devices are the usual offenders. The device inventory report exposes free-storage and model columns so you can pre-sort the fleet and clear space (offload unused apps, clear caches) before the deadline.
3. The conditions for an automatic install are never met
iOS installs updates when the device is on power, on a good network, and idle (typically overnight, charging, on Wi-Fi). When those never coincide the update never starts:
The handset that's never charged overnight — installs have no window.
The cellular-only device avoiding a multi-gigabyte download over a metered link.
The kiosk that's never idle. DDM tightens the prompt as the deadline nears, but if the conditions are structurally absent, fix the conditions (charging habit, Wi-Fi access) — that's not an MDM problem.
4. The update mechanism is genuinely wedged
The small real-failure residue: a download that won't complete, or the update stuck mid-flight. The ladder:
Restart the device — clears most stuck downloads.
Free up storage and retry; a partial download plus a full disk is a common dead end.
Reprovision. On a supervised fleet, Return to Service wipes the device straight back to the current OS and re-enrolls it — for a device that's resisted real effort, that's faster and cleaner than more update surgery.
Read the pattern across the fleet
Before opening individual tickets, look at the shape of the lag — it names the cause: a whole ring lagging points at declaration delivery; a single model at eligibility; a site at network/bandwidth; scattered stragglers at conditions and genuine wedges. Rapid Security Responses follow the same triage on a compressed clock — and a fleet kept current on point releases is what makes that emergency lane work at all.
Insights
Most "stuck update" tickets are categories 1–3 — policy timing, eligibility, or conditions — not failures. Triage the distribution first; only category 4 needs hands on a device.
Twenty-plus vetted open-source projects every iOS admin should know — from Apple's own MDM schema to Graph tooling.
The Apple admin's open-source shelf for iOS & iPadOS — Apple's own MDM schema, the servers that teach the protocol, profile and declaration tooling, device diagnostics, and the cross-platform Intune core that ties it together.
Looking for everything across platforms? Browse the central Open-Source Toolbox — all 144 tools in one filterable, searchable place.
🧰 Intune core & tenant automation
Tenant-wide Graph automation, config-as-code, backup, and assignment analysis.
ugurkocde/IntuneAutomation — Curated library of ready-to-run Microsoft Graph PowerShell scripts (and Azure Automation runbooks) for Intune device operations, app management, compliance reporting, and monitoring.
MG-Cloudflow/Intune-Toolkit — WPF/PowerShell GUI to view and bulk-manage Intune policy and app assignments, audit what a security group has assigned, and back up/restore/document configurations.
Microsoft365DSC/Microsoft365DSC — PowerShell Desired State Configuration module that extracts, deploys, and continuously monitors full-fidelity Microsoft 365 (including Intune, Entra, and CA) tenant config as code, flagging and remediating drift.
Azure/enterprise-azure-policy-as-code — EPAC manages Azure Policy and policy assignments/exemptions as code in Git with CI/CD plan-and-deploy pipelines, giving admins desired-state governance and compliance enforcement at scale.
merill/graphxray — Browser DevTools extension that captures the Microsoft Graph calls behind clicks in the Entra/Intune portals and auto-generates equivalent PowerShell, C#, Java, or Go, so admins can script any portal action.
microsoft/EntraExporter — Microsoft PowerShell module that exports an entire Entra/Azure AD tenant configuration to versionable JSON files for Git-based backup, change tracking, and audit of identity and CA policies.
microsoftgraph/msgraph-bicep-types — Microsoft Graph Bicep extension that lets admins declare Entra/Graph resources (groups, apps, service principals) as Infrastructure-as-Code in Bicep templates alongside Azure resources.
microsoftgraph/msgraph-sdk-python — Microsoft's actively maintained Python SDK for Microsoft Graph, used to script tenant-wide Intune/Entra automation and reporting from Python instead of PowerShell.
DanielChronlund/DCToolbox — PowerShell module for Microsoft 365 security work, with cmdlets to export/import and bulk-deploy Conditional Access policies as JSON for managing CA as code across tenants.
fleetdm/fleet — MIT-licensed open-source cross-platform device management platform built on osquery and Apple's native MDM/DDM, letting admins manage profiles, OS updates, software, and CIS-benchmark compliance from one GitOps/API workflow alongside (or instead of) Intune.
micromdm/nanocmd — Go library and reference server that abstracts Apple MDM v1 commands into reusable workflows, useful for building automated command sequences against NanoMDM for older devices where declarative management isn't available.
cmdmnt/commandment — A full open-source Apple MDM server (Python/TypeScript) for enrolling and managing iOS and macOS devices, useful as a self-hostable reference MDM for labs and protocol study.
petarov/apple-mdm-clients — Java client libraries for Apple's Device Assignment (ABM/ADE/DEP) and legacy App-and-Book (VPP) management APIs, letting admins automate device assignment and license workflows from JVM tooling.
ProfileManifests/ProfileManifests — Community preference-manifest repository for Apple system and third-party app settings that powers ProfileCreator and iMazing Profile Editor, giving admins up-to-date payload keys for building configuration profiles.
🛠️ MDM internals & provisioning
MDM servers, enrollment, Autopilot/ADE, imaging, and profile authoring.
apple/device-management — Apple's official, versioned YAML schema of every MDM command, profile payload, and DDM declaration. The ground truth under every vendor's UI; when documentation disagrees, this repo wins.
micromdm/micromdm — the open-source Apple MDM server; enrollment, commands, and APNs in readable Go
micromdm/nanomdm — its minimalist successor; the protocol with nothing else attached
macadmins/contour — Apple device-management configuration toolkit (Rust) that validates, normalizes, and generates .mobileconfig profiles and DDM JSON declarations against Apple's embedded schema, so admins can author and lint Intune-deployable profiles/declarations offline and in CI.
micromdm/nanodep — Go tools and library (depserver reverse proxy, depsyncer) for talking to Apple's DEP/ADE API, letting admins script Automated Device Enrollment profile assignment and device sync against Apple Business/School Manager.
ProfileCreator/Configuration-Profile-Reference — A version-controlled Markdown mirror of Apple's Configuration Profile Reference, letting admins diff exactly which profile payload keys changed between OS releases (which Apple's docs don't surface).
📦 App packaging & delivery
Build, package, wrap, and ship apps — Win32, PKG, VPP, winget, and CI pipelines.
ennnbeee/IntuneAppAssigner — Interactive PowerShell tool for bulk-assigning or replacing app assignments (including Apple VPP/license assignment) across Android, iOS, macOS, and Windows apps in Intune.
🛡️ Security, hardening & identity
Baselines, hardening, app vetting, Conditional Access, and identity posture.
maester365/maester — PowerShell test-automation framework that runs hundreds of curated security checks (EIDSCA, CISA SCuBA, CIS) against a tenant's identity, device, and app config and alerts on drift via GitHub Actions or Azure DevOps.
cisagov/ScubaGear — CISA's PowerShell tool that assesses a Microsoft 365 tenant against the SCuBA secure-configuration baselines (incl. Entra/CA) using Open Policy Agent and outputs HTML/JSON/CSV compliance reports.
Cloud-Architekt/EntraOps — PowerShell/DevOps project that classifies and monitors privileged access across Entra RBAC systems using Microsoft's Enterprise Access Model, helping admins identify and protect over-privileged identities.
dafthack/MFASweep — PowerShell script that logs a test account into many Microsoft endpoints (Graph, ARM, EWS, web, ActiveSync, ADFS) to reveal protocols and Conditional Access gaps where MFA is not actually enforced.
CompassSecurity/EntraFalcon — Lightweight PowerShell tool that enumerates Entra ID privileged objects, risky role/app assignments and misconfigurations into interactive HTML reports, letting admins audit identity attack surface with no extra modules or Graph consent.
silverhack/monkey365 — Self-contained PowerShell security-assessment framework with 200+ checks for M365, Azure and Entra ID, scoring tenant configuration against CIS and best-practice benchmarks in a single HTML report for admins.
kayasax/EasyPIM — PowerShell module that manages Entra PIM role, group and Azure-resource settings and assignments as code, with drift detection, WhatIf and audit reporting so admins can govern privileged access without raw ARM/Graph calls.
🔬 Diagnostics & device control
Logs, device queries, remote control, and lab / emulation.
doronz88/pymobiledevice3 — the modern Python take; syslog streaming and profile/device queries scriptable in minutes
facebook/idb — automation bridge for simulators and devices; lab-automation muscle
blacktop/ipsw — firmware download/inspection tooling; answers "what's actually in this iOS build"
ninxsoft/LowProfile — Free macOS app that inspects Apple configuration-profile payloads (including signed ones) and flags deprecated or duplicate keys, helping admins debug and validate the .mobileconfig profiles they deploy through Intune.
jessepeterson/mdmb — Simulates fake Apple devices enrolling and checking in with an MDM server, so admins can load-test, protocol-test, and validate their MDM infrastructure without real hardware.
📊 Reporting & monitoring
Dashboards, KQL packs, Power BI, and inventory reporting.
SMSAgentSoftware/IntuneAssignmentsReport — Azure Automation + Power BI reporting solution that pulls all Intune assignments (25+ item types) from Graph into a dashboard so admins can audit what is assigned where.
merill/idPowerToys — Generates a PowerPoint document of a tenant's Conditional Access policies so admins can review, share, and audit CA design without granting portal access.
AzureAD/AzureADAssessment — Microsoft's PowerShell tooling that collects Entra/Azure AD tenant configuration and hybrid component data and produces Power BI assessment reports on identity, app, and Conditional Access posture.
petripaavola/IntuneDeviceDetailsGUI — PowerShell tool that produces searchable HTML 'Resultant Set of Policy' reports for a device, surfacing assigned apps, policy conflicts, Win32 detection scripts, BitLocker keys, and LAPS for fast troubleshooting.
ugurkocde/IntuneMonitoring — Deploy-in-seconds Azure Workbook that gives a single-pane-of-glass view of device health, enrollment, compliance and app deployment across the tenant without an app registration.
ugurkocde/KQL_Intune — Curated library of KQL queries and Azure Workbooks (Audit, Compliance, Device, Operational) for analyzing Intune diagnostic data piped into a Log Analytics workspace.
haavarstein/intune-dashboard — Client-side browser dashboard that inspects a live tenant via Graph (managed devices, app deployments, BitLocker, compliance, Win11 readiness) or visualizes CSV exports with no backend.
JayRHa/PowerBiDashboards — Ready-made Power BI (.pbix) dashboard templates for Microsoft Intune endpoint analytics and device-management reporting.
PowerStacks-BI/BI-for-Intune — Open-source Power BI template collection (Intune KPI, Support Desk, Windows 11 Migration Tracker, Windows Update for Business) for building Intune executive and operational reports.
microsoft/intune-tenant-doc — Microsoft-published PowerShell script that connects to any tenant via read-only Graph and exports a full Intune configuration inventory as per-platform and combined Markdown documentation.
Insights
Adoption rule for anything on this shelf: read the source of what you run before you run it, pin versions, and treat community tooling with tenant write-access like the privileged code it is — repo-versioned, reviewed, least-privilege app registrations.
Android · Fundamentals
Android Enterprise Overview
The management framework underneath everything — work profiles, device owners, and why device admin is dead.
Android Enterprise (AE) is Google's management framework, and it is the only modern way to manage Android. Everything on the Android side of this site assumes it. Five minutes here saves you weeks of confusion later.
The Model in One Paragraph
Android management runs on ownership boundaries enforced by the OS. A device owner (DO) controls an entire device; a profile owner (PO) controls a sealed work profile — an encrypted container with its own apps, data, and badge (the briefcase icon) living alongside an untouched personal side. Intune acts as the management authority through Google's APIs; on modern AE enrollments there's no separate agent doing the policing — the OS itself enforces policy.
Intunemanagement authority
→
Android Enterprisethe management framework
→
Device OSenforces policy natively
Device Admin Is Dead — Don't Look Back
The legacy "device administrator" API was deprecated and gutted: Android 10 removed its core powers, and Google has been dismantling the rest since. Any guide, vendor, or colleague proposing device admin enrollment in the 2020s is handing you technical debt. If you're migrating off device admin, the migration playbook patterns apply — it's a re-enrollment, not a toggle.
The Four (Plus One) Management Modes
Mode
Ownership
Control surface
Personally-owned work profile (BYOD)
User
Work profile only — org never sees personal side
Corporate-owned work profile (COPE)
Org
Work profile fully + limited device-wide guardrails
Fully managed (COBO)
Org
Entire device
Dedicated (COSU / kiosk)
Org
Entire device, no user affinity
AOSP (no Google services)
Org
Reduced surface for GMS-less hardware (rugged/HMD)
The decision tree lives in Choosing a Management Mode — it's the most consequential Android decision you'll make.
Device Identity in Entra ID
Every management mode produces an Entra registered device record — the identity Conditional Access evaluates. What differs per mode is what that record represents and which user (if any) stands behind it. The device identity guide covers the full story; the shape of it:
Mode
Entra identity
What Conditional Access sees
Work profile (BYOD)
Entra registered — the work profile, not the whole device
User + compliant work profile; personal side invisible
COPE
Entra registered, corporate-owned record
User + device compliance from the corporate half
Fully managed
Entra registered, whole device
User + full-device compliance verdict
Dedicated
Entra registered, no user affinity
No user — user-scoped policies never apply; plan exclusions deliberately
The Google Mobile Services Dependency
Android Enterprise (outside AOSP mode) requires Google Mobile Services — Play Store, Play Services, the works. Devices without GMS certification (some imported/budget hardware, most devices sold in mainland China) can't do standard AE enrollment. Check the Android Enterprise Recommended directory when buying; it filters for certified, update-committed hardware.
Operating Assumptions Worth Internalizing
The platform's single point of failure is the Managed Google Play binding — there is no annually expiring certificate to babysit, but losing that binding retires the entire fleet. Put it under change control from day one.
Capability flows from enrollment mode, full stop. There is no post-enrollment trust upgrade or elevation step — the mode a device enrolls into fixes its management ceiling, which is why the mode decision deserves to be written down per fleet before hardware ships.
The OS update story is fragmented and OEM-controlled: each manufacturer and carrier ships updates on its own cadence, so enforcement works through patch-level compliance rather than forced installs — you set a patch floor and let access depend on meeting it.
Privacy separation on work profiles is architectural, not policy — the org cannot see personal apps or data. That's a selling point; lead with it in BYOD comms.
The one-time binding between Intune and Google that everything Android depends on.
Connecting Intune to Managed Google Play (MGP) is the foundational act of Android management: a one-time, roughly five-minute binding between your tenant and Google that every Android Enterprise enrollment profile, every app deployment, and every managed Play store experience depends on. There is no renewal calendar — nothing about the binding expires — but treat it with more ceremony, not less: it is effectively permanent infrastructure, and losing it is a fleet-level event.
Applies toEvery Android Enterprise enrollment and app deployment
RequiresA dedicated Google service account, credentials vaulted
Console pathTenant administration > Connectors and tokens > Managed Google Play
RenewalNone — the binding never expires
Prerequisites
A dedicated Google service account — androidenterprise@yourorg.com or similar, backed by a shared mailbox. Never a personal account and never an individual admin's identity: people leave, and the account that anchors your Android Enterprise must not leave with them.
The account must be a plain Google account not already bound to another Android Enterprise or Google Workspace organization — Google enforces one enterprise per account, and an account with history will either fail to bind or bind to the wrong thing.
Credentials and recovery options vaulted before you bind: password, recovery email, and recovery phone documented, with two named owners. The recovery path is part of the infrastructure, not an afterthought.
An Intune role with rights to Tenant administration (Intune Administrator or Global Administrator) for the console side of the binding.
Step-by-Step: Creating the Binding
Open the connector page. In the Intune admin center: Tenant administration > Connectors and tokens > Managed Google Play.
Grant Microsoft permission to send user and device information to Google — the consent that lets the two management planes talk to each other.
Select Launch Google to connect. Use a private browsing session so a logged-in personal Google identity can't bleed into the binding; sign in with the dedicated service account, name your organization, and accept the agreement.
Confirm the connector shows Active. That status is the whole ceremony — there is nothing to download, nothing to schedule, nothing to renew.
Approve a test app in Managed Google Play, press Sync on the connector page, and confirm the app appears in Intune's app list — that round trip proves the binding end to end. Remember the Sync button: when an approved app "isn't showing up," this is the first click.
What "Losing It" Means
Disconnecting (or deleting the enterprise from the Google side) retires every Android Enterprise device and removes every MGP app from Intune. There is no "reconnect and resume" — it's a fleet rebuild. Accordingly:
Protect the binding
Put the MGP connection under formal change control. Nobody touches Disconnect without a written plan, and the service account's recovery path is tested annually — quietly, by the owners, not during an incident.
Do
Bind with a dedicated service account backed by a shared mailbox
Vault password and recovery options with two named owners
Test the recovery path annually — quietly, not during an incident
Don't
Bind with a personal account or an individual admin's identity
Reuse an account already bound to another enterprise
Touch Disconnect without a written, reviewed plan
Insights
One Intune tenant binds to one Android Enterprise. Multi-tenant consultancies: one service account per customer tenant, clearly labeled in the vault — see the same discipline in Sovereign Clouds and GCC.
Nothing here requires Google Workspace. The service account is free, and MGP app licensing is free — there is no license pool or token lifecycle to manage in the app supply chain, which leaves the binding itself as the only artifact worth guarding.
The decision that determines everything else on Android — work profile, COPE, fully managed, dedicated, or AOSP.
On Android, management mode determines capability — every control surface in this section flows from the mode a device enrolls into, and the mode is fixed at enrollment. Changing your mind means a re-enrollment (and for corporate modes, a factory reset), so make the decision deliberately, per fleet, before the first device ships.
the user owns the hardwarePersonally-owned work profileThe only respectful — and practically available — option for BYOD.
the org owns it and personal use is sanctionedCorporate-owned work profile (COPE)Org authority with a personal space — the take-home phone default.
the org owns it and one user carries itFully managedThe locked-corporate 1:1 device.
no single user — kiosk, shared scanner, signageDedicatedNo user affinity; pairs with kiosk configuration or shared device mode.
the hardware ships without Google servicesAOSP modeReduced management surface; confirm Intune's supported-device list first.
The Decision Tree
Who owns the device?
User owns it → Personally-owned work profile. Full stop — it's the only respectful (and practically available) option for BYOD.
Org owns it → continue.
Is personal use sanctioned?
Yes (take-home phones, field staff) → Corporate-owned work profile (COPE) — org authority with a personal space.
No → continue.
Does one user carry it?
Yes → Fully managed — the locked-corporate 1:1 device.
No Google services on the hardware? → AOSP mode (userless or user-associated) — reduced management surface for rugged/specialty devices; confirm Intune's supported-device list before committing.
Default corporate phones to COPE, not fully managed. Modern COPE (Android 11+) gives the org everything it operationally needs while the privacy separation dramatically reduces user resentment and shadow-IT workarounds. Reserve fully managed for regulated fleets and devices with no personal-use case.
Never enroll BYOD as anything but a work profile. The architectural privacy wall is your legal story and your adoption story.
Decide modes per fleet, in writing, before the first device ships — the enrollment profiles you create next encode this decision into tokens that are painful to walk back.
Managing Android without Google services — what works, what doesn't, and the hardware it exists for.
AOSP mode is Intune's answer for Android devices without Google Mobile Services — rugged handhelds, specialty hardware, and headsets that ship Android the operating system without Android the Google ecosystem. It's a deliberately reduced management model, and knowing the reductions before procurement is the entire game.
Applies toGMS-less rugged, specialty, and headset hardware on Intune's supported list
EnrollmentQR into corporate-owned AOSP modes — user-associated or userless
AppsLine-of-business APKs you host and version — no Managed Google Play
Compliance signalsOS version, encryption, password — no Play Integrity attestation
What's Missing Without GMS
No Google services means no Managed Google Play (apps deploy as line-of-business APKs you host and version), no Play Integrity (compliance leans on OS version, encryption, and password signals instead), and no Google-dependent push plumbing (check‑in behavior differs; plan for polling rhythms).
What Works
Enrollment via QR on supported devices into corporate-owned AOSP modes (user-associated or userless), core restrictions, Wi-Fi and certificate profiles, password policy, encryption enforcement, and LOB app deployment. For its target hardware — scanners, kiosk controllers, headsets on Intune's supported-device list — that set covers the actual requirements.
The Decision Discipline
Check Intune's supported AOSP device list first — AOSP support is device-cooperative, not universal; gray-market GMS-less hardware that isn't listed is unmanageable, full stop.
Prefer GMS-certified hardware when the use case allows — dedicated device mode with Managed Google Play beats AOSP on every operational axis; AOSP is for when GMS genuinely isn't on the device, not a style choice.
Design the app pipeline early: LOB APK hosting, versionCode discipline, and update cadence are your job here — there is no store doing it for you.
Insights
OEM tooling matters double in AOSP land — OEMConfig (where the OEM ships a GMS-less-compatible DPC extension) and vendor update services carry weight that Google services would otherwise carry.
Compliance expectations need recalibrating with your security team up front: an AOSP fleet cannot attest hardware integrity the way Play Integrity fleets can — document the compensating controls (network isolation, app allow-listing) as part of the architecture, not as an audit surprise.
Device Lifecycle and Android Enterprise Recommended
Procurement to retirement — AER, update commitments, and the lifecycle math that keeps an Android fleet healthy.
Android fleet health is decided at purchase time more than at policy time. This page is the lifecycle discipline: what to buy, how long it lives, and how it leaves.
OperateHold the patch lineUpdate policy, monthly patch-age buckets, the EOL ledger
RetireClean exitWipe, FRP release, zero-touch/KME deregistration, record cleanup
Buy: AER and the Update Commitment
Android Enterprise Recommended is Google's certified-hardware directory — devices validated for enterprise deployment with published OS-update and security-patch commitments. The procurement rules that follow:
Patch commitment ≥ your refresh cycle: a device promising 3 years of security updates on a 4-year refresh plan spends a year violating your own patch-floor compliance. Do this arithmetic per model, in the purchase decision.
Verify zero-touch reseller availability for the model and channel — supply-chain enrollment is bought, not retrofitted.
For Samsung fleets, the Knox roadmap (E-FOTA, KSP features) is part of the spec sheet.
Operate: the Mid-Life Rhythm
System update policy holds the patch line; the inventory report's patch-age buckets prove it monthly; and the EOL ledger — a simple table of model → last-patch date → device count — turns "are we exposed" into a lookup. Build the ledger the day the fleet deploys; it's miserable to reconstruct later.
Retire: the Exit Checklist
Wipe appropriate to mode (profile removal vs factory reset)
FRP release for devices leaving the org — resale/recycling with FRP armed creates e-waste and angry buyers
Intune device-object cleanup on the stale-device rhythm
Insights
The lifecycle KPI set: average fleet age, % within patch commitment, % past EOL. Three numbers, charted quarterly, and refresh budgeting becomes evidence instead of negotiation.
A two-model fleet (one rugged, one knowledge-worker) ages better than a six-model zoo — every model is a separate update-commitment clock, OEMConfig schema, and troubleshooting matrix. Standardization is a security control wearing a procurement costume.
What the OEM layer adds on top of Android Enterprise — Knox, rugged-vendor services, and when to pay for them.
Android Enterprise is the platform floor; OEM service layers — Samsung Knox foremost — sell capabilities above it. Knowing what lives in each layer keeps you from buying twice or assuming a feature your hardware doesn't carry.
The Knox Stack, Mapped to Layers
Knox Platform for Enterprise (KPE): the hardware-backed security substrate baked into Samsung devices — much of it surfaced to Intune free via the Knox Service Plugin OEMConfig app: granular USB/radio policy, firmware-adjacent controls, dual-DAR options. If your fleet is Samsung, KSP is table stakes, not an upsell.
Knox E-FOTA: licensed firmware version control — pin, schedule, and stage OS/firmware updates per group, beyond what system update policy expresses. The firmware-control page covers when this is worth money (short answer: validation-gated and frontline fleets).
Knox Manage/Asset Intelligence and friends: Samsung's own EMM/analytics — generally not purchased alongside Intune; know they exist so vendor decks don't confuse the meeting.
The Rugged-Vendor Equivalents
Zebra, Honeywell, and the rugged cohort ship the same shape: an OEMConfig schema exposing device-specific policy (scanner wedges, battery thresholds, boot behavior) plus a licensed firmware-update service (Zebra LifeGuard-class). The evaluation template is identical: free OEMConfig surface first, paid firmware service only where update-pinning is a genuine requirement.
The Decision Discipline
OEM services bind you to the OEM — that's the price under the price. Buy them for capabilities you'd otherwise build badly (firmware staging, hardware-level controls); skip them where standard Android Enterprise already covers the need, and keep the fleet-standardization math straight: every OEM layer adopted is one more reason the next hardware bid has one bidder.
standard Android Enterprise already covers the needSkip the OEM layerEvery layer adopted is one more reason the next hardware bid has one bidder.
your fleet is SamsungKnox Service Plugin — freeKPE controls surfaced via OEMConfig; table stakes, not an upsell.
update-pinning is a genuine requirementLicensed firmware controlKnox E-FOTA or the rugged-vendor equivalent — validation-gated and frontline fleets.
Insights
The KSP schema updates faster than documentation — the Test DPC-style lab habit applies: load the current schema on a bench device quarterly and skim what's new; Samsung ships admin-relevant controls mid-cycle that never get a blog post.
Workspace ONE, MaaS360, SOTI, and friends — the Android-specific mechanics of switching EMMs.
The DA-to-AE migration covers the legacy-mode move; this page covers the vendor move — an Android Enterprise fleet leaving Workspace ONE, MaaS360, SOTI, or another EMM for Intune. The universal choreography applies; these are the Android-specific facts that decide the plan.
The Mechanics That Shape Everything
One DPC per device: Android Enterprise binds the device to its EMM's device policy controller — there's no coexistence. Corporate-owned modes (fully managed/dedicated) migrate by factory reset + re-provisioning; work profiles migrate by profile removal + re-enrollment, personal side untouched.
The enrollment plumbing re-points, devices don't: zero-touch and KME configurations switch their default EMM to Intune in minutes — which flips future boots, while existing devices still need their reset wave. Re-point plumbing first so every reset lands in the new world.
Managed Google Play follows the binding: your MGP enterprise ties to the EMM connection — app approvals, private apps, and track configurations get re-established on the Intune side. Private-app ownership (the Play Console developer account) is the artifact to secure before the old EMM contract ends; orphaned publisher accounts are the classic migration hostage.
BYOD first (cheapest re-enrollment), knowledge-worker corporate second, frontline/dedicated last with spare-pool buffering — and Conditional Access gated on Android compliance as the deadline once the new world is proven. Track the only KPI that matters: old-EMM device count → zero, dated.
Wave 1BYOD work profilesCheapest re-enrollment, fastest wins
Wave 2Corporate knowledge workersCloud-synced data; reset and re-provision
Wave 3Frontline and dedicatedSpare-pool buffering protects operations
GateConditional Access deadlineCompliance-gated access converts the stragglers
Insights
Run both consoles in parallel longer than feels tidy: the old EMM is your rollback and your inventory-of-record until the last wave lands — decommissioning it to save a month of licensing while 400 devices remain is the false economy every migration post-mortem features.
Do
Re-point zero-touch/KME to Intune before the reset waves
Secure the Play Console publisher account before the old contract ends
Keep the old console alive until the last wave lands
Don't
Import old profiles wholesale — audit and rebuild from intent
Decommission the old EMM while devices remain on it
What each management mode writes into Entra ID, which app does the writing, and why Conditional Access lives or dies by that record.
Every Android enrollment produces two records: a device object in Intune (the management record) and a device object in Microsoft Entra ID (the identity record Conditional Access consults). Most "compliant device, blocked sign-in" mysteries are a disagreement between the two — know what each management mode writes, which app writes it, and how the records age.
One Identity Type: Microsoft Entra Registered
Android produces exactly one kind of Entra device identity: Microsoft Entra registered (Graph exposes it as trustType: Workplace). Registration happens during enrollment and provisions a client certificate; presented by a broker app — or via a certificate prompt on the first browser sign-in — it's how Entra recognizes which device record a sign-in comes from. The record carries the device ID, an enabled/disabled flag, the isCompliant bit Intune stamps, and the activity timestamp staleness cleanup keys on.
Microsoft Authenticator, via its shared-mode managed configuration
A shared device that rotating workers sign in and out of
User-less AOSP enrollments follow the dedicated pattern: a device record, no user affinity, device-group targeting downstream.
The Three Apps and Their Jobs
Company Portal is the BYOD agent: enrollment and Entra registration for personally-owned work profiles. On corporate-owned devices it still installs, but launching it redirects to the Intune app and its icon hides — its job there is brokering Conditional Access, not UI.
Microsoft Intune app is the corporate-owned front end (fully managed and corporate-owned work profile): the setup-time sign-in that completes registration, plus the compliance and remediation screens those users see.
Microsoft Authenticator is the broker — auto-installed and non-removable on corporate-owned modes, and on Shared Device Mode fleets the component that performs the shared device registration itself.
All three arrive on purpose
Corporate-owned provisioning installs the Intune app, Authenticator, and Company Portal as required apps — the trio that makes Conditional Access work. Don't spend a change request trying to strip the "extra" ones.
How Compliance and Conditional Access Bind to the Record
The chain: the compliance policy evaluates → Intune reports the verdict to both its own record and the Entra device object → a Conditional Access policy with Require device to be marked as compliant reads it at sign-in, after authentication. Two consequences. Conditional Access only credits a device it can recognize: if the sign-in can't present the registration (broker missing, certificate gone, wrong profile), a perfectly compliant device still gets blocked. And the verdict is the last reported state — a device inside its noncompliance grace period still evaluates as compliant.
Compliance policyevaluates the device
→
Entra device recordisCompliant stamped by Intune
→
Conditional Accessgrants or blocks the session
On work-profile devices the registration artifacts live inside the work profile: badged apps and browsers can prove device identity, personal-side apps cannot. That's the privacy boundary doing its job — "works in badged apps, blocked in the personal browser" is expected behavior, not a defect.
User-Less Identity and Why Conditional Access Misses It
Conditional Access evaluates at user sign-in. A standard dedicated device has no user affinity, which cuts both ways: user-targeted policies never evaluate for that hardware, and users can't sign in to CA-protected resources from it at all — even when the device is compliant. So target compliance at device groups, watch fleet health through inventory monitoring, and where rotating humans genuinely sign in, enroll with Entra Shared Device Mode — the signed-in worker is then evaluated normally, and the compliant-device grant works in SDM-aware apps.
Duplicates, Stale Records, and Safe Cleanup
A factory reset destroys the registration certificate with everything else, so a re-provisioned device cannot reclaim its old identity: re-enrollment mints a fresh Intune record and a fresh Entra record while the old pair goes stale. The same happens when a BYOD user removes and re-creates the work profile. Every re-enrollment leaves a corpse — duplicates that confuse the helpdesk, skew dynamic groups, and carry frozen compliance state.
Identify the live record first. Last check‑in in Intune and the activity timestamp (ApproximateLastSignInDateTime) on the Entra object separate the active record from its ancestors. Duplicate names are the confusion; timestamps are the truth.
Clean the Intune side before the Entra side. Deleting a genuinely stale Intune record is safe — no live device answers to it. But check timestamps twice: on corporate-owned Android, deleting an active record issues a wipe to a device that is still listening.
Disable, wait, then delete in Entra. Disable the stale object, leave a grace period for false positives, then delete. Deletion is unrecoverable, and deleting an Entra record never un-registers a live client — order matters.
When Conditional Access blocks a "compliant" device, compare device IDs before touching policy: the sign-in log names the record the token presented; Intune names the record it stamped. If they differ, it's a stale or duplicate registration — re-enroll cleanly rather than loosening the policy.
Build the stale-record cleanup job the same week you turn on device-based Conditional Access: enforcement raises the cost of every stale record, because stale registrations are exactly what sign-ins trip over.
On BYOD, identity follows the work profile, not the hardware. A user who removes and re-adds the profile is a brand-new device to Entra — access re-gates through compliance automatically, the model working as designed.
Personally-owned work profile — the only right answer for user-owned Android.
The personally-owned work profile is Android's BYOD story, and it's a good one: a sealed corporate container on the user's own device, created in about three minutes, with privacy separation the OS enforces rather than promises.
Applies toUser-owned devices — the only BYOD enrollment
RequiresManaged Google Play connected; GMS-certified device on a supported OS
Enrollment appIntune Company Portal from the public Play Store
Wipe scopeWork profile only — the device itself is never reset
Devices > Android > Enrollment: personally-owned work profile enrollment allowed (it's the default; enrollment restrictions can scope who may use it)
A GMS-certified device on a supported Android version
The User Flow
User installs Intune Company Portal from the public Play Store and signs in with their work account.
Company Portal walks them through work profile creation — the OS builds the container; takes a minute.
Done. Badged (briefcase) copies of work apps appear; the managed Play store inside the profile offers your Available apps; compliance evaluates and Conditional Access opens the door.
What the Org Controls — and Provably Can't See
Org can
Org cannot
Everything inside the work profile: apps, config, Wi-Fi/VPN/cert profiles scoped to the profile, profile passcode
See personal apps, photos, messages, browsing
Wipe the work profile ("Retire"/"Wipe" both remove only the container)
Put that table in your enrollment comms verbatim. Work profile adoption fights are almost always perception fights, and the architecture is on your side.
Insights
The personal side's Play Store keeps working normally; only the badged store is curated. Users who "can't find the app" are usually in the wrong store — teach the briefcase badge on day one.
Pair with App Protection Policies for defense-in-depth on the data layer — APP travels with the apps even here.
A user can remove the work profile anytime (it's their device) — which simply removes corporate access and data. That's the model working, not a gap: access is re-gated by Conditional Access the moment the profile dies.
Org-owned devices with a personal space — the modern default for take-home corporate phones.
COPE is the grown-up middle path: the org owns the device and holds real authority, the user gets a genuinely private personal profile, and Android 11+ enforces the boundary architecturally. For corporate phones that ride home in pockets, this should be your default.
Applies toOrg-owned take-home devices with sanctioned personal use
RequiresFactory-fresh device — Android 11+ enforces the boundary
Console pathDevices > Android > Enrollment > Corporate-owned devices with work profile
EnrollmentToken + QR, or zero-touch/KME at scale
How Modern COPE Works
Since Android 11, COPE means: Intune fully manages the work profile and holds a device-wide guardrail set (security baseline, FRP, update policy, a curated list of device-level restrictions) — but cannot inventory or inspect the personal profile. The org's reach is real but bounded, and the bound is OS-enforced.
Personal-side guardrails you do get: block/allow lists for the personal Play store (e.g., block sideloading-adjacent risk apps device-wide), camera/screenshot controls where justified, and personal-app installation policy. Use them sparingly — every personal-side restriction spends goodwill.
Enrollment
Devices > Android > Enrollment > Corporate-owned devices with work profile → create a profile; it generates a token + QR code.
On a factory-fresh device: tap the welcome screen six times → scan the QR (or type afw#setup at Google sign-in and follow into the token) → device provisions, work profile lands, user signs in.
At scale, skip the taps entirely: zero-touch or Samsung KME pre-stage the enrollment so the box-open experience is sign-in-and-go.
Factory reset required
All corporate-owned modes (COPE, fully managed, dedicated) can only be established during device setup. An in-use device must be wiped to cross over — plan fleet conversions as migration waves.
Insights
Wipe semantics: corporate actions can reset the whole device (it's org property) — but day-to-day "remove corporate data" operations target the work profile. Document both for the helpdesk.
COPE + Managed Google Play + a sane restrictions baseline covers 90% of corporate phone fleets; resist escalating to fully managed because one stakeholder wants to "see everything" — what they want is usually compliance reporting, which COPE provides.
Whole-device corporate control for single-user devices — COBO, the locked-down 1:1.
Fully managed is total device ownership: one corporate user, no personal profile, every setting yours. It's the right call for regulated environments, devices handling sensitive workloads, and anywhere the personal-use answer is a flat no.
Applies toOrg-owned 1:1 devices — one corporate user, no personal profile
EnrollmentSix-tap QR, afw#setup, or zero-touch/KME at scale
Account modelManaged Google Play accounts — no personal Google identities
Enrollment Paths (Pick by Scale)
QR code — factory-fresh device, tap the welcome screen six times, camera opens, scan the QR from your enrollment profile (Devices > Android > Enrollment > Corporate-owned, fully managed). The bench-tech workhorse.
afw#setup — at the Google sign-in step of setup, enter afw#setup as the account; it pulls the Android Device Policy flow and asks for the QR/token anyway. Useful when the six-tap gesture is awkward (no camera, odd OEM skin).
Zero-touch / Samsung KME — the device enrolls itself out of the box, enforced and wipe-persistent. The only sane path past a few dozen devices.
OEMConfig reaches deepest here — Samsung Knox Service Plugin and friends assume whole-device authority.
Insights
Fully managed devices use Managed Google Play accounts under the hood — users don't need (and shouldn't add) personal Google accounts; restrictions can block account modification to keep it that way, which also keeps FRP deterministic.
The user-experience tax is real: no personal space means users carry two phones or resent the one. If you're deploying fully managed and hearing "can I just put Spotify on it," the honest answer was COPE.
COSU — user-less corporate devices for kiosks, scanners, signage, and frontline fleets.
Dedicated devices (Google's COSU — corporate-owned, single-use) are Android's appliance mode: no user affinity, devices enrolled as equipment rather than as someone's phone, purpose-built for kiosks, warehouse scanners, point-of-sale, signage, and shared frontline hardware.
Applies toKiosks, scanners, point-of-sale, signage — equipment, not phones
Token typesStandard, or with Microsoft Entra Shared Mode for sign-in/out fleets
User affinityNone — no user signs in during enrollment
Enrollment
Devices > Android > Enrollment > Corporate-owned dedicated devices → create the profile. Decide token validity deliberately (long-lived tokens suit rolling deployments; treat the QR like a credential either way).
Choose the token type: standard dedicated, or with Microsoft Entra Shared Mode if humans will sign in and out (Shared Device Mode explains when).
Provision factory-fresh via six-tap QR, or — at fleet scale — zero-touch/KME with this profile's token embedded.
No user signs in during enrollment; the device belongs to a function, not a person.
Then Make It Do Its Job
A dedicated enrollment is just the chassis. The behavior comes from:
Device restrictions tuned for appliances: status bar, volume/power button behavior, safe-boot block, factory-reset block.
OEMConfig for the rugged fleet: scanner wedge settings on Zebra/Honeywell, Knox controls on Samsung.
System update policy with maintenance windows so the kiosk doesn't reboot at noon.
Insights
Group dedicated devices by function from day one — KIOSK-LOBBY, SCAN-DC01 — via enrollment-profile-based dynamic groups (the enrollmentProfileName trick works identically on Android). Every assignment downstream gets simpler.
Devices with no user have no one to notice problems: build Graph-based monitoring for last-check‑in and battery/storage anomalies before the fleet ships, not after the first dead-kiosk weekend.
Sequence enrollment → app install → kiosk lockdown when imaging: locking the launcher before the kiosk app lands strands the device in an empty cage. The Managed Home Screen page covers the ordering.
Supply-chain enrollment for Android — ship sealed boxes that enroll themselves, with wipe-persistent management.
Google zero-touch enrollment and Samsung Knox Mobile Enrollment (KME) are Android's supply-chain enrollment programs: devices registered at the reseller level enroll automatically at first boot — and re-enroll after every factory reset, which is the property that makes corporate management genuinely sticky. Past a few dozen devices, this is the only enrollment approach that scales.
RegisterReseller uploads devicesIMEI/serial registered to your portal account at purchase
ConfigureDefault configurationDPC extras carry the Intune enrollment token
First bootSelf-enrollmentDevice discovers its assignment and provisions into Intune
Every resetRe-enrollmentWipe-persistent — management survives factory reset
Prerequisites
A fully managed, COPE, or dedicated enrollment profile already created in Intune — supply-chain enrollment delivers devices into one of these modes; it doesn't replace them.
Devices purchased through a participating reseller or carrier that can register them to your account — confirm participation at procurement time, not after delivery.
Access to the relevant portal: the zero-touch portal (partner.android.com/zerotouch) and/or the Samsung Knox portal.
Step-by-Step: Zero-Touch (All Modern Android)
Get devices registered. A participating reseller/carrier registers your purchases into the zero-touch portal at the supply-chain level, keyed by IMEI/serial. Registration is a purchasing-channel feature — write it into the procurement contract so it happens automatically on every order.
Create a configuration in the portal. The DPC is Android Device Policy, and the DPC extras JSON carries your Intune enrollment token (from the fully managed, COPE, or dedicated profile). Intune's enrollment profile page surfaces the exact JSON to paste — don't hand-build it.
Set it as the default configuration so newly registered devices map automatically. First boot on network → device discovers its assignment → provisions straight into Intune. Sealed-box shipping to end users becomes routine.
You can link the zero-touch portal inside Intune (Android enrollment > zero-touch) to manage configurations without leaving the admin center.
Samsung KME
Same concept, Samsung's pipeline: devices land in the Knox portal via Samsung-authorized resellers; profiles carry the Intune enrollment payload. Two Samsung-specific superpowers:
The Knox Deployment App can capture retail-purchased Samsung devices into KME via Bluetooth/NFC — your escape hatch when devices weren't bought through a registered channel, and the capture path carries no purchase-window deadline.
KME pairs naturally with Knox Service Plugin for deep Samsung control post-enrollment.
Samsung-heavy fleets often run KME for Samsung and zero-touch for everything else — both can coexist pointing at the same Intune enrollment profiles. Keep the profile content identical across the two portals so every box lands in the same world; the KME deep dive covers the divergences.
Verification
Factory-reset a registered lab device and watch first boot: it should announce management during setup and provision into the intended mode with no human decisions along the way.
Reset it again to confirm wipe-persistence — it must come back enrolled. If it boots into a normal consumer setup instead, the device isn't registered or no default configuration matched it.
Insights
Wipe-persistence is the point. A stolen or wiped device boots straight back into forced enrollment — pair it with FRP configuration and the resale value of stolen corporate hardware approaches zero.
Get device registration written into the procurement contract — "all Android devices registered to our zero-touch/KME account before shipment." Retrofitting registration across an already-deployed fleet is misery.
Test the unhappy path in the lab: wrong default config, expired token in a config, device sold before deregistration. Each is a five-minute fix when rehearsed and a field incident when not.
Controlling who enrolls what — platform gates, mode gates, ownership gates, and device limits.
Enrollment restrictions are the bouncer at the door: they decide which devices, users, and management modes get in at all. Unconfigured, every licensed user can enroll personal devices into a work profile — which is either your BYOD program or your shadow-IT surface, depending on whether you decided it.
Block/allow Android Enterprise work profile — the BYOD on/off switch per population
Minimum/maximum OS version — keep museum-piece Androids out at the door rather than catching them in compliance later
Block personally owned devices — for the corporate-only crowd; pairs with corporate identifiers so your devices still pass
Manufacturer allow-listing where the fleet standard is contractual
Device limit restrictions — devices per user (default 5; right-size it). Frontline users hitting the limit during device swaps is a classic ticket; so is one user quietly enrolling nine.
Priority matters: restrictions evaluate top-down per user's group membership — keep the list short and the priorities documented, exactly the discipline you'd apply to Conditional Access hygiene.
Corporate Identifiers
Pre-registering serials/IMEIs as corporate identifiers lets a "block personal" posture coexist with corporate enrollment paths that look user-driven — the device matches the list, gets stamped corporate, and passes. Zero-touch and KME devices are inherently corporate; identifiers cover the procurement long tail.
What Restrictions Don't Do
They gate enrollment, not access — an unenrolled device still hits your apps until Conditional Access requires a compliant device or App Protection wraps the data. The complete posture is restrictions (who may enroll) + CA (what unenrolled gets) + APP (data control either way). One without the others is a fence with two open sides.
Enrollment restrictionswho may enroll what
→
Conditional Accesswhat unenrolled devices get
→
App Protectiondata control either way
Insights
Audit quarterly: the enrollment report's mode split against intent. Work-profile enrollments in a "fully managed only" org means a restriction priority is leaking — find it before the fleet forks.
Restriction changes are forward-looking — they don't evict already-enrolled devices; pair policy changes with a bulk-action cleanup of the now-out-of-policy stock.
What the user actually sees creating a work profile — and the communications that cut tickets in half.
Work profile covers the architecture; this page covers the human: the screens, the consent moments, and the messaging that decides whether your BYOD launch generates adoption or a helpdesk queue.
1Company Portal + sign-inFrom the public store; MFA and terms via Conditional Access
2Profile consentAndroid's own screens; the container builds in ~1–2 minutes
3Badged apps appearWork tab populates; personal side visibly untouched
4Compliance, then accessUnder ten minutes total on healthy Wi-Fi
The Flow, Screen by Screen
Company Portal from public Google Play (their personal store) → sign in with Entra credentials → Conditional Access does its dance (MFA, terms).
Work profile creation consent — Android's own OS screens explain the container; the user accepts and the profile builds (~1–2 minutes).
Badged apps appear: the work-badge versions of Play, Outlook, Teams populate the work tab/folder. Personal side: visibly untouched.
Compliance evaluates; access flows. Total: under ten minutes on healthy Wi-Fi.
The Three Questions Every User Has (Answer Them First)
"Can IT see my stuff?" No — and say it with the architecture, not policy promises: the work profile is a sealed container; the organization manages inside it and is structurally blind to your personal apps, photos, and messages. This single paragraph is the highest-ROI sentence in your comms.
"What happens if I leave?" The work profile is removed; the phone and everything personal stays exactly as-is. (What "wipe" means per mode — for BYOD, it means the container only.)
"What's the battery/storage cost?" Modest and bounded — the honest answer that pre-empts the forum thread.
Launch Mechanics That Work
A one-page visual guide (six screenshots, the three answers above) linked from the CA block screen — users hit the wall and the wall hands them the door.
Pilot with the vocal skeptics, not the friendly early adopters: their converted testimony is the launch asset.
Watch enrollment failures daily for week one — early failure patterns (OS minimums, restriction collisions, personal-account edge cases) are launch-tuning data.
Insights
The work profile's visibility is its adoption superpower — users can see the wall (two app instances, the badge, the profile pause toggle). Teach the pause feature proactively: "evenings off" being user-controlled converts the privacy conversation from suspicion to feature.
Track adoption as % of eligible users, not raw enrollments — and let the APP-only tier exist for the refusers; access tiers beat mandates for personal devices.
Retiring the legacy DA estate — wave planning, re-enrollment mechanics, and the data users keep (or don't).
Legacy device administrator management is dead platform walking — gutted since Android 10, incompatible with the modern feature set, and every quarter it lingers the migration gets harder. The move to Android Enterprise is a re-enrollment project, and re-enrollment projects are won with wave logistics.
Step 1Inventory and segmentSplit the DA population by ownership; map each segment to a target mode
Step 2Build the AE targetMGP, policies, apps, compliance — finished before anyone moves
Step 3Wave by re-enrollment costBYOD first, knowledge workers second, frontline last
Step 4Force the stragglersA dated Conditional Access policy sets the deadline
The Hard Truth First
There is no in-place conversion. A DA-managed device becomes AE-managed by unenrolling and re-enrolling into its target mode — and for corporate-owned modes (fully managed/dedicated) that means a factory reset with provisioning from setup. BYOD-pattern devices have it gentler: DA removal + work profile enrollment preserves the personal device intact. Set expectations accordingly; sugar-coating this is how migrations stall at 60%.
The Playbook
Inventory and segment — the Android inventory report splits the DA population by ownership and user; each segment maps to a target mode (DA-on-personal → work profile; DA-on-corporate → fully managed via zero-touch registration where the hardware supports it).
Build the AE target first — MGP connected, policies and apps staged, compliance ready. Migrating into an unfinished destination doubles the pain.
Wave by re-enrollment cost: BYOD-pattern first (lowest friction, fastest wins), corporate knowledge-worker devices second (data primarily cloud-synced — Outlook/Teams/Drive re-sign-in covers it), frontline/dedicated last with bench or self-service KME flows.
Force the stragglers with Conditional Access, the universal migration lever: a dated CA policy requiring AE-compliant enrollment converts "when I get around to it" into a calendar.
Data Reality Check
Corporate-owned resets lose local-only data — which modern fleets shouldn't have, but verify: photos outside synced storage, app data without cloud backing, authenticator apps (pre-stage the Authenticator migration explicitly or the helpdesk learns about TOTP re-registration at scale).
Do
Build the AE destination completely before the first wave moves
Pre-stage the Authenticator migration explicitly
Measure weekly — DA count trending to zero is the KPI
Don't
Promise an in-place conversion — there isn't one
Sugar-coat the factory reset corporate-owned modes require
Port DA configs verbatim instead of re-expressing them in AE policy
Insights
The DA estate's config doesn't port — it gets re-expressed in AE policy, which is the audit opportunity: most DA configs accumulated a decade of contradictions that the restrictions rebuild forces you to resolve.
Measure weekly: DA count trending to zero is the only KPI; everything else is commentary.
What's actually inside the enrollment QR — the provisioning extras that pre-stage Wi-Fi, settings, and behavior.
The QR enrollment flow scans a code and devices provision; this page is what's in the code — because the provisioning payload is configurable, and the right extras turn a fiddly bench process into tap-and-walk-away.
FormatJSON provisioning document, consumed at device setup
Trust anchorDPC component name + download URL + signature checksum
BindingEnrollment token — your tenant and management mode
TransportsQR scan or NFC bump — same payload
The Payload Anatomy
The QR encodes a JSON provisioning document the factory-reset device consumes at setup: the DPC identity (component name + download URL + signature checksum — the trust anchor that makes a QR safe to scan), the enrollment token binding the device to your tenant and mode, and the provisioning extras — the operationally interesting part:
Embedded Wi-Fi (SSID/auth): the device joins the provisioning network from the QR, no thumb-typing PSKs on a bench of forty units — the single highest-ROI extra
Locale, time zone, and setup behavior flags: skip the panes your fleet design already answers; system-app enablement posture per the system-apps decision
Mobile-data / activation options where the flow supports cellular-first provisioning
Zero-touch configurations carry the same extras server-side — the QR is the local expression of the same provisioning contract, which is why the bench QR and the supply-chain config should be maintained as one documented artifact, not two drifting ones.
Operating Notes
Version the payload in the repo like the production config it is; regenerate QRs on change rather than hand-editing JSON into posters
Provisioning-network hygiene: the embedded Wi-Fi is a credential printed on paper — use a dedicated provisioning SSID with bounded reach, rotate it on schedule, and treat lobby-taped QR posters as the secret-disclosure they are
NFC provisioning rides the same payload for the bump-to-provision pattern where hardware supports it — same JSON, different transport
Insights
The triage value is real: when enrollment fails at provisioning, decode the QR (it's just JSON) and check the three trust fields first — a stale DPC checksum after a Company Portal update explains a whole bench of failures in one look.
Knox Mobile Enrollment beyond the basics — reseller flows, profile design, and where it diverges from zero-touch.
The zero-touch and KME overview establishes supply-chain enrollment; Samsung-heavy fleets deserve the KME specifics, because the program has its own console, its own reseller mechanics, and a few behaviors zero-touch doesn't share.
Step 1Reseller uploadSamsung-authorized reseller registers IMEIs/serials to your KME tenant
Step 2MDM profileKnox console profile carries the Intune DPC identity and provisioning extras
Step 3First bootDevice calls Samsung's enrollment service and provisions — wipe-proof
The Pipeline
Reseller participation: devices enter KME via a Samsung-authorized reseller uploading IMEIs/serials to your KME tenant — the procurement-time decision that, like all supply-chain enrollment, is bought rather than retrofitted. Direct manual addition exists (the Knox Deployment App's bump/Bluetooth capture) for the long tail, with device-count realities that make it a bench tool, not a strategy.
The MDM profile: your KME console profile carries the Intune DPC identity, enrollment endpoint, and the provisioning-extras payload — keep it content-identical to your zero-touch config so a Samsung box and a Pixel box land in the same world.
First boot: the device phones Samsung's enrollment service, receives the profile, and provisions into the assigned mode — wipe-proof, like zero-touch: a factory reset re-enrolls, which is the theft-deterrence and FRP story's supply-chain anchor.
KME vs Zero-Touch, Honestly
Samsung devices generally support both; pick one per fleet and document it. KME's distinctives: Samsung-only but reseller coverage runs deep in carrier channels where zero-touch resellers are thin; the Deployment App capture path covers devices bought outside participating channels; and KME profiles sit adjacent to the rest of the Knox console family (E-FOTA, KSP licensing) — one vendor portal if you're deep in the ecosystem. Mixed-OEM fleets usually standardize on zero-touch where possible and run KME for the Samsung-carrier-channel remainder — fine, as long as the profile content is one artifact.
the fleet is Samsung, bought through carrier channelsKMEReseller coverage runs deep where zero-touch is thin; Deployment App capture covers the long tail.
the fleet mixes OEMsZero-touch firstRun KME only for the Samsung carrier remainder — and keep profile content one artifact.
Insights
The classic KME mystery — "new devices aren't enrolling" — is almost always uploaded-but-unassigned: the reseller delivered IMEIs to your KME tenant, nobody assigned the MDM profile to the batch. One console screen, checked on every PO receipt, deletes the ticket class.
The Android restrictions surface — per-mode profiles, the cross-profile boundary, and a baseline worth stealing.
Android restrictions come in two distinct profile types matching the management modes — and applying the wrong type to the wrong fleet is the most common Android configuration mistake on record.
Leave camera/Bluetooth alone unless a regulation says otherwise — blanket blocks generate workarounds, not security
Document the why per setting in the profile description — six months from now, "who set this and what breaks if we relax it" should be answerable from the profile itself. The Android hardening baseline applies the same discipline at full scale.
Do
Block factory reset, safe boot, developer options, and USB debugging
Block account modification — it keeps FRP deterministic
Require Play Protect threat scanning
Document the why per setting in the profile description
Don't
Blanket-block camera or Bluetooth without a regulation behind it
Keep one setting in multiple policies — conflicts resolve most-restrictive
Apply a device-wide template to BYOD — settings silently no-op
Insights
Restriction conflicts resolve predictably: most restrictive wins across profiles — keep each setting in one policy and conflicts stay theoretical.
Some settings silently no-op outside their mode (a device-wide key on a BYOD work profile, for instance) — "policy applied, nothing happened" usually means mode mismatch, not a bug. Check the template before opening the ticket.
OEMs layer their own toggles on top; when a setting needs to bite below the Android API surface (Samsung/Zebra hardware behavior), that's OEMConfig territory.
PSK and EAP-TLS Wi-Fi, always-on VPN, and the per-mode delivery details that trip people up.
Connectivity profiles are enrollment-critical plumbing: devices should land on corporate Wi-Fi during provisioning and authenticate with certificates rather than passwords someone can leak. Android delivers that with per-mode profile templates and a handful of delivery quirks worth knowing before the first profile ships.
Devices > Android > Configuration > Wi-Fi (pick the template matching the management mode — corporate-owned vs personally-owned work profile):
Basic (PSK): SSID, auto-connect, WPA2/WPA3 key. Fine for utility segments (printers, scanners-only VLANs, guest-adjacent networks); a shared secret is not an identity, so corporate data doesn't belong behind it.
Enterprise (EAP-TLS): certificate-based authentication, the gold standard — no password to phish, expire, or write on a whiteboard. Built as a three-profile chain (below).
MAC randomization: Android 10+ randomizes the MAC per-SSID by default, and the profile exposes the behavior for managed networks — pin the hardware MAC where NAC or DHCP reservations key on it; leave randomization on for guest segments.
Work-profile-scoped Wi-Fi lands device-wide in practice (radios are shared) but is managed through the profile — removal semantics follow the container.
Step-by-Step: the EAP-TLS Chain
Certificate-authenticated Wi-Fi is a three-profile dependency chain. Intune sequences the dependencies for you when the references are wired correctly:
Deploy the trusted certificate profile — your root (and issuing) CA — so the device can validate the RADIUS server's certificate.
Deploy the SCEP identity profile that issues the device its client certificate; Certificates on Android covers the issuance plumbing and per-mode targeting.
Create the Wi-Fi profile referencing both: EAP type EAP-TLS, the SCEP profile as the identity certificate, the trusted-cert profile as the root, and the server certificate names filled in so the device validates RADIUS trust strictly instead of trusting anything with a plausible chain.
Step 1Trusted certificate profileRoot and issuing CA — validates the RADIUS server
Step 2SCEP identity profileIssues the device its client certificate
Step 3Wi-Fi profile references bothEAP-TLS plus server certificate names for strict trust
VPN
Android VPN is client-app-centric: deploy the vendor's app (Managed Google Play), then configure it via app configuration policy (most modern clients) or a VPN profile (where templates exist). The capabilities worth knowing:
Always-on VPN (corporate-owned modes): designate the VPN package in device restrictions/configuration — with optional lockdown ("block connections without VPN") for regulated fleets. The operational warning is structural: gateway outage = fleet outage; pilot accordingly and write the break-glass procedure before you need it.
Per-app VPN behavior is delivered through the VPN vendor's managed configuration (package allow-lists in the app config) rather than an OS-level assignment association — read your vendor's Intune integration doc; they all differ slightly.
Microsoft Tunnel supports Android via the Defender app — one client covers MTD and tunnel duty, which is one fewer agent to deploy, update, and explain.
Verification
Enroll a lab device and confirm it joins the corporate SSID during provisioning — that is the test that matters, because production devices need the network before any user can intervene.
For EAP-TLS, confirm the work credentials are present on the device and perform an 802.1X join against production RADIUS. When 802.1X fails, triage in this order: server-trust names first, expired identity certificate second, WLAN infrastructure a distant third.
Insights
Sequence Wi-Fi into the enrollment-critical set (filter-shaped, not dynamic-group-gated) so zero-touch devices land on corporate Wi-Fi during provisioning — dynamic group membership lags enrollment by minutes you don't have at the setup screen.
Trusted root, SCEP, and PKCS for Android Enterprise — same chain, Android-flavored delivery.
The certificate architecture is platform-agnostic infrastructure: trusted roots anchor the chain, SCEP issues device identities, PKCS covers escrow scenarios, and the issuance backends — Microsoft Cloud PKI, the Certificate Connector in front of your AD CS, or third parties like SCEPman — serve every fleet you manage from one issuance plane. Build the PKI once; let each device estate consume it through its own profiles.
Profile typesTrusted root, SCEP for identity, PKCS for escrow
BackendsMicrosoft Cloud PKI, Certificate Connector + AD CS, or third party
StorageDevice KeyChain on corporate modes; inside the container on BYOD
RenewalIntune-automatic ahead of expiry — failures are silent, alert on backend health
The Android Specifics
Profiles are per management mode — a trusted-cert/SCEP profile targets either the corporate-owned template family or the personally-owned work profile template. BYOD certs live (and die) inside the container; corporate-mode certs are device-resident in the Android KeyChain.
Subject/SAN variables behave as you'd expect — {{DeviceName}}, {{AAD_Device_ID}}, {{UserPrincipalName}} on user-affinity modes — keep certs traceable to the Intune objects they were issued for.
App access to certificates: Android apps must be granted a KeyChain identity. Wi-Fi/VPN profiles that reference the SCEP profile handle their own binding; line-of-business apps doing client-cert auth typically take the certificate alias via app configuration policy (the common certificate alias-style keys) so users never see a chooser dialog. Silent cert selection is configuration, not luck.
Renewal is Intune-automatic ahead of expiry — but renewal failure is silent at fleet scale. Alert on connector/backend health and watch for 802.1X failure spikes as the canary: a dead issuing backend looks like "Wi-Fi is broken" three weeks later.
Step-by-Step: Practical Build Order
Trusted certificate profile (root + issuing) per mode family you operate — trust comes first; everything else references it.
SCEP profile referencing it — one identity can serve Wi-Fi and VPN and app auth; don't issue triplicates that triple your renewal surface for no security gain.
Consumers last: Wi-Fi/VPN/app-config profiles referencing the SCEP profile.
Verification
On a lab device, Settings > Security > Encryption & credentials shows the installed work credentials.
An EAP-TLS join against production RADIUS proves the chain end-to-end — root trust, identity issuance, and server validation in a single test.
Insights
A work-profile wipe (BYOD retire) destroys the container's certs instantly — cert-gated access dies with enrollment, by design. Corporate-mode wipes likewise. Write it into the offboarding runbook as the feature it is.
If you manage more than one device platform, share the PKI deliberately: same CA, same template philosophy, parallel profiles per estate — divergent PKI stacks are how orgs end up with four expiring things nobody owns. The Architecture Corner's RBAC model keeps issuance centrally owned either way.
The manufacturer back-channel — controlling Samsung, Zebra, and Honeywell hardware below the Android API surface.
OEMConfig is Android's pressure valve for hardware diversity: manufacturers ship a schema-driven companion app exposing their device-specific knobs, and Intune renders that schema as a configuration UI. It's how you reach the settings Google's APIs don't cover — and on rugged and Samsung fleets, it's not optional knowledge.
Step 1Approve the OEM appKSP, Zebra OEMConfig, Honeywell UEM Connect — via Managed Google Play
Step 2Deploy as requiredAssignment filter on manufacturer/model keeps schemas on their hardware
Step 3Build the profileDevices > Android > Configuration > OEMConfig — Intune renders the schema
Step 4App applies itManaged configuration lands with OEM privileges — typically instantly
The Mechanism
Approve the OEM's config app in Managed Google Play — Knox Service Plugin (Samsung), Zebra OEMConfig, Honeywell UEM Connect, and equivalents from most enterprise OEMs.
Deploy it as a required app to the matching hardware (an assignment filter on manufacturer/model keeps Zebra config off Samsungs).
Create the profile: Devices > Android > Configuration > OEMConfig, select the app — Intune renders the OEM's schema (hundreds of settings on KSP) as a navigable form.
The app receives the configuration as a managed configuration and applies it on-device with OEM privileges — typically instantly.
What Lives Here
Samsung KSP: firmware-control hooks, advanced Knox restrictions, DeX behavior, hardware-key remapping, granular USB/network controls — the deep Samsung surface.
Generally: anything the OEM considers theirs rather than Android's.
The Rules That Keep You Sane
One OEMConfig profile per app, per device
A device should receive exactly one profile for a given OEMConfig app. Multiple profiles targeting the same app on the same device produce undefined, last-writer-ish results — structure assignments so they can't overlap, and build variation inside one profile rather than stacking profiles.
Precedence discipline: an OEMConfig setting and an Intune-native restriction can disagree (two hands on one knob). Decide per setting which layer owns it, write it down, and never configure the same control in both.
Changes apply fast and device-side — there's no "deployment ring" safety net inherent to the channel. Pilot OEMConfig edits on a lab unit with the seriousness you'd give firmware.
Schemas version with the OEM app: after a KSP/Zebra app update, re-open the profile and review new/renamed settings before assuming continuity.
Do
Keep exactly one profile per OEMConfig app per device
Decide which layer owns each setting and write it down
Pilot schema edits on a lab unit with firmware-level seriousness
Re-review the schema after every OEM app update
Don't
Stack multiple profiles on the same app — results are last-writer-ish
Configure one control in both OEMConfig and a native restriction
Assume a deployment-ring safety net — changes land fast and device-side
Insights
KSP behind KME enrollment is the canonical Samsung stack — enrollment, deep config, and (with licensing) Knox E-FOTA update control in one vendor lane.
Treat OEMConfig profiles as code: export/document via IntuneCD — they encode tribal hardware knowledge that otherwise lives in one engineer's head.
The fragmentation truth, the policies that actually work, and patch-level compliance as your enforcement lever.
Start with the uncomfortable truth: Intune cannot push an Android OS update. Nothing in the management stack downloads and installs an OS build on demand — updates ship from each OEM/carrier on their own cadence, and the device installs what it's offered. Your control surface is scheduling, pressure, and procurement. Used together, they work.
Lever 1SchedulingSystem update policy: windows, postpone, freeze
Lever 2PressurePatch-level compliance wired to Conditional Access
Lever 3ProcurementAER hardware with committed support windows
Automatic — install when offered (good default for phones)
Maintenance window — install only inside a daily window (kiosks, scanners — no noon reboots)
Postpone — defer up to 30 days per update
Freeze periods — block updates entirely for defined date ranges (up to ~90 days each, with a required gap between) — your retail-holiday / exam-season / harvest-window control
30 daysmaximum postpone per update
~90 daysmaximum freeze period — gap required between freezes
2. Pressure — Patch-Level Compliance
The strongest lever in the Android update story: every device reports its security patch level as a date, and compliance policy can require a minimum patch level. Set it on a rolling window (e.g., no older than 60–90 days), wire it to Conditional Access, and devices that don't take updates lose access — converting "please update" into a self-resolving condition. Drive the window from data: the inventory report computes patch age across the fleet.
3. Procurement — Where the Battle Is Actually Won
Update availability is decided when you choose hardware:
Buy from the Android Enterprise Recommended directory and check the OEM's committed support window — current flagships (Pixel, Samsung's premium lines) commit to many years of OS + security updates; bargain hardware commits to roughly nothing.
Rugged fleets: Zebra LifeGuard and Samsung Knox E-FOTA (licensed services) add what the platform lacks — version pinning, tested-firmware targeting, and scheduled rollout of specific builds. If your dedicated fleet runs the business, one of these belongs in the budget.
Insights
Mixed-OEM fleets will straddle Android versions for years — keep app minimums and policies tolerant of N-1/N-2, and let patch-level compliance (not OS-version compliance) carry the security requirement; patch dates normalize across OEMs far better than version numbers.
Watch the long tail quarterly: when an OEM's support window closes, those devices' patch age only grows — the inventory report's aging buckets are your replacement-budget evidence.
The post-reset account lock built into Android — configure it deliberately or meet it for the first time during an incident.
Factory Reset Protection is Google's theft deterrent: after an untrusted factory reset, the device demands credentials of an account that was on it before the wipe. It is superb against thieves — and equally indiscriminate against IT departments that didn't plan for it, because the lock has no way of knowing whether the reset came from a pawn shop or from your own helpdesk bench. On corporate Android, you manage FRP explicitly — never leave it to whatever Google account happened to be present on the device.
Applies toCorporate-owned modes only — BYOD FRP belongs to the user
Key decisionDesignated unlock accounts vs documented disable
Pairs withAccount modification: block, plus zero-touch/KME persistence
Prerequisites
Devices enrolled in a corporate-owned mode — fully managed, dedicated, or COPE. BYOD work profiles are out of scope: the device is the user's, so the FRP accounts are theirs too.
A decision on who holds the post-reset key: one or more dedicated Google accounts (your Android Enterprise service-account family or purpose-built frp-unlock@ accounts) with credentials stored in the team vault.
Access to the corporate-owned device restrictions template, which carries the Factory Reset Protection settings.
Step-by-Step Configuration
Create or designate the corporate unlock accounts. Keep the list short and purpose-built — dedicated frp-unlock@ accounts beat personal admin accounts because they survive staff turnover and their credentials can live in the vault without exposing anyone's working identity.
Designate those accounts in the Factory Reset Protection settings of the corporate-owned device restrictions profile, so that only they can activate a device after reset. This is the recommended posture: theft protection stays on, and IT always holds the key.
Or disable FRP entirely where the trade-off genuinely favors it — dedicated kiosk fleets living behind physical security, where re-provisioning velocity beats theft deterrence. Make this an explicit, documented exception rather than a default you drifted into.
Pair with account modification: block in the same baseline so users can't add personal Google accounts that would otherwise enter the FRP picture. Without this, the unlock-account list you just configured competes with whatever accounts appear on the device later.
Document which accounts unlock FRP in the same vault entry as the MGP binding, so the person doing 2 a.m. incident response can actually find them.
Verification
Test the full unlock flow once in the lab, not first during an incident: factory-reset a lab device through an untrusted path, confirm the FRP challenge appears, and confirm a designated unlock account activates the device. An unlock procedure that has never been exercised is a hope, not a control.
How It Plays With Wipes and Enrollment
An Intune wipe of a corporate device with configured FRP leads to a reset that your designated accounts can always activate — clean redeploys.
Zero-touch/KME devices add the best layer: post-reset, the device also forces re-enrollment into your tenant regardless — FRP + wipe-persistent enrollment together is the strongest theft-resale deterrent Android offers.
Returning or selling devices: release them from zero-touch/KME and ensure a clean FRP state (a managed reset with FRP handled) before hardware leaves the fleet — a locked device in a buyer's hands is a support call and a refund waiting to happen.
Do
Designate dedicated frp-unlock@ accounts with vaulted credentials
Exercise the full unlock flow on a lab device
Release zero-touch/KME and clear FRP before hardware leaves the fleet
Don't
Leave FRP to whichever Google account happens to be on the device
Use a personal admin account as the unlock key
Sell or return devices with FRP still armed
Insights
The classic incident: a departed employee's personal Google account on a (mis-deployed) corporate device + a helpdesk factory reset = bricked hardware and an awkward phone call. Every line of the baseline above exists to make that sentence impossible.
BYOD work profiles don't involve corporate FRP — the device is the user's, their accounts, their FRP. Scope this whole page to corporate-owned fleets.
Device locks, work profile challenges, biometrics, and the two-password model BYOD users actually live with.
Android's lock story has a structural twist worth designing around deliberately: on work profile devices, there are potentially two locks — the device lock (the user's own) and the work profile challenge (yours). Designing them as a pair is the whole skill.
The Two-Lock Model
Device password policy applies to the whole-device lock. On BYOD you can require a lock of minimum strength — reasonable — but heavy-handed device-lock rules on personal phones generate justified resentment.
Work profile challenge: a separate unlock gating only the work container. The defensible BYOD posture: modest device-lock floor + real work-profile challenge — your strong auth protects your data; their phone stays theirs. On fully managed devices there's one lock and it's yours: set it like you mean it.
the device is BYOD with a work profileTwo-lock pairModest device-lock floor + real work-profile challenge — strong auth on your data, their phone stays theirs.
the device is fully managedOne corporate-grade lockThere's one lock and it's yours — apply the full corporate standard.
the fleet is dedicatedWorkflow-tolerant lockWhatever the workflow tolerates, with short timeouts doing the heavy lifting.
Step-by-Step: Building the Lock Policy
Decide the posture per enrollment mode before touching settings. BYOD gets the two-lock pair (light device-lock floor, real work-profile challenge); fully managed gets one corporate-grade device lock; dedicated devices get whatever the workflow tolerates, with short timeouts doing the heavy lifting.
Set the device password requirement. On BYOD, a minimum-strength floor is the defensible ask; on fully managed hardware, apply the full corporate standard — the device is yours and this lock is the front door.
Configure the work profile challenge separately. This is the unlock that actually guards corporate data on BYOD — require real strength here, and let the user's whole-device lock remain their business.
Prefer complexity bands over composition rules. Android's password-complexity bands (low/medium/high) beat character-recipe micromanagement — HIGH plus a length requirement is clean, auditable, and survives OS UI changes.
Allow biometrics; govern the fallback. Fingerprint/face unlocking a strong underlying credential is better security and better UX than PIN-typing fatigue — control the fallback credential, not the convenience. Decide trusted-agent features (Smart Lock-style unlocks) deliberately; most corporate postures disable them on managed devices.
Set lock timeout and max-failures-to-wipe per fleet. Timeout short on dedicated devices, humane on knowledge workers; failure-wipe only where the data classification truly warrants the foot-gun.
Verification
Compliance attests the result — policy sets the lock, compliance proves it, Conditional Access enforces it; the standing trio.
Test the lost-biometric path (sweaty-glove frontline reality): the fallback experience under your timeout/failure settings is part of the policy, not an afterthought.
Password changes near enrollment can race profile delivery — a device flapping noncompliant on password rules right after enrollment usually needs one sync cycle, not a ticket.
Insights
The work-profile challenge prompt confuses users exactly once ("why two PINs?") — one comms line fixes it: the second unlock is the door to the work side only; we never see or control your phone's main lock on BYOD.
Always-on, per-app, and Microsoft Tunnel — getting work traffic home without touching personal traffic.
Android VPN under management has one headline capability the personal world lacks: per-app VPN scoped to the work side — corporate apps tunnel, personal traffic never does, and the privacy wall extends to the network layer.
HeadlinePer-app VPN scoped to the work side — personal traffic never tunnels
Client modelVendor app from Managed Google Play + app configuration policy
RequiresCertificate chain in place where auth is certificate-based
Microsoft optionTunnel — Defender for Endpoint as the client app
The Profile Anatomy
A VPN profile pairs the client app (deployed via Managed Google Play) with connection configuration (server, auth, certificates) — most modern clients receive their config via app configuration policy rather than the legacy VPN profile type, so check the vendor's documented keys first.
Prerequisites
The VPN client app approved and ready to assign through Managed Google Play.
Certificate infrastructure in place where authentication is certificate-based — the SCEP chain is the standard.
The vendor's managed-configuration documentation in hand: the keys it publishes define what you can actually configure.
Step-by-Step Deployment
Land the client certificate first. Certificate-based authentication via your SCEP chain is the standard; the cert profile must arrive before the VPN can work — sequence assignments accordingly.
Assign the VPN client app as Required to the target fleet so the tunnel software is present before its configuration arrives.
Deliver the connection configuration — server, identity, routing — through the app configuration keys the vendor documents (or the legacy VPN profile type where that remains the supported path).
Decide the always-on posture. Always-on VPN (device or work-profile scoped) means the OS establishes and maintains the tunnel without user action, with optional lockdown (no traffic outside the tunnel) for high-assurance fleets — lockdown on a misconfigured tunnel is a self-inflicted outage, so pilot it with the escape hatch documented.
Scope per-app VPN deliberately. Enumerate the work apps that tunnel; on work-profile devices this is naturally container-scoped, so personal traffic stays untouched by design.
Microsoft Tunnel
For Microsoft-stack orgs, Tunnel is the Intune-native gateway: a containerized Linux gateway on-prem/cloud-edge, with Defender for Endpoint as the client app doing double duty (MTD + VPN). Per-app and full-device modes, configuration entirely via Intune profiles, and conditional launch ties into the compliance loop. If you're standing up Android VPN fresh and own the Microsoft stack, evaluate Tunnel before buying a parallel appliance.
The Strategic Note
If the VPN's only job is reaching two legacy internal apps, that's an app-modernization conversation (identity-aware proxy, ZTNA) wearing a VPN costume. Per-app VPN is often the bridge, not the destination — build it well, and plan its retirement in the same document.
Verification
The triage chain for "VPN won't connect" doubles as the rollout checklist: cert present? (device-side check) → app config delivered? → server reachable on that network? Three questions, in order, ends most tickets — and walking a pilot device through them proves the deployment before the fleet assignment goes out.
Check 1Certificate present?Device-side credential check first
Check 3Server reachable?Gateway up and routable from that network
Insights
Battery is the silent killer of Android VPN rollouts — always-on tunnels with aggressive keep-alives drain frontline devices; test on the worst battery in the fleet and tune server-side timeouts before the pilot, not after the complaints.
Tuning the wall between work and personal — contacts, copy/paste, notifications, and the connected-apps question.
The work profile wall is absolute by default; these settings poke deliberate, user-serving holes in it. Each hole trades a little separation for a lot of usability — make each trade on purpose.
The Settings That Shape Daily Life
Cross-profile contact search and caller ID: allow it. Without it, incoming calls from colleagues show as bare numbers because the work contacts live behind the wall — the single most complained-about default in BYOD history. Allowing search/caller-ID exposes lookups, not the contact store.
Cross-profile copy/paste: the genuine dilemma. Blocking it (work→personal) is real DLP with real friction; pair the decision with your App Protection cut/copy policy so the managed-app layer and the profile layer agree — users experience the stricter of the two, and disagreement between them produces "it works in Outlook but not Chrome" mysteries.
Cross-profile data sharing / intents: governs share-sheet flows (sharing a personal photo into work apps is commonly allowed; work→personal blocked). Test the actual share-sheet experience — intent rules read abstract and feel concrete.
Work notifications on the lock screen: redact content (show app, hide preview) as the middle path between leaking meeting titles on a personal lock screen and making notifications useless.
Connected apps / cross-profile app pairs: the OS-level mechanism letting specific app pairs (where the developer supports it) see across the wall. Most corporate postures leave this disabled — every pair is a documented exception or it's a hole.
The Design Doctrine
Defaults closed, holes opened by user-experience evidence: contacts/caller-ID immediately (the evidence is universal), clipboard and sharing per data-classification appetite, everything else by exception. Write the matrix once and the BYOD comms can honestly describe the wall — which is what makes users trust it.
Do
Allow cross-profile contact search and caller ID
Redact work notification content on the lock screen
Pair the clipboard decision with the APP cut/copy policy
Test the actual share-sheet experience
Don't
Enable connected-app pairs without a documented exception each
Let the profile layer and the managed-app layer disagree
Copy the BYOD matrix onto COPE unexamined
Insights
These settings interact with COPE's inverted ownership — the same toggles exist but the personal side is the guest; revisit the matrix per mode rather than copying the BYOD profile.
When a cross-profile behavior "stopped working," check OS-version changes first — Android tightens cross-profile defaults across releases, and the annual OS validation pass should include this matrix.
Bluetooth, NFC, tethering, USB data, and Wi-Fi behavior — locking down the side doors on corporate-owned fleets.
Every radio and port is a data path. On fully managed and dedicated fleets, the restrictions catalog gives you each one as a switch; this page is the cookbook for which switches matter and which combinations bite.
The Control Surface
Bluetooth: full disable for the strictest environments; contact sharing over Bluetooth off as the lighter default (blocks the car-kit contact slurp without killing headsets). Configurable on company-owned modes; the work profile on BYOD deliberately can't reach the device's radios — that's the personal side's property.
NFC: disable beam/data-sharing flows where data exfil matters; leave NFC itself alive if payment/badge workflows ride it — the distinction between "NFC off" and "NFC sharing off" prevents breaking the door badges.
Tethering/hotspot: off on dedicated fleets (a kiosk does not need to be a router); on knowledge-worker devices it's a policy decision with a real-world cost — field staff tether laptops legitimately.
USB: USB file transfer/data off is the high-value, low-friction control on corporate devices (charging unaffected); USB debugging blocked is non-negotiable outside the lab — and Play Integrity plus compliance backstop devices where someone tried.
Wi-Fi behavior: lock Wi-Fi config changes on dedicated devices (the kiosk stays on its deployed profile); allow user networks on 1:1 devices — people work from homes and hotels.
Airplane/cellular toggles: lockable on dedicated hardware where "the scanner went offline" usually means a curious finger.
Do
Turn off USB file transfer and block USB debugging
Prefer contact-sharing off over disabling Bluetooth outright
Distinguish NFC off from NFC data-sharing off
Keep the posture table in the tier-1 runbook
Don't
Disable NFC where payment or badge workflows ride it
Leave tethering on for kiosks — a kiosk is not a router
Expect work-profile policy to reach BYOD radios — they belong to the personal side
Posture by Fleet
Knowledge worker (fully managed)
Dedicated/kiosk
Bluetooth
On; contact-share off
Off unless peripheral-required
Tethering
Decide per field reality
Off
USB data / debugging
Off / Off
Off / Off
Wi-Fi changes
Allowed
Locked
Insights
Radio restrictions are where OEMConfig earns its keep — Knox and rugged-OEM schemas expose port and radio controls beyond the standard catalog (USB host-mode policy, specific-peripheral allow-lists) when the standard switches are too blunt.
Every disabled radio is a future mystery ticket ("scanner won't pair") — keep the posture table above in the runbook so tier-1 checks policy before hardware.
Owner identification, support messaging, and the small-surface branding that pays for itself in returned hardware.
Android's branding surface is deliberately small — but the pieces that exist are the ones that matter operationally: lock screen identification and management transparency messages. Spend the effort where it pays: the string that gets lost hardware returned, and the policy messages users actually read.
Lock Screen Message (Device Owner)
On fully managed and dedicated devices, policy sets a persistent lock screen message — the corporate-asset string visible to whoever finds the device:
Property of <Org> — if found: <helpdesk number / email>
This is the recovered-hardware play: a finder acts on what the lock screen tells them, and "property of, call here" measurably converts lost devices into returned ones. Template the string with real, answered contact details — a branding message pointing at a dead mailbox helps no one and quietly advertises that nobody is watching.
Management Transparency Strings
The restrictions surface carries short/long support messages — the text Android shows when a user hits a managed boundary ("this action is disabled by your organization" moments). Customize them: the default OS phrasing is cold and uninformative; "Disabled by <Org> IT policy — questions? helpdesk@…" turns a frustration moment into a routed question. Cheap goodwill, permanently deployed.
Wallpaper and Visual Identity
Whole-device wallpaper control is mode- and OEM-dependent rather than universal — where the fleet is Samsung, Knox Service Plugin exposes wallpaper/boot-animation controls the standard catalog doesn't; on dedicated devices, Managed Home Screen's theming (logo, colors, layout) is the visual identity and does the branding job properly. Knowledge-worker fully-managed fleets mostly skip wallpaper enforcement — the lock message carries the asset-ID value without the "IT redecorated my phone" energy.
Insights
Work profile BYOD branding is deliberately near-nil — it's the user's device and the wall works both ways; the badge on work apps is the brand presence, and that's correct.
Treat the lock message as managed data, not set-and-forget: helpdesk numbers change. An annual policy-review pass that re-validates the contact string costs a minute and saves the embarrassment of branded devices advertising a disconnected line.
Personal accounts, managed identities, and the Play Protect settings underneath your app-source story.
Account policy decides whose Google lives on the device — and on Android, the account model quietly defines the app-source and data-path story.
Accounts by Mode
Work profile (BYOD): the personal side keeps the user's own Google account untouched (their device); the work side runs on the managed Google Play account Intune provisions invisibly per the MGP binding — no user-visible Google identity to manage, which is the design's elegance.
Fully managed: the high-leverage control is account-add restrictions — block adding personal Google accounts and the device cannot sideload an identity that brings consumer Play, consumer sync, and consumer data paths onto corporate hardware. The defensible default: blocked, with the managed account doing all the work.
Dedicated: no user accounts at all, by design — account-add blocked is implicit in the mode's posture.
The account-restriction setting accepts allow-list nuance (specific account types) for the genuine exceptions; treat each as documented architecture.
Play Protect and App Source Integrity
The restrictions catalog carries the app-source integrity stack — set it as a unit:
Play Protect verify-apps: enforced — Google's on-device scanning stays on; compliance can attest it
The classic confusion ticket: a fully-managed user trying to add their personal Gmail and reading the block as "my email is broken." One line in onboarding comms — corporate devices run corporate identity; personal mail lives on personal devices — converts the ticket into a policy the user already heard.
Auditing account posture fleet-wide is a Graph query away — the device-account surface plus restriction-policy reporting answers "could anyone have added an account" with evidence rather than assumption.
Pre-deciding the permission prompts — global defaults, per-app grants, and the frontline case for silence.
Every Android app's first run is a parade of permission prompts — location, camera, notifications — and on managed fleets you can answer them by policy instead of by user: globally, and per-app per-permission.
the fleet is dedicated or frontlineAuto-grant the workflow app's permissionsNo personal context — prompts stall shifts and protect nothing.
knowledge workers carry fully managed devicesPrompt globally, pre-approve the security stackAuto-grant only what the security tooling needs to activate silently.
the device is BYOD with a work profileLighter touchGovern work-side grants to match the BYOD social contract.
The Two Levels
Global default (device restrictions, corporate-owned modes): what happens when a managed app requests a runtime permission — prompt (consumer behavior), auto-grant, or auto-deny.
Per-app overrides (app configuration policies): the surgical layer — this app gets location auto-granted, that one gets camera auto-denied — overriding the global default for the named permission on the named app.
The Right Call per Fleet
Dedicated/frontline: auto-grant the workflow app's required permissions, full stop — a kiosk scanner asking a warehouse picker to approve camera access is a workflow stall, not a privacy win. The device has no personal context; the prompts protect nothing and cost minutes per shift.
Fully managed knowledge workers: keep prompt as the global default (the prompts carry real signal on a device a human lives with), auto-grant only the corporate stack's table-stakes permissions (Defender's requirements, the VPN client's notification rights) so security tooling activates without a consent scavenger hunt. The principle: pre-approve what the security stack needs to function silently, and leave the judgment calls with the human holding the device.
Work profile BYOD: lighter touch by design — the work-side apps' grants are governable; the posture should match what the BYOD social contract promised.
The Edges Worth Knowing
A few permission classes sit outside the auto-grant reach by platform design — the special-access tier (overlay, usage access, and kin) follows its own rules, and location on newer Android versions carries extra user-consent ceremony even under management for certain grant types. Test the actual first-run on a bench device per OS release; the permission model is one of Android's most actively renovated rooms.
Insights
Auto-deny is the underused half: a corporate fleet whose policy auto-denies camera/microphone for the long tail of apps — granting only the named exceptions — converts the hardening baseline's intent into per-app reality without touching the OS-level radio switches.
The preinstalled layer — enable, disable, and govern what shipped on the device before you did.
Every Android arrives carrying a payload you didn't choose: OEM utilities, carrier additions, Google's suite. On corporate-owned modes, system apps are policy surface — and the defaults matter more than they look.
The Baseline Decision
Provisioning establishes the posture: corporate-owned enrollments can start with system apps broadly disabled (the lean default — the device exposes only what you enable) or left enabled (consumer-familiar, everything present). The provisioning payload and enrollment profile carry the choice; changing philosophy later means touching the fleet, so decide it with the mode decision, not after.
the fleet is dedicatedDisabled-by-defaultEnable the named few — every visible icon is workflow or distraction.
knowledge workers carry the devicesEnabled-by-default + block listBlock the genuinely objectionable; disabling the OEM gallery buys resentment, not security.
The Per-App Layer
Above the baseline, Intune's app surface manages named system apps: adding a system app entry (by package name) with a Required-style assignment enables it on devices where the baseline disabled it — how a lean dedicated fleet gets exactly the OEM camera and nothing else. The restrictions side carries the inverse muscle for blocking what must not run.
What to Do per Fleet
Dedicated: disabled-by-default + enable the named few — every visible icon on a kiosk is either workflow or distraction, and the lean posture is also the attack-surface posture
Fully managed knowledge workers: enabled-by-default with a block list for the genuinely objectionable (carrier bloat with data-path implications, duplicate stores) — disabling the OEM gallery on someone's daily phone buys resentment, not security
The carrier dimension is real: identical models from different channels carry different preloads — the two-model fleet discipline extends to channels, and the preload diff belongs in procurement acceptance
Insights
Package names are the whole game and OEMs don't advertise them — the bench technique: provision one device per model/channel, dump the package list via adb on a lab unit, and build the enable/block lists from observed reality rather than vendor documentation. Thirty minutes per model, versioned in the repo, done per hardware generation.
"The camera disappeared" tickets after enrollment are this page in disguise: lean-baseline fleets must enable the obvious utilities in the same change that disables the world — the gap between the two is your ticket volume.
Android app deployment is refreshingly low-ceremony: no licenses to count, no annual token expiry, no location juggling. Approve, sync, assign. Here's the full loop and the few places it still bites.
Step 1ApproveApps > Android > Add — pick from the embedded storefront
Step 2SyncAutomatic on a cadence; the Sync button for right now
Step 3AssignRequired installs silently; Available populates the managed store
Step 4ConfigureManaged configuration rides alongside most enterprise apps
The Loop
Approve: Apps > Android > Add > Managed Google Play app — Intune embeds the MGP storefront; search, open the app, Approve/Select. (Permission-change handling: choose to keep the app approved when permissions change, or you'll re-approve every update cycle.)
Sync: approved apps appear in Intune after a sync — automatic on a cadence, immediate via the Sync button (Apps list, or the MGP connector page). "I approved it and it's not in Intune" = press Sync.
Assign: Required installs silently on corporate modes and into work profiles; Available populates the managed Play store (the badged store in a work profile; the only store on fully managed/dedicated). Filters shape per-fleet.
Google Play updates managed apps using its own logic (idle + Wi-Fi + charging heuristics). Two controls worth knowing:
Update priority per app (in the app's Managed Google Play settings): High priority pushes the update as soon as Google publishes it — reserve for security-critical apps; Postpone holds ~90 days for change-controlled fleets.
App update pace is otherwise Google's; if a kiosk must run a pinned version, that's an argument for private app channel control, not a setting you're missing.
What About Paid Apps?
The honest answer: Managed Google Play's enterprise distribution is built around free apps and your own private apps. There is no bulk purchase-and-assign mechanism for paid consumer Play titles — in practice, enterprise Android runs on free clients + LOB. Plan procurement accordingly (vendors with paid consumer apps almost always offer an enterprise/private build), and see paid apps and licensing for the full procurement map.
Insights
Collections (store layout, edited in the MGP iframe) turn the managed store from an alphabet soup into a curated storefront — "Core", "Field Tools", "HR" — ten minutes of effort, outsized adoption payoff.
Permission auto-grant policy (in app assignment/config) silences runtime permission prompts on corporate fleets — kiosk and frontline apps especially should never be waiting on a tap for camera access.
The App Install Status script is platform-agnostic — point it at an Android app's display name and the same failure triage applies.
Managed configurations — pre-configuring apps so they open ready to work.
Android's managed configurations follow a clean contract: the app publishes a schema of admin-settable keys; Intune delivers values; the app launches pre-configured. The mechanism is native to Android Enterprise and powers everything from Outlook account setup to OEMConfig itself (which is literally a managed configuration with a huge schema).
Step 1App publishes its schemaAdmin-settable keys, declared by the app version
Step 2Intune delivers the valuesConfiguration designer or JSON, with tokens resolving per user and device
Step 3App launches pre-configuredFirst open is already set up — no helpdesk onboarding call
Creating One
Create the policy under Apps > App configuration policies > Add > Managed devices (platform Android Enterprise):
Target the app. Point the policy at the MGP app — the Configuration designer renders the app's published schema as a form; the JSON editor exists for schemas the designer renders poorly or for source control.
Set the values, tokenized where possible. Tokens make values dynamic: {{userprincipalname}}, {{mail}}, {{DeviceName}}, {{AAD_Device_ID}} — one policy configures every user correctly.
Assign alongside the app. Assignment follows the app's groups; the config arrives with (or right after) the install. Deploy app and policy together so first launch is already configured.
The Managed apps channel variant targets APP-protected apps instead — the MAM-without-enrollment path for configuring, say, Edge on an unenrolled BYOD device.
The Greatest Hits
Outlook: account auto-setup from UPN tokens, default signature posture, contact-sync policy — the difference between "open and work" and a helpdesk onboarding call.
Microsoft Launcher / Managed Home Screen: the entire kiosk experience is one big app config.
Certificate alias keys on LOB and vendor apps — silent client-cert auth wiring, per the certificates page.
VPN clients: per-app routing and connection definitions ride this channel on Android, as covered in Wi-Fi and VPN.
Insights
The schema belongs to the app version — after major app updates, revisit the policy for new/renamed keys (same discipline as OEMConfig schema versioning).
Config arriving after first launch can leave an app half-set-up; for required apps with critical config, deploy app and policy together and verify on a lab device before fleet assignment.
When a key seems ignored: confirm the app actually received the config (most Microsoft apps expose a diagnostic view listing applied managed config) before blaming Intune delivery.
Publishing your own APKs through Managed Google Play — minutes to deploy, private to your org.
Your in-house Android app doesn't need the public Play review gauntlet. Managed Google Play private apps publish an APK/AAB to your organization only, live in minutes, updated through the same pipe as everything else. It has fully replaced the legacy sideload-style LOB pattern for Android Enterprise.
Applies toAndroid Enterprise — visible to your MGP enterprise only
Console pathApps > Android > Add > Managed Google Play app > Private apps
Publish timeMinutes — plan ~10, not days
UpdatesUpload a higher versionCode to the same listing
Publishing a Private App
Apps > Android > Add > Managed Google Play app → in the embedded storefront, open Private apps (the lock icon) > +.
Name it, upload the APK/AAB, save. Google runs a light automated pass; the app is typically deployable in minutes (plan ~10, not days).
It now behaves like any MGP app: sync, assign Required/Available, attach managed config, done.
Updates = upload a new artifact with a higher versionCode to the same listing; Google Play delivers it fleet-wide on its update cadence. Your CI can do this through the Play Developer publishing path once the app graduates to a real release pipeline.
Web Apps
Same Private apps panel, web apps tab: give a URL, title, icon, and display mode — MGP wraps it into an installable app users get like any other. Best for intranet portals, dashboards, and line-of-business web tools that deserve a real icon in the launcher rather than a bookmark nobody finds.
What About Direct LOB APK Upload?
Intune's "Line-of-business app" (direct APK) type is the legacy device-admin-era path. On Android Enterprise, prefer MGP private apps every time: real update delivery, store presence, managed-config support, no sideload posture. If a vendor hands you a bare APK and shrugs, publish it as your private app — that's the supported pattern.
Insights
Private apps are bound to your MGP enterprise — one more reason that Google service account binding is crown-jewels infrastructure.
versionCode discipline saves weekends: monotonically increasing, mapped to your release tags, recorded in the repo. "Why didn't the fleet update" is almost always a versionCode that didn't increase.
Need the same app public later? A private listing can graduate via the Play Console — design package naming as if the app might someday escape.
MAM on Android — the data-layer shield that protects corporate data with or without device enrollment.
App Protection Policies put the control on the data rather than the device: policy travels with the app's corporate identity and data, enrollment or not. On Android the framework is mature, deeply wired into the work-profile and device-integrity stack, and carries controls that make security teams genuinely happy. This page covers what APP does on Android and how to layer it per fleet.
Applies toEnrolled and unenrolled devices — policy travels with the app
ProtectsCorporate identity and data inside managed apps
OffboardingSelective wipe — instant, surgical, no device touch
The Android Capability Set
Screenshot blocking works. APP can block screen capture of protected-app content on Android. Regulated-data orgs: it belongs in the same posture conversation as the hardening baseline.
Conditional Launch carries device gates: minimum OS, minimum security patch level (the patch-pressure lever reaching even unenrolled BYOD), rooted-device block, Play Integrity verdict requirements, and Defender-reported max allowed threat level. For MAM-only fleets, Conditional Launch is your compliance engine.
Encryption/backup: APP enforces app-data encryption posture and blocks protected data from Google backup paths — corporate data stays out of consumer cloud backups by policy rather than by trust.
Approved keyboards: optionally restrict protected apps to specified keyboard packages (third-party keyboards are a real exfil vector this policy exists for).
High-priority, postponed, and default update behavior — controlling when Managed Google Play moves your apps.
Managed Google Play keeps apps current automatically — the gift of the model — but when matters: a VoIP app updating mid-shift on a dedicated fleet is an outage with release notes. Update modes give you the throttle.
Set wherePer app, in its Managed Google Play configuration
ModesDefault · High priority · Postponed
Postpone window90 days — a deferral, not a pin
The Three Modes (Per App)
Set in the app's Managed Google Play configuration:
Mode
Behavior
Use for
Default
Updates on Play's normal logic — device idle, on Wi-Fi, charging-friendly windows
Most apps, most fleets
High priority
Updates pushed as soon as the developer publishes, constraints relaxed
Postponed is a deferral, not a pin — the window expires and the update lands; permanent version-freezing isn't the model (and fights the platform). For true pinning needs, the answer is process: coordinate with the vendor's release tracks, or own the app via private publishing where you control publish timing outright.
The Doctrine by App Class
The doctrine, by app class:
Security agents → high priority. A stale sensor is the one update lag with a blast radius.
The business-critical workflow app on dedicated devices → postponed, with a standing monthly validation rhythm so the 90-day clock never expires unvalidated.
Everything else → default, and stop thinking about it — that's the MGP value proposition.
Insights
Postponed mode pairs naturally with the developer-side track strategy: vendors and your own apps using closed testing tracks give you the pre-release gate; postponed gives you the post-release buffer. Together they're a full change-control story without owning a packaging pipeline.
Update timing on dedicated fleets also rides device state — kiosks that are never idle/charging per Play's heuristics can lag even on default mode; the maintenance-window thinking from OS updates applies to app updates too. A custom compliance or inventory check on the critical app's version closes the verification loop.
Closed testing through Managed Google Play — ringing your own APKs like you ring everything else.
Your private apps deserve the same ring discipline as OS updates and policies — and Google Play's track system provides it natively: production, plus closed-testing tracks, selectable per Intune assignment.
How It Works
Publisher side (Play Console, for apps published via the full console rather than the iframe quick-path): the developer maintains tracks — production and one or more closed tracks (alpha/beta-style) — uploading candidate builds to the testing track first.
Intune side: the Managed Google Play app's assignment surface exposes track selection — assign the closed track to your pilot group and production to the fleet. Same app, two populations, two versions, native plumbing.
Promotion is publisher-side: build proves out in the closed track → promote to production → the fleet's update mode takes it from there.
Stage 1Upload to the closed trackPublisher side — the candidate build lands in testing first
Stage 2Assign the track to ring-1Intune assignment — pilot group on closed, fleet on production
Stage 3Bake and verifyA versionCode check proves the pilot runs the candidate
Stage 4Promote to productionPublisher side — the fleet's update mode takes it from there
The Operating Pattern
Pilot group = the same ring-1 humans as your OS update rings — IT plus volunteer power users of the actual app; a dynamic group keeps it stable.
Bake time matched to risk: a UI tweak needs days; a scanning-workflow change on frontline hardware needs a representative site for a full cycle.
The track is for builds, not configuration — config experiments ride app configuration policies on the same build; don't fork builds to change settings.
The Iframe-Published Caveat
Apps published through the Managed Google Play iframe's quick private-app path get simplicity at the cost of the full track surface — fleets that outgrow single-track publishing graduate to a proper Play Console developer account for the app. That graduation moment is usually "the first time a bad build hit everyone at once."
Insights
Track assignments are the answer to the perennial "can we test the new version with just the warehouse team first?" — yes, natively, without sideloading, parallel app IDs, or unknown-sources heresy.
Close the loop with verification: a custom inventory check on versionCode per population proves the pilot is actually running the candidate before anyone calls the bake done.
Edge and Chrome under management — app configuration, the default-browser decision, and where web data lives.
The browser is the most-used app on the device and the leakiest if unmanaged. Android gives you real levers: managed app configuration for the major browsers, plus the policy context of whichever management mode frames it.
Microsoft Edge (the MAM-Native Choice)
Edge on Android is deeply App Protection-aware — corporate-identity tabs live inside the APP boundary (cut/copy/save-as rules apply to web content), making it the natural default where MAM is the data-control layer. Its app configuration surface covers homepage, bookmarks set, the identity behaviors, and the proxy/redirect settings your security stack wants. Deploy via MGP, configure by policy, and the BYOD web story is handled without touching the personal browser.
Chrome (the Managed-Config Heavyweight)
Chrome's managed configuration schema is enormous — URL allow/block lists, homepage/startup control, password-manager and autofill toggles, extension-adjacent and content settings — delivered through the standard app-config mechanism. On fully managed and dedicated fleets where Chrome is the deployed browser, that schema is your web policy engine; the discipline is the usual one: configure by documented intent, version the JSON in the repo, and resist configuring all four hundred keys because they exist.
MAM/APP is your data-control layer (BYOD)Microsoft EdgeCorporate-identity tabs live inside the APP boundary — selective wipe reaches web data.
a corporate-owned fleet needs deep web policyChromeEnormous managed-config schema — URL allow/block lists, startup control, content settings.
The Decisions That Matter
One sanctioned work browser per fleet, set as the work-side default — split browser populations split your policy story and your troubleshooting matrix.
Where does web data live? With APP-protected Edge, corporate web data sits inside the managed boundary and selective wipe reaches it; with unmanaged-context browsing allowed to corporate sites, it doesn't — which is exactly what Conditional Access app-enforced restrictions or APP-required policies exist to prevent.
Kiosk browsing is its own discipline — locked-down single-site browsing on dedicated devices wants the kiosk-browser pattern, not a hardened general browser.
Insights
Browser app config is the highest-leverage app configuration policy you'll write — one JSON shapes the majority of daily interaction surface.
Test config changes against signed-in sync behavior: a managed homepage fighting a user's synced personal Chrome profile produces "policy isn't applying" tickets that are actually identity-context confusion — the work-profile wall usually resolves it once you check which side the browser instance lives on.
What Intune can see, what privacy hides, and how to build the app-truth your security team asks for.
"What apps are on our Android devices?" has a mode-dependent answer — and knowing why it's mode-dependent keeps you from promising reports the architecture forbids.
Full inventory (and it should be a short, boring list)
Write this table into the security team's expectations before the audit request arrives — "we cannot see personal apps on BYOD" delivered proactively is architecture; delivered reactively it sounds like an excuse.
The Reporting Surfaces
Discovered apps (per-device and aggregate): the raw inventory, refreshed on the device-reporting cadence — the "is VLC installed anywhere" answer.
Managed app install status: per-deployment success/failure truth for everything you assigned — the App Install Status script automates it at fleet scale.
App Protection status for the MAM estate: which users' app instances are policy-current — the BYOD-side health metric that is available without device visibility.
Version-floor watching: the inventory's per-app version spread tells you whether update modes are doing their job — chart the critical apps' version distribution monthly, same rhythm as the patch-age buckets.
Unexpected-app triage on corporate modes: anything outside the sanctioned set on a fully-managed device means a source-control hole — investigate the door, not just the app.
Insights
Inventory freshness follows check‑in rhythm: a device asleep in a drawer reports stale truth. Filter inventory analysis to recently-synced devices or the version-spread numbers lie pessimistically.
The most useful "report" is often a delta: this month's discovered-apps set minus last month's — new arrivals fleet-wide surface in one diff, and Graph makes the snapshot trivial.
Do
Deliver the BYOD visibility boundary proactively, before the audit request
Filter inventory analysis to recently-synced devices
Chart critical apps' version distribution monthly
Don't
Promise personal-side app visibility on work-profile devices
Read a stale device's inventory as current truth
Stop at the app — an unexpected install means a source-control hole
The return path — how managed apps report status back, and what to do with the signal.
App configuration is famous as a one-way street: admin pushes JSON, app obeys. Android Enterprise also built the return lane — the managed configurations feedback channel, where apps report keyed app states back up the management stack: named key/value status pairs with severity and timestamps.
Managed appemits keyed app states
→
Management stackcarries the feedback channel
→
Console / Graphwhere you read the states
What Flows Back
A feedback-capable app reports states the developer chose to expose: configuration accepted/rejected per key, signed-in account, sync health, error conditions with messages. The canonical consumer is config validation — you pushed an app config with a malformed server URL, and instead of silence-until-ticket, the app reports the rejected key with a reason. For dedicated fleets running one critical workflow app, keyed states are the closest thing to application-level health telemetry the platform offers.
Two Hard Dependencies
Two dependencies gate the value, and both are outside your console:
The app must implement it — feedback is developer opt-in; Google's own enterprise apps and the better MDM-aware vendors do, the long tail doesn't. The procurement question ("does your app report keyed app states?") belongs in the RFP for workflow-critical apps — and it's a feature your ownprivate apps should implement, since you control both ends.
Surfacing varies by EMM and release — the states ride the Android management stack; how much your console exposes, and where, evolves. Where the UI is thin, the Graph layer is the fallback inspection path; verify current surfacing rather than assuming.
The Operating Pattern
For the apps that report: define the interesting keys with the vendor (config-rejection and auth-failure states first), wire them into the same review rhythm as install-status reporting, and treat a config push without a clean feedback pass as undeployed — the verification-loop habit, now with the app itself as witness.
Insights
The strategic frame: keyed app states turn management from polling into listening — the stack learning to tell you instead of waiting to be asked. Build the habit of consuming declared status now; every management surface is converging on it.
A straight map of paying for Android apps at fleet scale — what Managed Google Play does and doesn't do.
The single most important procurement fact about Android app deployment gets its own page: Managed Google Play has no general paid-app license store. There is no bulk purchase-and-assign mechanism for paid consumer Play titles in the MGP model — free apps distribute beautifully, and everything commercial happens outside the storefront. Plan around that fact rather than discovering it mid-rollout.
Store licensingNone — no bulk purchase-and-assign in Managed Google Play
Dominant modelFree store app + vendor-direct license via app config
License truthVendor portals — reconcile quarterly against install reporting
ReclamationA deactivation step in the offboarding runbook, not a console feature
How Paid Actually Works on Android
The patterns that exist, in order of prevalence:
Vendor-direct licensing + free app: the dominant enterprise model — the app is free on Managed Google Play; the license is a vendor relationship activated by app configuration (license keys, tenant IDs) or sign-in entitlement. Your "paid app" deployment is a free install plus a managed config carrying the proof of purchase.
Private apps for bespoke/contracted builds — the vendor publishes privately to your enterprise; commercial terms live in the contract, not the store.
Subscription-in-identity: licensing follows the user account (the Microsoft 365 pattern) — nothing to manage at the app layer at all.
The corollary for app selection: a vendor whose Android enterprise story is "users buy it on Play" hasn't built an enterprise story — that's a procurement-gate finding, same RFP list.
The Operational Hygiene
License truth lives in vendor portals, not your console — so build the ledger yourself: app → license model → count → renewal date, reconciled against install reporting quarterly. Reclaiming licenses when devices retire is a deactivation workflow, not a console feature: app uninstall and retirement gains a "release the vendor license" step that nothing automates for you, so write it into the offboarding runbook explicitly.
Insights
Write the licensing reality into your app-intake form once: Android = vendor-direct licensing required; no store-side bulk purchasing. One row in a template, and every future "can't we just buy it on Play" conversation is a link instead of a meeting.
Play Integrity, patch-level floors, and root detection — the Android compliance levers and how hard to pull them.
Android compliance plugs into the tenant's Conditional Access engine and brings unusually sharp instruments to the evaluation: hardware-attested integrity verdicts and date-based patch enforcement. Built well, an Android compliance policy leaves a compromised or neglected device very little room to argue its way past the front door.
Console pathDevices > Android > Compliance
ScopeOne policy per enrollment-mode family
RequiresDefender connector first, if gating on threat level
Enforced byConditional Access — compliance informs, CA acts
Prerequisites
Enrollment modes settled per the management-mode decision — corporate-owned and personally-owned work profile fleets get separate compliance policies.
If you intend to gate on threat level, Defender for Endpoint deployed and its connector feeding risk scores into Intune first.
A patch-cadence position you can defend — the minimum patch level works best driven by fleet data, not aspiration.
Step-by-Step: Building the Policy
Create policies under Devices > Android > Compliance, one per enrollment-mode family:
Rooted devices: Block. Non-negotiable, every fleet.
Require a Play Integrity verdict — Google's device-attestation service (SafetyNet's successor). Require device integrity (certified, untampered device); the strong/hardware-backed evaluation option raises assurance further on supporting hardware. This single setting filters out rooted, unlock-tampered, and uncertified devices with Google doing the attestation math.
Set a minimum security patch level — the patch-pressure mechanism: a rolling date floor (60–90 days back is a common production posture). Drive it from fleet data, move it monthly, announce the cadence so it's weather, not surprise.
Set minimum/maximum OS version — the floor to your support reality (N-2 typical); use the max only during controlled major-version validation windows.
Require password and encryption posture. Encryption is default-on for modern Android; require it anyway for the audit line. Password complexity to your standard; on BYOD this evaluates the work profile challenge.
Cap the allowed Defender threat level — if MTD is deployed, this is the live-signal half of compliance: an active threat changes the verdict now, not at the next audit.
Configure actions for noncompliance: grace period (24–72h) → user notification → mark noncompliant. The compliance policy informs; Conditional Access enforces.
Assign per mode family and pilot first — a misjudged patch floor marks half the fleet noncompliant at once, so land it on a known-good ring before broad assignment.
60–90 daystypical rolling patch-level floor
N-2common minimum-OS support floor
24–72 hoursgrace period before noncompliant
Mode-Specific Notes
Work profile (BYOD): compliance evaluates the work container and device-integrity signals — it cannot and does not audit personal-side content; say so in enrollment comms.
Dedicated devices: no user affinity means user-targeted CA isn't the lever — keep dedicated fleets healthy via monitoring and restrict their identities' scope instead.
AOSP: reduced signal set (no Play Integrity without GMS) — compensate with network-level posture and tighter physical control.
Verification
Watch the per-policy compliance report as assignments land: the noncompliant population should be explainable (stale devices, genuinely behind on patches), not surprising. Then validate the enforcement end — a deliberately noncompliant lab device should lose access per your Conditional Access design and regain it after remediation. A compliance policy that never demonstrably blocks anything is decoration.
Insights
Play Integrity failures on legitimate hardware almost always mean uncertified devices (gray imports, some budget OEMs) — a procurement finding wearing a compliance costume. The AER directory prevents it upstream.
Patch-level compliance is the rare control that improves fleet hygiene without admin effort per device — the noncompliant population self-identifies and self-resolves. Pull this lever before buying tooling that does less.
The enforcement layer — turning compliance verdicts and app protection into allow-or-block decisions at every sign-in.
Compliance describes the device; Conditional Access (CA) is the Entra ID engine that acts on the description. Two enforcement families matter on Android — device-based CA for the enrolled estate and app-based CA for the data layer — and one rollout discipline keeps either from locking out the wrong people.
Rollout ruleReport-only first, then rings — break-glass excluded everywhere
Device-Based CA: Enforcing the Compliance Verdict
The chain: the compliance policy evaluates → Intune writes the verdict onto the device's Entra record → a CA policy with the grant Require device to be marked as compliant reads that record at sign-in, after authentication. The chain is only as strong as the verdict — and on Android it's unusually strong, because Play Integrity anchors it in hardware-backed attestation: a tampered device can misreport its passcode posture but can't lie to attestation, so the access decision bottoms out in silicon. Two timing facts: a device in its noncompliance grace period still evaluates as compliant, and verdicts refresh on check‑in — the compliance schedule, not the CA policy, sets enforcement latency.
Compliance policyevaluates the device
→
Entra device recordcarries the compliant flag
→
CA policygrants or blocks access
App-Based CA: Protecting Data Without Claiming the Device
Require app protection policy admits a sign-in only from an app governed by an App Protection Policy — real enforcement for unenrolled BYOD: no device claim, corporate data confined to policy-governed apps. The older Require approved client app grant has reached retirement and is read-only; build anything new on the app-protection grant alone. App-based CA still requires Entra registration (not enrollment): a broker — Company Portal or Microsoft Authenticator — completes it, installing on demand at first sign-in.
Fleet
Grant pattern that works
Corporate-owned (fully managed, corporate-owned work profile)
Require compliant device, evaluated for the signed-in worker in SDM-aware apps
The Work-Profile Boundary and Browser Sign-Ins
On work-profile devices the Entra registration lives inside the container: badged apps and browsers can present device identity; the personal-side browser is an unregistered context and fails the compliant-device check by design. Microsoft Edge and Chrome support device authentication on Android — the first browser sign-in prompts for the device certificate — but never in private browsing, with cookies blocked, or from WebViews inside apps. So deploy a managed browser into the work profile, make it the documented path to corporate web apps, and teach the helpdesk that "mail works, browser blocked" on BYOD usually means the personal-side browser, not a CA failure.
Dedicated and User-Less Devices
CA evaluates at user sign-in, and a standard dedicated device has no user — user-scoped policies never fire for that hardware, and users can't sign in to CA-protected resources from it at all, compliant or not. Don't read an "all users — require compliant device" policy as kiosk coverage; it neither protects nor blocks that estate. The plays: compliance at device groups so the fleet still reports posture, narrowly scoped device-bound identities, and Entra Shared Device Mode where workers genuinely sign in — SDM makes the worker's sign-in evaluable, so the compliant-device grant works in SDM-aware apps.
Prerequisites
Compliance policies deployed per mode family, with a report you can explain — never gate on an unvalidated verdict.
Entra ID P1 licensing for Conditional Access.
A break-glass account excluded from every CA policy — tested before the incident, not during it.
A pilot group spanning your modes, plus comms covering what a block looks like and the way back.
Step-by-Step: First Device-Based Policy, Report-Only First
Create the policy under Endpoint security > Conditional Access. Name it like you'll eventually have fifty: CA-Android-RequireCompliant-Pilot.
Scope users deliberately. Include the pilot group; exclude break-glass and enrollment-operations accounts.
Pick target resources surgically. The Office 365 grouping is the classic first target — not All resources. If you do go all-in, exclude the Microsoft Intune Enrollment cloud app so enrollment sign-ins survive.
Condition on the platform: device platforms → Android only, keeping the blast radius to the fleet you validated.
Set the grant: Require device to be marked as compliant.
Enable in Report-only and create — nothing blocks yet; every matching sign-in records what would have happened.
Soak one to two weeks, then work the report-only results in the sign-in logs: stale registrations, forgotten device populations, service accounts — all cheaper to fix before enforcement.
Flip to On for the pilot, widen in rings, and consider All resources only once ring data is boring.
Verification
Prove both directions. A compliant pilot device signs into a protected app and the sign-in log's Conditional Access detail shows the compliant-device grant satisfied. A lab device forced noncompliant (the patch floor is the easy lever) gets blocked — and the path back through the Intune app or Company Portal actually works. On a work-profile device, the badged browser passes while the personal-side browser is refused. A policy you can't demonstrate blocking something isn't enforcement yet.
The Lockout Pitfalls
Blocking the enrollment apps themselves. Requiring a compliant device on All resources catches the sign-in that happens during enrollment — the device can't become compliant because it can't finish enrolling. The symptom is the Company Portal sign-in loop; the fix is excluding Microsoft Intune Enrollment from compliance-requiring policies.
No exclusion groups. CA applies to the admins who author it; without the break-glass exclusion, a bad policy locks out the only accounts that could repair it.
Grant logic surprises. "Require all the selected controls" with compliant-device and app-protection selected strands unenrolled BYOD; mixed estates almost always want Require one of the selected controls.
Counting the kiosks as covered. User-scoped CA doesn't see the dedicated fleet — its safety net is device-group compliance and monitoring.
Insights
The sign-in log names the policy and the exact grant that failed — splitting every CA ticket into "identity problem" (stale registration, wrong side of the work-profile boundary) or "compliance problem" in one look.
Report-only finds the population nobody modeled: long-enrolled devices with broken registrations, compliant in Intune yet still blocked. Fix those first, or day one buries the project in tickets.
Treat exceptions as debt with a date — every "temporary" exclusion group becomes the permanent bypass an auditor finds later. Review exclusions on the cadence you move the patch floor.
Mobile threat defense for Android — deployment, the risk-score loop, and the BYOD privacy story.
Defender for Endpoint on Android closes the mobile threat defense loop end to end: the device carries a risk score, compliance caps the acceptable score, and Conditional Access acts on the result. Threats change access now, not at the next audit.
Web protection / anti-phishing via a local VPN construct (traffic inspection on-device — not a tunnel to Microsoft), with the option to pair actual tunneling through Microsoft Tunnel in the same app (VPN page).
Malware and unwanted-app detection — meaningful on a platform where sideloading exists; complements (doesn't replace) Play Protect and Play Integrity gating.
Risky-device signal: root and tamper indicators, dangerous configurations, network threats — distilled into the risk score Intune consumes.
Deployment
Approve/assign the Microsoft Defender app via Managed Google Play — required on corporate fleets, required-with-comms on work profiles.
Connect the Defender for Endpoint connector (Endpoint security > Microsoft Defender for Endpoint) so risk scores flow into compliance.
Ship an app configuration policy for Defender — this is where low-touch onboarding and feature toggles (web protection on/off per fleet, VPN behavior) live, trimming the user's setup to nearly nothing.
Add the device risk score rule to Android compliance policies. The loop is closed.
The Work-Profile Privacy Note (Have This Ready)
On BYOD work profiles, Defender installs inside the work profile and scans the work side — the personal profile stays outside its view, consistent with the whole work-profile privacy architecture. The web-protection VPN likewise scopes to the profile. Publish that sentence with your rollout; the "is IT reading my phone" question arrives either way, and the correct answer is reassuring.
Insights
Sequence connector → app → config → then the compliance rule, piloted: flipping the risk-score rule onto a fleet before Defender saturates marks healthy devices noncompliant and turns your rollout into a helpdesk event.
Defender's threat level also feeds APP Conditional Launch — meaning even MAM-only unenrolled devices participate in the risk loop. Few orgs use this; the good ones do.
Verdicts, hardware-backed attestation, and what actually trips integrity failures — the trust signal under Android compliance.
Compliance names Play Integrity as a checkbox; this page is what the checkbox means — because when a device fails it, the triage runs through this anatomy.
The Verdict Levels
Play Integrity evaluates the device and returns layered verdicts; in Intune compliance terms you choose the bar:
Basic integrity: the device isn't obviously compromised — but the check tolerates more (some uncertified or tampered states can pass basic while failing higher bars). A floor, not a posture.
Device integrity (certified): the device is a GMS-certified unit running a genuine, untampered build — the standard corporate bar.
Strong/hardware-backed: the verdict is rooted in hardware-backed key attestation — the TEE vouches, not just software. The bar for high-assurance fleets; older hardware can't always meet it, so check the fleet's capability before mandating it (procurement again).
Pick the level as policy, document why, and apply it through compliance → Conditional Access.
you only need a floor against obvious compromiseBasic integrityTolerates more — some uncertified or tampered states still pass. A floor, not a posture.
you want the standard corporate barDevice integrityGMS-certified hardware running a genuine, untampered build.
the fleet is high-assurance and the hardware supports itStrong integrityHardware-backed key attestation — the TEE vouches. Check fleet capability first.
What Actually Trips Failures
In rough order of real-world frequency:
Unlocked bootloader / custom ROM / root — the intended catch; the device is modified and the verdict says so.
Uncertified hardware — gray-market or non-GMS devices that never could pass; a procurement leak surfacing as a compliance ticket.
Transient evaluation states — fresh enrollments and devices long offline can lag a verdict cycle; one sync and a recheck beats escalation.
OS-level oddities post-update — rare, usually OEM-firmware-specific, and the reason ring-1 exists.
Play Integrity succeeded SafetyNet — older docs, vendor checklists, and audit templates saying "SafetyNet attestation" mean this system; translate silently and move on.
Insights
Integrity is the signal that makes Android compliance more than self-reporting — a rooted device can lie about its password policy but not to hardware-backed attestation. That's the line to use when security review asks why the checkbox matters.
Don't build allow-list exceptions for failing devices "temporarily" — an integrity exception is an attested-compromised device with corporate access. The exception process is replacement, not tolerance.
Plugging third-party MTD — or Defender — into the compliance loop, and running the risk-score economy honestly.
Mobile Threat Defense is the live-threat layer: an on-device sensor scoring the device's risk (malware, network attacks, OS exploits, risky configs), with the score feeding compliance so Conditional Access can act on it. Defender is the Microsoft-native implementation; this page is the pattern — including when the sensor is Lookout, Zimperium, Check Point, or another partner.
Console pathTenant administration > Connectors > Mobile Threat Defense
RequiresA working compliance-to-Conditional-Access loop
Sensor deliveryRequired app via Managed Google Play, zero-touch activation
Hard ruleOne MTD sensor per device — never two
Prerequisites
One MTD vendor chosen per fleet — Defender or a partner (decision guidance below); the non-negotiable is a single sensor per device.
A working compliance-to-Conditional-Access loop — the risk score only matters if it has an enforcement path to land in.
A healthy Managed Google Play pipeline, because the sensor ships to every device as a required app.
Admin access to the MTD vendor's console — activation health and threat detail live there, not in Intune.
Step-by-Step: The Integration Anatomy (Any Vendor)
Establish the connector. Tenant administration > Connectors > Mobile Threat Defense — this creates the Intune↔MTD-vendor trust and is the channel risk scores ride. Enable the Android compliance-policy evaluation for the connector so the vendor's scores are permitted to drive device state.
Deploy the sensor app. Push it via Managed Google Play as required, configure it via app config, and let it enroll to the vendor's backend. Most vendors support zero-touch activation under management — insist on it; manual activation is a coverage hole generator, because every user who never opens the app is an unprotected device that reports as deployed.
Point compliance at the score. Add device threat level at or under X to the compliance policy — the policy line that converts detection into enforcement. Without it, the sensor is a dashboard, not a control.
Optionally, extend to the MAM-only population.App Protection conditional launch consumes MTD signals for devices you don't manage — threat defense for the unenrolled tier.
Verification
Measure coverage before any threat metric: % of fleet with a healthy, activated sensor — an MTD program at 60% activation is a coin-flip control. Inventory the sensor app's status like the security agent it is, and reconcile it against the vendor console's activation list.
Rehearse the response path end-to-end once per quarter: plant a test detection, watch score → compliance → CA block → remediation → restoration. The loop you've rehearsed is the loop that works at 2 a.m.
Choosing the Threat-Level Bar
The vendor scores Low/Medium/High-style; your compliance bar decides the trigger. The honest calibration: start at High (act on confirmed-bad), watch the alert economy for a quarter, tighten to Medium when the false-positive rate proves the vendor's tuning. Starting strict on day one converts every vendor heuristic hiccup into a user lockout — and lockout fatigue is how security tools get politically killed.
Defender vs Partner: the Decision
Microsoft-stack orgs default to Defender (one connector, Tunnel co-residency, one console). Partners win on specific strengths — existing enterprise agreements, specialized detection claims, multi-MDM estates. What doesn't work: two MTD sensors on one device — they fight, drain, and double-report; one sensor per fleet, chosen deliberately.
you run a Microsoft-stack shopDefenderOne connector, Tunnel co-residency, one console.
an enterprise agreement, specialized detection, or a multi-MDM estate points elsewherePartner MTDLookout, Zimperium, Check Point — same connector pattern; threat detail lives in the vendor console.
The restriction set that constitutes "hardened" on corporate Android — assembled, justified, and ready to defend in review.
Scattered across the restrictions, radios, and account-control pages is a de-facto security baseline. This page assembles it into one defensible artifact: opinionated defaults, every line justified, organized so a security review can walk it top to bottom.
Applies toCorporate-owned fleets, with a shorter BYOD counterpart
Five pillarsSource integrity · data paths · crypto · updates · recovery
ArtifactA versioned profile set in the repo, with change notes
The Corporate-Owned Baseline (Fully Managed / Dedicated)
Identity and integrity:
Personal account add: blocked · Unknown sources: blocked · Developer options/USB debugging: blocked · Play Protect: enforced — the source-integrity stack as one unit
Play Integrity at device integrity minimum in compliance
Data paths:
USB file transfer: off · Bluetooth contact sharing: off · Tethering per fleet decision · Backup to personal Google: blocked
Screen capture: per data classification (blocked on regulated fleets; the APP layer covers app-level capture on BYOD)
The work-profile baseline is shorter by design — the wall does most of the work: work-profile challenge required, cross-profile matrix decided, APP policy carrying the data controls, Play Integrity in compliance. Resist porting device-owner controls into the profile; half don't apply and the other half violate the social contract.
Operating the Baseline
Keep one baseline profile set, versioned in the repo. The baseline is an artifact with a history, not a pile of console toggles — exported profiles and change notes make every delta explainable a year later.
Handle deviations as documented variant profiles. The kiosk that needs USB host mode gets a named exception via OEMConfig, not an edited baseline — the moment the baseline itself bends for one fleet, it stops being a baseline.
Run an annual review pass against the new OS release. Each major Android version adds and retires controls; the yearly pass keeps the baseline current instead of fossilized.
Do
Version the baseline in the repo with change notes
Handle deviations as named variant profiles
Re-review against each major OS release
Don't
Bend the baseline itself for one fleet's exception
Port device-owner controls into work profiles
Let the baseline fossilize as console toggles with no history
Frameworks & Benchmarks: CIS + Android Enterprise
Read this section before you argue Android hardening with an auditor. The single most important fact about Android on Intune is the one Microsoft will never put in a marketing deck: there is no Microsoft security baseline for Android. The Intune security-baselines surface is Windows-only — the overview page is literally titled "security baselines for Windows devices," and every shipping instance is Windows 10/11 MDM, Microsoft Defender for Endpoint, Microsoft 365 Apps, Microsoft Edge, HoloLens 2, or Windows 365. There is no Android (or iOS) entry in Endpoint security > Security baselines, and there never has been. So when someone asks "where's our Android CIS L1 baseline profile," the honest answer is that the authoritative hardening for Android comes from a different stack entirely: the CIS Google Android Benchmark, the Android Enterprise management model (which you already configured above as the corporate/BYOD restriction sets), the Intune App Protection / Data Protection Framework, and OEM hardening such as Samsung Knox. Your Settings Catalog restriction profiles are how you implement those controls — but the control catalog itself lives upstream.
MS Android baselineNone — Intune baselines are Windows-only
CIS Google Androidv1.6.0 — single benchmark, free PDF (non-commercial)
App Protection levels3 (basic / enhanced / high)
AttestationPlay Integrity API (SafetyNet turned down Jan 2025)
CIS Google Android Benchmark — And Why It's Thinner Than Apple/Windows
The CIS Google Android Benchmark is the closest thing to a vendor-neutral, consensus hardening standard for the platform, and the current published version is v1.6.0. Be honest with your stakeholders about what it is and is not. Unlike the CIS macOS benchmarks (which split cleanly into Level 1 and Level 2 profiles and track each yearly OS release alongside Apple's own macOS Security Compliance Project), or the CIS Microsoft Windows benchmarks (with L1/L2 workstation, L1 server, BitLocker and Next-Generation Windows Security profiles per release), the Android coverage is comparatively thin and slower-moving: it ships as essentially one benchmark, it is not partitioned into the same crisp L1/L2 workstation tiers, and it is not re-cut tightly against every annual Android dessert release. Practically, that means you cannot point Intune at a "CIS Android L1" template and call it done. You read the benchmark PDF, map each recommendation to a Settings Catalog or device-restriction setting under the relevant Android Enterprise profile (work profile vs fully managed change which controls even exist), and you own the drift.
Operational gotchas a real fleet hits: (1) profile surface differs by management mode — a personally owned work profile cannot enforce most device-wide controls, so a CIS recommendation that assumes full device ownership simply has no knob in BYOD; budget for two mappings, not one. (2) Version skew is brutal on Android — a setting present on a Pixel running current Android may be absent or behave differently on a two-year-old OEM build, so validate per device family before you assert compliance. (3) Audit evidence doesn't come from Intune's baseline reporting (there is none for Android) — you build it from device-configuration profile assignment status, compliance-policy state, and exported Graph reports, then reconcile that back to the benchmark line items by hand or with a script.
For the implementation side of mapping benchmark items to actual profiles, see Android device restriction profiles (the same Settings Catalog authoring model applies) and the platform-level compliance policies that gate access on the controls you set.
Android Enterprise: The Real Hardening Model (Work Profile Separation)
Where CIS gives you settings, the Android Enterprise management model gives you the isolation architecture those settings sit inside — and this is genuinely strong, often stronger than the equivalent on other platforms. The whole point is work-profile separation: on a personally owned device, Android Enterprise provisions a cryptographically separated work profile with its own encrypted storage, its own managed Google Play instance, and a hard data boundary the OS enforces — IT manages everything inside the badge and nothing outside it. For corporate-owned hardware you escalate to fully managed (COBO), dedicated/kiosk (COSU), or corporate-owned work profile (COPE), each exposing progressively more device-wide control. (These four modes are exactly the corporate/BYOD restriction sets configured earlier on this page — the framework context here is why they exist, not a re-listing of their settings.)
Two hard truths for operators: Android device administrator (DA) management is deprecated and is no longer available on devices with Google Mobile Services — if you still have DA enrollments, migrate them to an Android Enterprise mode now, because you are running on borrowed time. And the device-quality floor matters: Google's Android Enterprise Recommended program is the validated shortlist of business devices and EMM solutions that meet elevated requirements. The current knowledge-worker minimum is Android 16.0 (6 GB RAM, 32 GB storage), and OEMs must publish their security-update cadence (commonly every 30 or 90 days) plus a Security Maintenance Release end date and support at least one major OS upgrade. Buying off that shortlist is how you avoid the version-skew and patch-latency problems that otherwise wreck your CIS mapping.
App Protection Framework: Three Levels, Even With No Device Baseline
Even on a device you do not manage at all, you still have a real hardening lever: the Intune App Protection / Data Protection Framework, delivered through App Protection Policies (MAM). Microsoft organizes it into three prescriptive levels — Level 1 enterprise basic, Level 2 enterprise enhanced, and Level 3 enterprise high — and each level is additive (Level 2 includes all of Level 1; Level 3 includes all of Level 2). This is the mobile analogue of the Windows security-configuration taxonomy, and it is the one place Microsoft does ship leveled prescriptive guidance for Android.
Level 1 (basic): require an app PIN, encrypt org data, allow selective wipe, block on rooted devices, and turn on Google Play device attestation ("Basic integrity and certified devices") plus the Verify Apps threat scan. This replaces legacy Exchange device-access policy for most users.
Level 2 (enhanced): clamp data transfer to policy-managed apps, block backup and screen capture, require a minimum OS version and minimum security patch date (YYYY-MM-DD), step up to the hardware-backed key attestation evaluation type, and add Samsung Knox device attestation = Block access for Knox hardware.
Level 3 (high): six-digit non-simple PIN, Class 3 biometrics, approved-keyboards only, block printing and open-into-org-documents, escalate Knox attestation to Wipe data, and wire in Mobile Threat Defense (max-allowed-threat-level = Secured) for targeted high-risk users.
The operational payoff: App Protection works on enrolled and unenrolled devices, so it's your enforcement floor for BYOD where you have no MDM authority — gate it with Conditional Access requiring an app-protection policy. For how this ties into device-side enforcement on the platforms that do have baselines, compare against Defender and endpoint security and the Windows security baselines.
Play Integrity: The Attestation Layer Behind Compliance
The trust signal under all of the above is hardware/Google-backed attestation, and the important change for anyone still copying old runbooks: SafetyNet Attestation is gone. Per Google, the SafetyNet Attestation API "was deprecated in 2022 and fully turned down in January 2025" — calls to it now fail with an error. Its successor is the Play Integrity API, which consolidates the old SafetyNet integrity verdict into a single API that attests the app is an unmodified binary installed by Google Play, running on a genuine, untampered Android device. Intune's conditional-launch settings (labeled "SafetyNet device attestation" in the older UI, and the "hardware-backed key" evaluation type) ride on this Play Integrity machinery, and Knox attestation layers OEM-level hardware verification on top for Samsung fleets.
For a real deployment, plumb the attestation result through to compliance: a failed integrity verdict should flip the device non-compliant, and Conditional Access then blocks the corporate resource. That chain — Play Integrity verdict, Intune attestation/compliance evaluation, Conditional Access grant control — is your actual root/tamper defense, and it's worth testing per device family because attestation behavior is exactly where OEM and Android-version skew shows up first. See conditional access for the gating side.
The review-meeting cheat code: this page's structure is the security questionnaire's structure — source integrity, data paths, crypto, updates, recovery. Map your profile export to those five headings and the audit reads itself.
File-based encryption, the work-profile crypto boundary, and where corporate data actually lives.
Android's encryption story is quietly excellent — file-based encryption is mandatory and default since Android 10, hardware-backed on certified devices — which shifts the admin's job from enabling crypto to attesting and bounding it: prove the protection is present, then control where the protected data is allowed to travel.
EncryptionFile-based, mandatory and default since Android 10
Key anchorDevice credentials + hardware keystore
Work profileA separately-keyed encryption domain
Your jobAttest via compliance; keep the unlock credential real
The Encryption Layer
File-based encryption (FBE) encrypts per-file with keys bound to device credentials and hardware keystore — credential-encrypted storage stays sealed until first unlock. Your job: attest it via compliance (require encryption — on certified modern hardware this passes by construction, and the rare failure is a hardware-integrity red flag, not a settings problem), and keep the credential real (passcode policy) since FBE's strength inherits from the unlock secret.
The Work-Profile Crypto Boundary
On work profile and COPE devices, the profile is a separately-keyed encryption domain — the work-profile challenge gates its keys independently. This is why profile removal is cryptographically clean (retire = the keys die with the profile) and why the wall isn't just UI: personal and work data are different key domains on the same flash.
Where Corporate Data Actually Lives (the Boundary Map)
The defense-in-depth map worth drawing once:
Device layer: FBE + lock credential — protects against the lost/stolen-hardware case
Profile layer: the work container's separate key domain — protects the corporate set specifically
App layer: App Protection Policies — protects data in use (cut/copy/save-as/PIN) and survives onto unmanaged devices
Service layer: Conditional Access riding compliance — protects the cloud side regardless of any device's fate
Backups are the classic boundary leak: block backup of work data to personal Google accounts in the account controls — an encrypted device faithfully exporting plaintext-equivalent data to a consumer cloud is the architecture defeating itself politely.
Insights
When security review asks "is the data encrypted at rest," the strong answer is the four-layer map, not "yes" — encryption-at-rest is table stakes; the layered boundary is the design.
Selective wipe's credibility rests on this anatomy: retire kills the profile keys, APP wipe kills the managed-app data — both are key destruction, not best-effort deletion, and that's worth saying out loud in the data-handling document.
What telemetry actually exists — platform capability versus console surfacing, and the audit story you can honestly promise.
"What security logs do we get from the Android fleet?" deserves a precise answer, because the platform's capability and your console's surfacing are different layers — and audit promises built on the wrong layer become findings. The discipline below is tier-by-tier honesty: name each telemetry layer, what it actually emits, and which promises it can carry.
Never promise"Full device logging" — structurally false for BYOD
The Layers, Honestly
Android Enterprise's platform capability: the management framework defines security and network logging features for corporate-owned devices — security-relevant events (auth attempts, app installs, ADB/USB activity) and network-level logs (DNS/connection records), retrievable by the device's management stack. Defined is the operative word: how much of this any EMM ingests and exposes varies — verify Intune's current surfacing against documentation before promising it to an auditor, and assume thin until proven.
What Intune reliably gives you today: the management-plane audit trail — enrollment events, compliance state history, policy and app deployment records, admin actions — all Graph-queryable and SIEM-shippable. This is solid audit material; it's fleet truth, not on-device event truth.
The MTD/EDR layer: Defender or your MTD partner is the on-device security-event sensor in practice — threat detections, risky-app findings, network-protection events flowing into its own portal and your SIEM. For most estates, this is the on-device security telemetry story, and sensor coverage % is therefore an audit metric.
The attestation layer: Play Integrity verdicts as point-in-time integrity evidence — not a log stream, but the strongest single signal in the stack.
The Promise You Can Write Down
The defensible sentence for the audit doc: management-plane events from Graph, on-device threat telemetry from the MTD sensor at N% coverage, hardware-backed integrity verdicts in compliance — three named sources, each verifiable. The sentence to avoid: "full device logging," which the work-profile privacy wall makes structurally false for BYOD anyway, by design and for good reason.
Insights
Rehearse one retrieval: pick a question ("what did this lost device's last day look like?"), answer it from your actual sources, time it. The gap between the architecture slide and that stopwatch is your real logging posture.
The Android lost-device playbook — lock-with-message, locate, and the action ladder from misplaced to gone.
Corporate-owned Android carries a complete lost-device kit — remote lock with a message, a formal lost mode with locate, and the escalation ladder beyond — and the playbook deserves to be written before the first frantic call.
Applies toCorporate-owned — fully managed and dedicated
BYOD reachThe work profile only — no device locate, no device wipe
LocateAn incident power in lost mode, not a standing one
Remote lock (+ message): the immediate move — screen locked, and the lock-message capability (the branding page's recovered-hardware play) carrying "Property of <Org> — call helpdesk" to whoever finds it. Reversible, costless, fire it early.
Lost mode (corporate-owned, where supported by mode and OS): the formal state — device locked into a lost posture with your message/callback, and location retrieval permitted in this state on devices where it's otherwise restricted; the privacy architecture is the point: locating is an incident power, not a standing one. Exit is admin-driven when the device resurfaces.
Passcode reset where the mode supports it — the recovery path when the device is found but the user's credential isn't.
Wipe/retire: the mode-appropriate end state — factory reset for corporate-owned with FRP standing guard against the thief's fresh start, profile removal for BYOD. Bulk actions carry the Monday-morning batch version.
Rung 1Remote lock + messageReversible and costless — fire it early
Rung 2Lost modeLocked posture; locate becomes permitted in this state
Rung 3Passcode resetDevice found, credential lost
Rung 4Wipe or retireFRP stands guard against the fresh start
BYOD reality check: the work profile's wall means no device locate, no device wipe — your reach is the profile. Say so in the BYOD policy before someone's personal phone goes missing, not after.
The Playbook Mechanics
Write the one-pager before you need it, in four sections:
Authority per rung: who may invoke each action — locate especially, which should be RBAC-scoped, logged, and justified per use; an incident power that quietly becomes a standing habit is a privacy finding waiting to be written.
User-comms templates: the "we've locked your device, here's what happens next" messages, drafted calmly in advance rather than improvised mid-incident.
The deterrence facts: FRP plus zero-touch re-enrollment make a stolen corporate Android nearly worthless to fence — write that down where the security team and the insurer can both cite it.
The evidence trail: for the devices that were taken rather than lost — action history, timestamps, and any lawfully captured location data — assembled the same day, while the record is fresh.
Insights
The deterrence story compounds: lock-message + FRP + supply-chain re-enrollment + Play Integrity catching tampered returns means a corporate Android resists theft at four layers — worth one slide in security review, because the layers were configured on four different pages and nobody's seen them as one system.
When system update policy isn't enough — pinning, staging, and scheduling firmware through the OEM services.
System update policy shapes when Google-delivered updates land; it can't pin a fleet to a specific firmware build or stage OS versions through validation gates. That capability lives in the OEM FOTA services — Samsung Knox E-FOTA, Zebra LifeGuard, and the rugged-vendor equivalents — and this page is when they're worth the license.
Driven fromThe OEM's console — pinning, rings and schedules live there, not in Intune
Hard ruleOne update authority per fleet
What FOTA Services Add
Version pinning: the fleet holds build X until you promote — the capability postponed app updates provide for apps, extended to the OS itself
Staged campaigns: target build Y to the ring-1 group, validate, promote by group — real rings for firmware, with scheduling windows that respect shift calendars
Forced currency: the inverse muscle — push the fleet up to a minimum build on your date, closing the stragglers system-update policy can only nag
The Integration Shape
Deploy the FOTA agent and its configuration via OEMConfig and managed config — the agent on the device is what actually executes the campaign.
License and drive campaigns in the OEM's console — build pinning, ring definitions, and schedules live there, not in Intune.
Set your Intune-side update policy to not fight it. One authority owns the update calendar per fleet — two systems steering firmware at once produces deferral conflicts and devices that update on neither schedule.
Who Actually Needs This
The short list: validation-gated fleets — a workflow app vendor certifying against specific builds, regulated environments where OS changes are change-controlled, dedicated devices where a surprise firmware UI shift breaks a kiosk flow. Knowledge-worker fleets on AER hardware generally don't: standard update policy's deferral windows cover their risk, and the FOTA license buys ceremony they won't use.
OS changes are validation-gated or change-controlledOEM FOTA servicePin, stage by ring, schedule around shifts — with a promotion calendar, never indefinitely.
it's a knowledge-worker fleet on AER hardwareStandard update policyDeferral windows cover the risk; the FOTA license buys ceremony you won't use.
The Discipline That Comes With the Power
Pinning is a security loan: every month on build X is a month of unpatched CVEs accruing interest. The operating covenant — pin with a promotion calendar, never indefinitely; track the patch-age buckets against the pin, and let the compliance patch floor define the never-cross line that no validation backlog excuses.
Insights
The procurement tie-in completes the loop: FOTA capability is OEM- and license-bound, so the lifecycle ledger gains a column — firmware-control coverage — and a mixed fleet where only half the hardware can be staged is a half-implemented change-control story; know which half before the auditor asks.
Single-app and multi-app kiosks on dedicated Android — built on the Managed Home Screen launcher.
An Android kiosk is a dedicated enrollment plus a locked launcher. Microsoft's Managed Home Screen (MHS) app is that launcher: a replace-the-home-screen shell showing only what you allow, with branding, PINs, and session behavior all under policy control.
The kiosk profile lives at Devices > Android > Configuration > Device restrictions (corporate-owned template) > Dedicated devices / Kiosk, and the first decision is the mode:
Single-app: one designated app owns the screen — Android pins it (lock task mode); the user can't leave. Signage, check‑in stations, single-purpose scanners.
Multi-app: the device locks to Managed Home Screen, which presents a curated grid of your chosen apps. Frontline and shared-purpose devices live here.
Prerequisites
A dedicated enrollment profile and token — kiosk mode is a corporate-owned, dedicated-device story.
MHS and every kiosk app approved in Managed Google Play, ready to assign as Required.
A device group that captures dedicated enrollments, so apps and policy target the same population from the first boot.
Step-by-Step: Standing Up a Multi-App Kiosk
Assign the apps first. MHS and every payload app go to the dedicated group as RequiredMGP apps. Ordering matters at imaging time: enroll → apps land (MHS + payload apps) → kiosk policy applies. Locking the launcher before apps exist strands the device in an empty shell — stage assignments so the dedicated enrollment group gets apps and policy together.
Create the kiosk profile. In the corporate-owned device-restrictions template, choose multi-app kiosk and select MHS plus every app that should appear in the launcher grid.
Configure MHS through its app configuration policy. The kiosk profile only locks the device to MHS; the experience — branding, PINs, sessions, screensaver — is all app config (next section).
Enroll a pilot device and watch the sequence land: enrollment completes, apps install, launcher locks. Only then widen assignment to the fleet group.
Step 1EnrollDedicated token; the device joins the kiosk device group
Step 2Apps landMHS + payload apps install as Required
Step 3Kiosk policy appliesThe launcher locks — never before the apps exist
Step 4Pilot, then widenWatch the sequence land before fleet assignment
Branding: wallpaper, icon size/grid, app ordering, folder structure — the launcher is the device's entire visual identity, so curate it deliberately
Session PIN / sign-in: require a PIN to use or to exit kiosk for maintenance; integrate sign-in for Shared Device Mode fleets
Screensaver with inactivity timeout (brand it; it's free signage)
Auto-launch an app on session start; exit-kiosk maintenance access for technicians (guard it with a strong PIN, rotate it like a credential)
Virtual home/back button behavior, status-bar exposure, Wi-Fi/Bluetooth user toggles — every one a deliberate decision on a public-facing device
Verification
On the pilot unit, confirm the lock holds: home, recents, and notification-shade escapes should go nowhere the profile didn't allow.
Walk the maintenance path end to end — exit PIN in, service action, return to kiosk — before the first field incident needs it.
Insights
Keep a documented maintenance path (exit PIN + what techs may touch) or field staff will factory-reset their way out of problems — and with zero-touch + FRP configured, that's recoverable, but it shouldn't be the workflow.
Entra Shared Device Mode — one tap signs a frontline worker into every app, one tap signs them out of everything.
Shared hardware with rotating humans is the frontline reality — and per-app sign-in/sign-out across a shift change is how shared devices fail. Microsoft Entra Shared Device Mode (SDM) fixes the identity layer: a worker signs in once at the device level, every SDM-aware app picks up the session, and sign-out is global and data-clearing. The handoff problem is solved at the account layer, so the hardware itself never needs re-provisioning between workers.
RequiresDedicated enrollment with the Entra Shared Mode token — set at enrollment
BrokerMicrosoft Authenticator, deployed as required
LauncherManaged Home Screen with sign-in enabled
App requirementSDM-aware apps — MSAL shared-device support in vendor asks
Prerequisites
Corporate-owned hardware destined for dedicated enrollment — the mode is set at enrollment time, so plan it before devices are provisioned.
Microsoft Authenticator ready to deploy as a required app; it brokers the device-level account state.
Managed Home Screen as the launcher, with its app configuration prepared to enable sign-in.
An honest app inventory: which of your frontline apps are SDM-aware — and for line-of-business apps, MSAL shared-device support written into the vendor requirements.
Step-by-Step: How It's Built
Create the enrollment profile. A corporate-owned dedicated devices profile with the Microsoft Entra Shared Mode token type. The mode is set at enrollment — existing dedicated devices need re-enrollment to convert.
Deploy the broker.Microsoft Authenticator deploys as required; it brokers the device-level account state.
Deploy the launcher.Managed Home Screen with sign-in enabled in its app config — MHS presents the badge-in screen, drives session start/end, and can auto-sign-out on inactivity.
Deploy the apps. SDM-aware apps deliver the experience — Teams and the frontline Microsoft suite lead the list; line-of-business apps participate by integrating MSAL's shared-device support (a one-line requirement to put in your vendor conversations).
Shift flow: badge in on MHS → Teams and friends are already signed in → work → sign out (or timeout) → every app's session and cached data clears → next worker badges in. No identity residue between humans.
Badge inOne sign-in on MHSEvery SDM-aware app picks up the session
WorkTheir Teams, their tasksFull per-user experience on shared hardware
Sign outGlobal and data-clearingOr the inactivity timeout fires
Next workerClean sessionZero identity residue between humans
SDM vs Plain Multi-App Kiosk
Multi-app kiosk
Shared Device Mode
Who is signed in
Nobody / a device account
The current worker, globally
Per-user experience
None
Full (their Teams, their tasks)
Sign-out hygiene
Per app, trusted to humans
Global, enforced
Fit
Signage, lookup stations
Shift-based frontline work
Verification
Pilot the session boundary hard: badge out, hand the device to a second tester, verify zero residual access in every deployed app — that test is the product. Apps that fail it aren't SDM-aware no matter what the brochure said.
Confirm the inactivity sign-out fires on the schedule the floor agreed to, and that the next badge-in lands in a completely clean session.
Insights
Conditional Access applies to the signing-in user as usual — frontline CA policies (compliant shared device + location) compose cleanly with SDM, and the compliance loop still evaluates the device underneath.
Inactivity sign-out timing is a floor-operations decision, not an IT default — set it with the people running the shift, then enforce it in MHS config.
The MHS configuration cookbook — sessions, PINs, screensavers, virtual buttons, and the settings that make kiosks humane.
The kiosk page establishes Managed Home Screen as the multi-app kiosk launcher; this page is the settings cookbook — MHS has a deep app configuration surface, and the difference between a tolerable kiosk and a great one lives in it.
The Configuration Surface That Matters
Layout and identity:
Grid layout, app ordering, folders — curate deliberately; a kiosk launcher with one screen of exactly-the-workflow beats a corporate app dump
Branding: logo, background, theme colors — the visual identity layer for dedicated fleets lives here
Session and sign-in:
Session PIN / sign-in behavior: the complexity dial for shared-pattern kiosks — auto sign-out on inactivity, session PIN for quick re-entry, the end-of-shift reset rhythm
Auto-launch: single-dominant-app fleets can auto-open the workflow app while keeping MHS underneath as the escape-hatch frame
Screen behavior:
Screensaver/media mode: idle-time branding or instructions — the lobby kiosk's attract loop is an MHS setting, not a separate signage product
Virtual home/back buttons where hardware buttons are blocked — without them, some workflows trap users in sub-screens
Admin exit: the PIN-protected path out of MHS for the tech servicing the device — set it, vault the PIN, and the bench visit stops requiring a wipe
Controlled access to specific settings (Wi-Fi picker for travel carts, volume) without opening Settings wholesale
Operating Notes
MHS config is JSON via app configuration policy — treat every change to it like a production release:
Version it in the repo like the production UI definition it is — each key change gets a commit and a reason.
Stage changes through a pilot device group and let them soak through a real shift; a bad MHS push redecorates every kiosk in the fleet simultaneously.
Promote to the fleet group only after the pilot survives contact with real users — and keep the previous config version archived as the rollback.
Do
Version every MHS config change in the repo with a reason
Soak changes through a real shift on a pilot group
Watch a real user at the device for ten minutes
Keep the previous config archived as the rollback
Don't
Push MHS config straight to the fleet — a bad push redecorates every kiosk at once
Let the launcher update mid-shift — postponed/validated track for dedicated fleets
Treat MHS config as console toggles rather than a production release
Insights
The highest-ROI hour in any kiosk program: stand at the device and watch a real user for ten minutes — the missing back button, the too-short timeout, and the un-findable Wi-Fi picker all reveal themselves immediately, and every one is an MHS key away from fixed.
MHS updates itself via Managed Google Play — put it on the postponed/validated track for dedicated fleets; the launcher updating mid-shift is the one app update users can't ignore.
One app, locked tight, running forever — the configuration and operations of Android's appliance mode.
Multi-app kiosks get Managed Home Screen; when the device's entire existence is one app — signage, a queue display, a single-workflow scanner — single-app kiosk mode is the cleaner instrument: the app is the device.
Hardware dialsBrightness and charge behavior via OEMConfig
Prerequisites
A dedicated-enrolled device — single-app pinning is part of the corporate-owned kiosk profile.
The target app deployed via MGP (or as a private app), assigned as required to the kiosk device group.
For hardware-level screen control (brightness schedules, charge behavior), the OEM's OEMConfig app on hardware that exposes those dials.
Step-by-Step: The Configuration
The kiosk profile pins the single app via Android's lock-task plumbing:
Designate the kiosk target. The deployed app is selected in the kiosk profile; it launches at boot and the OS confines the session to it.
Set the lock-task features deliberately. These are the granular dials — status bar visibility (system info yes/no), keyguard off for signage, home/recents suppressed, notifications hidden. Signage wants everything suppressed; interactive kiosks may keep the status bar for connectivity truth.
Tune screen and power for 24/7 duty. Screen always-on plus power behavior: stay-awake-while-powered for plugged signage, and brightness/schedule via OEMConfig where the hardware exposes it.
For web-content signage, pin a managed kiosk-browser app single-app, with its URL and refresh behavior set via app config — signage-as-a-URL without a CMS purchase.
Verification
Power-cycle the pilot unit and confirm the app relaunches and re-pins at boot with no human touch — boot-to-app is the whole contract.
Try to escape: home, recents, notification shade, status-bar pulls — every suppressed path should go nowhere.
Pull the network and watch the app's offline behavior; signage that dies into an error screen needs a cached fallback before rollout.
The 24/7 Operations Reality
Appliances fail silently — there is no user to notice, complain, or file the ticket, so the operations design has to do the noticing:
Check-in alerting: a dedicated device missing its sync rhythm is your only smoke signal — wire the stale-device query into an alert, not a monthly report
Update windows: OS and app updates in maintenance windows, because a signage screen showing a Play update dialog is the brand experience nobody designed
Remote recovery ladder: sync → restart action → reprovision — and because zero-touch makes reprovisioning unattended-ish, the ladder's last rung is "unplug it and plug it back in" performed by whoever's nearest, with enrollment doing the rest
Rung 1SyncThe check‑in rhythm is the only smoke signal
Rung 2Restart actionThe remote power-cycle
Rung 3ReprovisionPower-cycle by whoever's nearest — zero-touch enrollment does the rest
Insights
The single-app vs MHS decision is reversible but disruptive (it's a provisioning-profile matter) — when in doubt, MHS with auto-launch gives single-app behavior with multi-app headroom.
Burn-in is real on always-on displays: signage apps with static corporate chrome want pixel-shift/screensaver behavior — a hardware-lifecycle line item (AER again) masquerading as a software setting.
Shared scanners, shift sign-in, and the blueprint that combines Shared Device Mode, MHS, and APP into a working frontline fleet.
Frontline is where every Android capability composes or collapses: shared hardware, shift rhythms, gloves, drops, and users who measure IT by sign-in seconds. This page is the blueprint, assembling pieces documented elsewhere into the three patterns that cover most frontline reality.
Pattern 1 — Shared Workflow Device (the warehouse scanner)
Dedicated enrollment + Entra Shared Device Mode + MHS with the curated app set. Worker signs in once at shift start (Shared Device Mode's single sign-in/sign-out across participating apps is the whole UX win), works, signs out at handoff — next shift, next identity, zero residue. Hardware via zero-touch/KME so spares provision themselves; session timeouts tuned with the supervisors who actually run the shift, so the security posture matches how the floor works.
Pattern 2 — Personally-Assigned Frontline (the store associate's device)
Fully managed, one user, the hardening baseline, and the workflow apps required-installed. Simpler identity story, richer per-user accountability — choose it when devices genuinely live with one human.
Pattern 3 — BYOD Frontline (scheduling and comms only)
hardware is shared and workers rotate by shiftPattern 1 — Dedicated + SDM + MHSOne badge-in per shift, global sign-out, zero identity residue.
the device genuinely lives with one humanPattern 2 — Fully managed 1:1Hardening baseline plus required workflow apps; richer per-user accountability.
there's no corporate hardware — schedules and comms onlyPattern 3 — APP-only BYODProtected apps, no enrollment; the personal phone stays personal.
The Cross-Cutting Disciplines
Spare-pool math: frontline availability = (devices − broken − charging) ÷ shifts; the spare pool plus self-service provisioning is the SLA
Update windows aligned to shift calendars — the 2 p.m. reboot during peak picking is a self-inflicted incident
Accessory reality: cases, holsters, and charging cradles decided with the hardware (AER ruggedness) — fleet damage rates are a procurement variable wearing an ops costume
Ten-minute floor test before any rollout: gloves on, real lighting, real Wi-Fi dead spots — the MHS layout and Wi-Fi roaming behavior that survive the floor are the ones that ship
Insights
Pick the pattern per workflow, not per org — most frontline estates run all three simultaneously, and the mode-decision matrix plus this page's blueprints keep the fleets coherent rather than accidental.
Charging discipline, battery telemetry, and the hardware-health rhythms that keep frontline fleets on shift.
Frontline Android dies by battery before it dies by anything else — and battery is manageable: charging behavior by policy, health by telemetry, replacement by rhythm instead of by emergency.
Control layerOEMConfig — charge-limit thresholds, dock/USB behavior
Charge capNear 80-85% on dock-resident devices — the biggest longevity lever
ReplacementBy cohort at the curve's knee, not one emergency at a time
The Charging Discipline
The OEM layer carries the real controls (OEMConfig, per the Knox/rugged services map): charge-limit thresholds (capping charge near 80-85% on dock-resident devices — the single biggest battery-longevity lever for signage and cradled kiosks that would otherwise float at 100% for years), dock/USB behavior, and on rugged lines, battery cycle and health attributes exposed as readable state. The facility side is policy too: pooled-device programs live or die on charging-cradle discipline — slots per shift, the spare-pool math, and the end-of-shift cradle habit enforced by supervisors, not scripts.
The Telemetry Loop
What you can watch, watch: device battery health/cycle attributes where the OEM exposes them (Graph-collected into the inventory rhythm), and the behavioral proxy everywhere else — devices that die mid-shift show up as check‑in gaps and shortened active windows. Chart per-model battery-health distribution by fleet age and the replacement curve writes itself: batteries (or devices, on sealed hardware) replaced by cohort at the curve's knee, not one emergency at a time.
The Configuration Adjacencies
Battery burn is partly your policy diet: always-on VPN keep-alives, aggressive sync, bright kiosk screens without idle behavior — the same audit that tunes performance tunes endurance. And exempt the management stack from battery optimization where the platform allows, or the OS's power saver becomes your sync-health mystery.
Insights
Sealed-battery hardware turns battery policy into procurement policy: the AER spec-sheet review should price replaceable-battery rugged units against the fleet's real cradle reality — a warehouse that can't enforce cradle discipline needs swappable batteries more than it needs another policy.
The recurring enrollment failures by mode — and the five-minute fixes for each.
Android enrollment failures cluster tightly by management mode. Identify the mode, then work the matching list — the fix is almost always in the first two entries.
Step 1Identify the modeFailures cluster tightly by management mode
Step 2Work the matching listThe fix is almost always in the first two entries
Step 3Capture evidence, then escalateExact error + mode + logs; a lab-device test splits device from profile
Corporate-Owned (QR / token / zero-touch)
"Device not factory-fresh." All corporate modes provision only during setup. Any prior setup progress — even a skipped Google sign-in — taints it. Factory reset, start clean. This is half of all corporate enrollment tickets.
Expired or wrong token. Enrollment tokens have validity windows; QR codes circulate longer than they should. Regenerate from the enrollment profile and reissue — and check the QR maps to the intended profile (a dedicated token on a 1:1 phone enrolls fine and behaves "wrong" forever).
Date/time skew. A device that sat in a warehouse boots with a stale clock → TLS to enrollment endpoints fails with opaque errors. Set time, retry.
No GMS / uncertified hardware. Gray-import or uncertified devices can't reach Android Enterprise provisioning. Verify certification; see the GMS dependency.
Zero-touch device skipped enrollment. It isn't registered (reseller miss), or no default configuration is set in the zero-touch portal, or it was registered after first boot — re-check registration, set the default config, factory reset.
Network can't reach Google/Microsoft provisioning endpoints — provisioning Wi-Fi behind aggressive filtering breaks setup; stage on a clean VLAN.
Work Profile (BYOD)
"Couldn't create work profile." Leading causes: a leftover device-admin or old MDM remnant (Settings > check for stale device admin apps / work profiles — remove, retry), critically low storage, or an OEM skin quirk (reboot, retry — genuinely).
Blocked by enrollment restrictions. Personally-owned Android blocked or the user's group excluded under Devices > Enrollment restrictions — the error users report is generic; the cause is policy.
"Device already enrolled." A stale Intune record from a previous life — delete the old object, retry.
Company Portal sign-in loops — usually Conditional Access requiring compliance from a device that can't become compliant until enrolled; confirm your CA exclusions for the enrollment flow.
When the List Fails
Capture evidence before escalating: exact on-screen error + the mode + Company Portal logs, and test the same token/flow on a known-good lab device to split "this device" from "this profile."
Where the evidence lives — Company Portal logs, bug reports, MHS diagnostics, and adb.
Android troubleshooting rewards knowing exactly where each log lives — because there are several, and the right one resolves the ticket while the wrong one wastes an afternoon.
First reachCompany Portal / Intune app > Help > send logs — returns an incident ID
Portal sideThe device's Troubleshooting + support pane
Kiosk fleetsMHS built-in diagnostics — enable before the first incident
Deep cutsBug report, adb logcat, OEM tools
First Reach: Company Portal / Intune App Logs
On the device: Company Portal (or the Intune app on fully managed) > menu > Help > send logs — uploads diagnostics to Microsoft and returns an incident ID to attach to support cases. For self-service triage, the same menu surfaces sync status and applied-policy state. This covers most enrollment and policy-delivery questions.
Portal-side, the device's Troubleshooting + support pane (per-user) shows enrollment status, policy and app assignment results — correlate device-side logs with what Intune thinks it delivered.
Managed Home Screen Diagnostics
MHS ships a built-in diagnostics surface (enabled via its app configuration) for kiosk fleets — applied configuration, sign-in state, and logs without exiting kiosk. Turn it on for your dedicated fleet before the first incident; retrieving logs from a locked kiosk without it means a maintenance-PIN visit.
Deep Cuts: Bug Reports and adb
Full bug report: Settings > Developer options > Take bug report (or adb bugreport) — the everything-dump OEM and Microsoft support ask for on gnarly device-behavior cases. On corporate fleets where developer options are rightly blocked, remote-collect via Intune's collect diagnostics device action instead.
adb logcat on a lab device streams live system logs — filter by tag/package to watch an enrollment or app-config delivery in real time. Transformative for "what exactly happens when…" questions, because it shows the platform's side of the conversation rather than the console's.
OEM tools (Samsung dumpstate et al.) add manufacturer detail when an OEM escalation demands it.
Insights
Log with a question: "did the device receive policy X" (Company Portal applied-state + portal Troubleshooting pane) is a different hunt from "why does app Y crash" (logcat/bug report). Naming the question first picks the log and halves the time.
For app config disputes, most Microsoft apps expose an in-app diagnostic view listing the managed configuration they actually received — check the receipt before debugging the sender.
Profiles that won't create, profiles that vanish, and forgotten work-profile passcodes — the BYOD failure catalog.
Personally-owned work profile enrollment is the highest-volume Android flow in most orgs, so its failures get their own page. Almost every ticket is one of three things: the profile won't create, a working profile disappeared, or the user forgot the work-profile passcode. Identify which, then work the matching section.
Device-side first moveCompany Portal > Settings > Sync, then check the work-profile pause toggle
Passcode recoveryReset passcode device action (resets the work-profile challenge, not the device lock)
1. The profile won't create
Enrollment runs, the user signs in, then it fails at the "creating work profile" step. Work these in order, cheapest first:
A leftover work profile from a previous employer. Android allows exactly one work profile per device, so an old one the user forgot about blocks the new one. Have them remove it: Settings > Accounts (or Settings > Passwords & accounts, varies by OEM) > Work profile > Remove work profile, then retry enrollment. This is the single most common cause.
A leftover device-admin or old-MDM agent. A device that was previously managed via the deprecated device-admin API can refuse profile creation. Check Settings > Security > Device admin apps, deactivate and uninstall the old agent, then retry.
Storage or battery starvation. Profile creation needs free space and a charged battery; a 98%-full budget phone fails with a vague error. Free space and charge above ~20% before retrying.
The device can't host a profile. An OS version below your enrollment-restriction floor, or an uncertified/gray-market build with broken Android Enterprise support. Rare on AER-certified hardware; common on imports.
An enrollment restriction or licensing block. Personally-owned Android blocked, or the user's group excluded, under Devices > Enrollment > Enrollment restrictions. The user sees a generic "couldn't enroll" message; the cause is policy. Also confirm the user has an Intune license assigned. The enrollment-errors page identity checklist applies.
2. A working profile vanished
Apps that were badged go grey, work mail goes silent, or the work profile is simply gone. Before assuming a defect, check the device's Recent activity in the console (Devices > the device) — most "it disappeared" cases are an action that fired:
The user removed it. Android lets the user delete the work profile by design — that is the consent-based BYOD contract. Conditional Access catches the now-noncompliant device at the next access attempt, which is your detection signal. Re-enroll and coach.
A retire or wipe fired. An admin bulk action, a compliance-triggered retire, or the user's own "Remove device" in Company Portal. The action history names which.
An OS-update casualty. Rare and OEM-specific. If one model sheds work profiles after a specific OS build, that's an OEM support case — attach your ring-1 update evidence.
3. Forgotten work-profile passcode
The user set a separate work-profile challenge (the prompt that gates badged apps) and forgot it. You do not need to reset the device lock or re-create the profile. Use the Reset passcode device action:
In the console, open Devices > the device and select Reset passcode (labeled Remove passcode on some device types). On a work-profile device this clears the work-profile challenge specifically.
The device receives the action on its next check-in — push Sync from the device's Company Portal if it's slow.
The user sets a new work-profile passcode the next time a badged app prompts for it.
This action is gated by the password policy you've assigned, so confirm a reset is permitted for the profile before promising it to the user.
Insights
Half of "my work apps died" tickets are the pause feature working as intended. Android lets users pause the work profile (badged apps grey out, work mail stops) — a paused profile looks identical to a broken one. First move on any profile weirdness: Company Portal > Settings > Sync, then check the pause toggle and have the user un-pause before you debug anything.
Per-device truth lives in the Company Portal logs and the device's Recent activity; fleet-level removal patterns live in enrollment reporting. A removal spike right after a comms change or an OS rollout is a signal worth chasing, not coincidence.
Pending-forever installs, licensing ghosts, and the triage ladder from assignment to APK on disk.
App install triage on Android is a ladder from assignment to APK on disk. An app "not installing" is one of five things — check them in order, because each rung is cheaper to test than the one after it.
Rung 1Assigned here at all?Groups and filters first, always
Rung 2Reached Managed Google Play?Approved and synced publisher-side
Rung 3Can this device take it?API level, architecture, country availability
Rung 4Is the pipe clogged?Storage, doze, Wi-Fi-only constraints
Rung 5Actually failing?logcat names the package-manager error
The Ladder
Was it ever assigned here?Filters and groups first, always — the device not in scope explains the install that never started. The device's managed apps view shows what Intune believes it owes this device.
Did the assignment reach Managed Google Play?MGP apps flow Intune → Google → device; the app must be approved/synced in the MGP connection (setup page) — an app revoked or unapproved publisher-side strands assignments in pending.
Can this device take it? Compatibility gates fail quietly: minimum API level below the device's OS, architecture/feature requirements, or country availability on the Play listing. The Play listing's requirements vs the device's reality answers it.
Is the pipe clogged? Storage-full devices and doze-deep devices defer installs indefinitely; Wi-Fi-only update constraints hold large APKs hostage on cellular fleets. A sync + charge + Wi-Fi session clears the honest backlog.
Is it actually failing? True failures (signature conflicts with a sideloaded copy of the same package, corrupted previous installs) surface in the device-side logs — logcat during an install attempt names the package-manager error precisely.
Private-App Specials
Private apps add two rungs: versionCode discipline (a "new" build with an unchanged versionCode is invisible — the most common private-app "update isn't deploying" cause) and track targeting (the device's assignment track vs where the build was published).
Fleet-Level Reading
One device failing is a device problem; a cohort failing is a pattern — the App Install Status report groups failures by error and device family, and the cohort's common attribute (model, OS, mode, network site) is usually the answer wearing a uniform.
Insights
"Pending" is not "failed" — MGP installs queue politely behind device conditions, and the impatient re-assignment dance accomplishes nothing the next check‑in wouldn't. Diagnose conditions for pending; diagnose errors for failed.
Devices that stopped talking — doze, dead push, network filters, and the rhythm of Android check‑ins.
Half of "policy isn't applying" tickets are actually "device isn't checking in." Understanding Android's check‑in rhythm — and what breaks it — converts those tickets into two-minute closures.
The Rhythm
Managed Androids check in on a periodic schedule plus push-triggered syncs (an admin sync action or pending change nudges the device through Google's push plumbing). Healthy devices show lastSyncDateTime within the expected cadence; everything else on this page explains the unhealthy ones.
Intunesync action / pending change
→
Google push plumbingthe wake-up channel
→
Devicechecks in on schedule + on push
The Usual Suspects, in Order
Power state: Android's doze/battery optimization is the great deferrer — a device idle in a drawer batches its check‑ins aggressively. Not broken; asleep. Wake-and-charge resolves it, and dedicated fleets get exempted-from-optimization treatment for the management components where the OEM/OS surface allows.
Push path blocked: corporate networks filtering Google's push/notification endpoints sever the nudge channel — devices still poll, but "sync now" stops being now. The fix is a network conversation with the firewall team, with Google's published endpoint requirements as the engineering evidence — the connectivity anatomy maps every strand.
Company Portal / Intune app health: force-stopped, battery-restricted, or storage-starved management apps can't do their job — the device-side check is the app's battery/permissions state.
Identity expiry: long-offline devices return with stale tokens; a sign-in refresh through the Conditional Access re-evaluation restores the relationship.
It's actually retired: check the action history before resurrecting a ghost — a wiped/retired device not syncing is the system working.
Reading Fleet Health
lastSyncDateTime distribution is the fleet's pulse: the stale-device query buckets it, and the operational thresholds differ by fleet — a knowledge-worker phone quiet for 5 days is vacation; a signage unit quiet for 5 hours is an outage. Set per-fleet alert thresholds, not one global number.
Insights
Force the question precisely: portal-side Sync proves the server→push→device path; device-side Company Portal sync proves the device→service path. Which direction fails localizes the break in one move.
Seasonal patterns are real — summer drawers and January returns produce stale-device waves that look like incidents and are actually calendars. The cleanup rhythm absorbs them gracefully.
Why a device fails the Play Integrity compliance check, and how to tell a transient lag from uncertified hardware from a genuinely modified device.
A device that fails Play Integrity in a compliance policy is one of three things: a transient verdict that will clear itself, hardware that can never pass, or a genuinely modified device. The response differs completely, so identify which before you act. Play Integrity returns up to three verdicts — device integrity (MEETS_DEVICE_INTEGRITY), basic integrity (MEETS_BASIC_INTEGRITY), and strong integrity (MEETS_STRONG_INTEGRITY) — and Intune's compliance setting maps to one of these; knowing which one your policy requires tells you what a failure means.
Compliance settingDevices > Compliance > the Android policy > "Require the device to pass Play Integrity / SafetyNet"
Per-device stateDevices > the device > Compliance — which setting failed
Failure rate over timeReports > Device compliance, charted monthly
Never the fixAn integrity exception or per-incident lowering of the bar
1. Is it transient?
Fresh enrollments, devices returning from a long sleep, and devices mid-OS-update can lag a verdict cycle. Sync the device, wait one compliance evaluation pass, recheck. A verdict that clears on its own was never a finding, and this step closes a large share of tickets at zero cost. If the device isn't checking in at all, fix that first via sync and check-in issues — a device that can't talk to the service can't report an attestation either.
2. Could the device ever pass?
Pull the device's identity (model, OEM, source) from Devices > the device > Hardware. Uncertified hardware fails device integrity by design, not because it's compromised:
Gray-market imports without Google Mobile Services certification.
Non-GMS / AOSP devices accidentally enrolled into a GMS-managed fleet — these have no Play Integrity at all.
White-label or budget hardware never submitted to Google for certification.
The fix is procurement-side: the device leaves the GMS-managed fleet (replacement, or honest reclassification to AOSP mode where Intune supports it). Tightening the AER procurement discipline prevents the next one. Confirm against Google's Android Enterprise Recommended directory and Intune's supported-device list.
3. Is the device modified?
What's left is the case the check is meant to catch: unlocked bootloader, custom ROM, or a root framework (Magisk and similar). Corroborate before accusing anyone — on a bench, check the OS build string, the reported security-patch level against the model's norms, and the bootloader state; a real modification tells a consistent story across all three. Then handle by ownership:
Personal device in a BYOD program: a policy conversation, not an accusation. The device can't meet the access bar as configured; offer the app-protection-only tier or a corporate device.
Corporate-owned device returned modified: an HR / security incident, handled through that process — corporate hardware should not be rooted.
What not to do
Do not create an integrity exception. An allow-listed failing device is attested-untrustworthy hardware holding corporate access — exactly what the control exists to stop. Pressure to grant one tends to arrive with a senior title attached; the answer is still no.
Do not lower the bar per incident. If strong integrity fails across a swath of older hardware, that's a deliberate policy-calibration decision made in a review, with the model list in hand — not an ad-hoc Tuesday change.
Insights
Chart the integrity-failure rate monthly (Reports > Device compliance). A stable trickle is normal BYOD reality; a step change correlates with something concrete — an OS rollout, a procurement batch of a new model, or a verdict-system change Google shipped — and your ring-1 canary fleet usually felt it first.
When the OEM layer misbehaves — schema drift, apply-order races, and the silent-failure patterns unique to vendor schemas.
OEMConfig is powerful precisely because it's a vendor app applying vendor schema — which gives its failures a flavor standard policy doesn't have. The triage map:
The Failure Families
The OEMConfig app itself isn't healthy: it's a Managed Google Play app like any other — not installed, stale version, or install-pending means no schema applies, however perfect your config. First check, always: app present and current on the failing device.
Schema drift: the vendor shipped a new app version with a changed schema; your saved configuration references keys that moved or retired. Symptom: settings that "stopped applying" after an invisible app update — the reason the update-modes guidance puts OEMConfig apps on validated tracks, and why config reviews belong in the same change as app-version promotions.
Apply-order races: OEMConfig settings landing before their dependencies (a KSP policy referencing a certificate not yet issued, a scanner profile racing the workflow app's install) — classic sequencing discipline, vendor-schema edition: deploy the dependency first, then the OEMConfig payload that references it.
Silent per-key rejection: vendor schemas often apply what they can and skip what they can't (unsupported on this model/firmware tier, license-gated features without the license) — the config "applied" while the one key you cared about didn't.
Where the Truth Lives
Three layers, checked in order: Intune's app-config deployment status (did the JSON reach the app), the OEMConfig app's own debug/status surface (most vendors ship one — KSP's feedback reporting, rugged vendors' result screens; learn yours, it's the per-key truth), and the keyed-app-states channel where the vendor implements it — OEMConfig apps are exactly the class that should, and the better ones do. Bench-side, adb-level inspection closes what consoles can't.
Layer 1Intune deployment statusDid the JSON reach the app at all?
Layer 2The vendor app's debug surfacePer-key truth — feedback reporting, result screens
Layer 3Keyed app states + adbWhere implemented; the bench closes what consoles can't
Insights
Maintain a schema-version ledger per OEMConfig app: app version → schema snapshot → your config version, in the repo. When drift hits, the diff is a lookup; without the ledger it's archaeology against a vendor changelog that may not exist.
The endpoints Android management must reach, how a blocked path presents, and the allow-list to hand the firewall team.
Android management depends on three groups of services — Google push, Google Play / Managed Google Play, and Intune/Entra — plus the provisioning endpoints a device touches at first boot. A network that filters aggressively tends to break one group at a time, and each break has a distinct symptom. Match the symptom to the group, then hand the firewall team the matching endpoint list. The authoritative lists are Microsoft's Intune network endpoints and Google's Android Enterprise network requirements — review both on a calendar, because both move.
Apps pend, policy flowsGoogle Play / Managed Google Play path blocked
Nothing until device-side SyncGoogle push (FCM) path blocked
Check-in / compliance deadIntune or Entra endpoints blocked
Google push (FCM-class). The wake-up channel that tells a device to check in now. Blocked, devices still poll on their periodic schedule but stop responding to immediate nudges. Signature: sync from the console does nothing; sync from the device works. See sync and check-in issues.
Google Play services + Managed Google Play. The entire transport for app delivery. Blocked or mangled by a proxy, installs sit in pending forever while policy applies normally, and Play Integrity verdicts go stale or fail transiently at scale.
Intune / Entra endpoints. The management conversation itself — check-in, compliance reporting, and Company Portal / Authenticator authentication. Blocked, the device looks dead to the service entirely.
Provisioning-time dependencies. At first boot, before any of your config exists, a device contacts Google's provisioning services (play.google.com, android.com provisioning hosts) and Intune enrollment endpoints. The strictest network in the building is often the one new devices boot on, so keep an enrollment hedge: a lightly-filtered provisioning SSID or VLAN. The provisioning payload reference covers the first-boot sequence.
Diagnose by symptom, before touching a device
Localize by the symptom pair. Policy applies but apps don't → Play group. Nothing moves until a device-side manual sync → push group. Everything is dead → Intune/Entra group or identity. The pair names the firewall conversation before anyone picks up a device.
Suspect TLS inspection first. Google services use certificate pinning, so a decrypting proxy breaks them even when the hostnames are allowed. The fix is a documented bypass (no SSL inspection) for the Google and Microsoft endpoint ranges, handed to the proxy team as standing architecture — not a per-incident exception.
Confirm site shape. One location's fleet lagging together is a network finding. Prove it in five minutes: filter the device list or a lastSyncDateTime query by site and look for a cluster of stale devices in one place.
What to give the firewall team
Don't hand them per-host tickets. Hand them the two published endpoint documents above as a standing allow-list, with these specifics called out:
Allow Google's Play, FCM, and provisioning endpoints and exempt them from TLS/SSL inspection.
Allow the Intune service and Entra/login endpoints from the Microsoft list.
Keep a lightly-filtered enrollment SSID/VLAN for first-boot provisioning.
Schedule a recurring review of both lists, since Microsoft and Google add ranges over time.
Insights
Build a bench probe once: a script on a lab device that exercises each group from inside the corporate network — receive a push, run a test Managed Google Play install, force a check-in. Run it whenever networking insists "nothing changed"; the group that fails names the change they made.
Twenty-plus vetted open-source projects for the Android Enterprise admin — Google's own lab tools to app-vetting heavyweights.
The Android Enterprise admin's open-source shelf — Google's reference tooling, app vetting and reverse-engineering, the Intune app SDK and wrapper, plus the cross-platform tenant core.
Looking for everything across platforms? Browse the central Open-Source Toolbox — all 144 tools in one filterable, searchable place.
🧰 Intune core & tenant automation
Tenant-wide Graph automation, config-as-code, backup, and assignment analysis.
ugurkocde/IntuneAutomation — Curated library of ready-to-run Microsoft Graph PowerShell scripts (and Azure Automation runbooks) for Intune device operations, app management, compliance reporting, and monitoring.
MG-Cloudflow/Intune-Toolkit — WPF/PowerShell GUI to view and bulk-manage Intune policy and app assignments, audit what a security group has assigned, and back up/restore/document configurations.
Microsoft365DSC/Microsoft365DSC — PowerShell Desired State Configuration module that extracts, deploys, and continuously monitors full-fidelity Microsoft 365 (including Intune, Entra, and CA) tenant config as code, flagging and remediating drift.
Azure/enterprise-azure-policy-as-code — EPAC manages Azure Policy and policy assignments/exemptions as code in Git with CI/CD plan-and-deploy pipelines, giving admins desired-state governance and compliance enforcement at scale.
merill/graphxray — Browser DevTools extension that captures the Microsoft Graph calls behind clicks in the Entra/Intune portals and auto-generates equivalent PowerShell, C#, Java, or Go, so admins can script any portal action.
microsoft/EntraExporter — Microsoft PowerShell module that exports an entire Entra/Azure AD tenant configuration to versionable JSON files for Git-based backup, change tracking, and audit of identity and CA policies.
microsoftgraph/msgraph-bicep-types — Microsoft Graph Bicep extension that lets admins declare Entra/Graph resources (groups, apps, service principals) as Infrastructure-as-Code in Bicep templates alongside Azure resources.
microsoftgraph/msgraph-sdk-python — Microsoft's actively maintained Python SDK for Microsoft Graph, used to script tenant-wide Intune/Entra automation and reporting from Python instead of PowerShell.
DanielChronlund/DCToolbox — PowerShell module for Microsoft 365 security work, with cmdlets to export/import and bulk-deploy Conditional Access policies as JSON for managing CA as code across tenants.
fleetdm/fleet — MIT-licensed open-source cross-platform device management platform built on osquery and Apple's native MDM/DDM, letting admins manage profiles, OS updates, software, and CIS-benchmark compliance from one GitOps/API workflow alongside (or instead of) Intune.
🛠️ MDM internals & provisioning
MDM servers, enrollment, Autopilot/ADE, imaging, and profile authoring.
googlesamples/android-testdpc — Test DPC, Google's reference device policy controller: every Android Enterprise policy as a toggle on a lab device. The single best way to learn what the platform can do before Intune's UI mediates it
android/enterprise-samples — Google's official collection of Android Studio sample projects (Kotlin/Java) demonstrating Android Enterprise features like managed configurations and device-policy APIs, a reference for admins testing app behavior under management.
googlesamples/amapi — Google's reference Kotlin sample app showing how to integrate the AMAPI SDK so an EMM extension app can send Android Device Policy management requests on-device, useful for admins validating Android Management API extensibility.
📦 App packaging & delivery
Build, package, wrap, and ship apps — Win32, PKG, VPP, winget, and CI pipelines.
ennnbeee/IntuneAppAssigner — Interactive PowerShell tool for bulk-assigning or replacing app assignments (including Apple VPP/license assignment) across Android, iOS, macOS, and Windows apps in Intune.
🛡️ Security, hardening & identity
Baselines, hardening, app vetting, Conditional Access, and identity posture.
iBotPeaches/Apktool — decode APK resources and manifests; the permissions-and-components first look
skylot/jadx — APK-to-readable-source decompiler for the deeper look
androguard/androguard — scriptable APK static analysis in Python; the automation layer when vetting at fleet scale
OWASP/mastg — the Mobile App Security Testing Guide; the standard your vetting process should cite
maester365/maester — PowerShell test-automation framework that runs hundreds of curated security checks (EIDSCA, CISA SCuBA, CIS) against a tenant's identity, device, and app config and alerts on drift via GitHub Actions or Azure DevOps.
cisagov/ScubaGear — CISA's PowerShell tool that assesses a Microsoft 365 tenant against the SCuBA secure-configuration baselines (incl. Entra/CA) using Open Policy Agent and outputs HTML/JSON/CSV compliance reports.
Cloud-Architekt/EntraOps — PowerShell/DevOps project that classifies and monitors privileged access across Entra RBAC systems using Microsoft's Enterprise Access Model, helping admins identify and protect over-privileged identities.
dafthack/MFASweep — PowerShell script that logs a test account into many Microsoft endpoints (Graph, ARM, EWS, web, ActiveSync, ADFS) to reveal protocols and Conditional Access gaps where MFA is not actually enforced.
CompassSecurity/EntraFalcon — Lightweight PowerShell tool that enumerates Entra ID privileged objects, risky role/app assignments and misconfigurations into interactive HTML reports, letting admins audit identity attack surface with no extra modules or Graph consent.
silverhack/monkey365 — Self-contained PowerShell security-assessment framework with 200+ checks for M365, Azure and Entra ID, scoring tenant configuration against CIS and best-practice benchmarks in a single HTML report for admins.
kayasax/EasyPIM — PowerShell module that manages Entra PIM role, group and Azure-resource settings and assignments as code, with drift detection, WhatIf and audit reporting so admins can govern privileged access without raw ARM/Graph calls.
🔬 Diagnostics & device control
Logs, device queries, remote control, and lab / emulation.
Genymobile/scrcpy — flawless screen mirror/control over ADB; the remote-support and documentation workhorse for frontline device walkthroughs
PeterCxy/Shelter — an open-source work-profile manager; instructive for understanding the profile model from the inside (lab insight, not a fleet tool)
📊 Reporting & monitoring
Dashboards, KQL packs, Power BI, and inventory reporting.
SMSAgentSoftware/IntuneAssignmentsReport — Azure Automation + Power BI reporting solution that pulls all Intune assignments (25+ item types) from Graph into a dashboard so admins can audit what is assigned where.
merill/idPowerToys — Generates a PowerPoint document of a tenant's Conditional Access policies so admins can review, share, and audit CA design without granting portal access.
AzureAD/AzureADAssessment — Microsoft's PowerShell tooling that collects Entra/Azure AD tenant configuration and hybrid component data and produces Power BI assessment reports on identity, app, and Conditional Access posture.
petripaavola/IntuneDeviceDetailsGUI — PowerShell tool that produces searchable HTML 'Resultant Set of Policy' reports for a device, surfacing assigned apps, policy conflicts, Win32 detection scripts, BitLocker keys, and LAPS for fast troubleshooting.
ugurkocde/IntuneMonitoring — Deploy-in-seconds Azure Workbook that gives a single-pane-of-glass view of device health, enrollment, compliance and app deployment across the tenant without an app registration.
ugurkocde/KQL_Intune — Curated library of KQL queries and Azure Workbooks (Audit, Compliance, Device, Operational) for analyzing Intune diagnostic data piped into a Log Analytics workspace.
haavarstein/intune-dashboard — Client-side browser dashboard that inspects a live tenant via Graph (managed devices, app deployments, BitLocker, compliance, Win11 readiness) or visualizes CSV exports with no backend.
JayRHa/PowerBiDashboards — Ready-made Power BI (.pbix) dashboard templates for Microsoft Intune endpoint analytics and device-management reporting.
PowerStacks-BI/BI-for-Intune — Open-source Power BI template collection (Intune KPI, Support Desk, Windows 11 Migration Tracker, Windows Update for Business) for building Intune executive and operational reports.
microsoft/intune-tenant-doc — Microsoft-published PowerShell script that connects to any tenant via read-only Graph and exports a full Intune configuration inventory as per-platform and combined Markdown documentation.
Insights
Adoption rule for anything on this shelf: read the source of what you run before you run it, pin versions, and treat community tooling with tenant write-access like the privileged code it is — repo-versioned, reviewed, least-privilege app registrations.
Windows · Fundamentals
Windows Management Overview
How Intune manages Windows — the MDM stack, join types, and where ConfigMgr and Group Policy fit (or don't).
Windows is where Intune started competing with twenty years of incumbent tooling, so the first job is a clean mental model of what manages what — because in most orgs, three management planes coexist during the cloud transition.
The Stack
Intune speaks to Windows through the MDM stack: policies map to CSPs (Configuration Service Providers) — the OS-native policy surface that the Settings Catalog exposes. Apps and scripts ride a second channel, the Intune Management Extension (IME) — a lightweight agent that handles Win32 apps, PowerShell scripts, and Remediations. MDM for policy, IME for payloads: two channels, both yours.
Intunepolicy authority
→
CSPsOS-native policy surface
→
Windowssettings enforced
Intuneapp & script source
→
IMEon-device agent
→
WindowsWin32 apps, scripts, Remediations
Identity Decides Everything
Every management behavior on Windows hangs off the join type — the identity relationship between the device and your tenant. Decide it first; enrollment, authentication, and policy scope all inherit the decision:
Join type
Identity
Use
Entra joined
Cloud-native
The target state for corporate Windows — Autopilot builds these
Hybrid joined
AD + Entra
Transitional; carries on-prem dependency forever — see the strategy page
Group Policy: still authoritative on hybrid devices for whatever it already manages — but every new policy should be born in Intune. The Settings Catalog covers the vast majority of GPO territory (ADMX-backed settings); Group Policy analytics in Intune scores your existing GPOs for migratability.
Configuration Manager: coexists via co-management — workloads (compliance, updates, apps…) slide from ConfigMgr to Intune one at a time. The realistic enterprise path is co-management with workloads migrating cloud-ward, ending (someday) with ConfigMgr retired.
The cloud-native endpoint — Entra joined + Autopilot + Intune-only — is the design target for new fleets and the migration destination for old ones.
Operational Realities
Device onboarding authority lives in Autopilot registration — devices become known to your tenant through OEM registration at purchase or hardware-hash import, and that registration list deserves the same auditing rigor as any identity store.
Windows policy has latency personality: MDM sync cadence plus IME check‑ins mean "applied" can take a sync cycle or three — the troubleshooting page covers reading the actual state.
The update model is its own discipline — deferrals and deadlines per ring, and the deadlines genuinely enforce: polite installs during deferral, scheduled restarts at deadline, forced restarts once the grace period expires.
Autopilot, bulk provisioning, GPO auto-enrollment, co-management — the Windows decision tree.
The governing rule: the enrollment path sets the ceiling — capabilities you skip at enrollment are capabilities you re-enroll to regain. Pick per fleet, in writing, before hardware ships.
you're buying new corporate hardware for a cloud-native fleetAutopilot user-drivenEntra join, sealed-box self-deploy — the default answer.
IT preps devices first, or no user existsPre-provisioning / self-deployingTech phase plus reseal, or kiosk and signage builds.
an AD-joined fleet with ConfigMgr is already in placeCo-management + GPO auto-enrollmentSlide workloads cloud-ward; no user touch, no reimage.
you're covering labs, shared carts, and odd cornersProvisioning packageQuick and limited — fine for what it is.
the hardware is personal (BYOD)Entra registration + App ProtectionMAM and Conditional Access cover the data without claiming the laptop.
The Decision Tree
New corporate device, cloud-native target? → Autopilot user-driven (Entra join). The default answer for modern corporate Windows — ship sealed boxes, users self-deploy.
Same, but IT preps devices or no user exists? → Autopilot pre-provisioning (tech phase + reseal) or self-deploying mode for kiosks/signage.
Existing AD-joined fleet, ConfigMgr in place? → Co-management: enable cloud attach, slide workloads to Intune; GPO auto-enrollment brings hybrid-joined devices into Intune without touching users (bulk page).
Labs, shared carts, odd corners? → Provisioning package (bulk enrollment via Windows Configuration Designer) — quick, limited, fine for what it is.
BYOD? → Don't device-enroll it. Entra-register + App Protection (MAM for Windows) + Conditional Access covers the data without claiming the laptop.
Autopilot + Entra join is the default; treat every exception as debt with a retirement date.
Don't reimage your way into Intune — the existing fleet's path is co-management + GPO auto-enrollment today and attrition-replacement with Autopilot devices over the hardware cycle. Migration patterns apply.
Get OEM Autopilot registration into the procurement contract — devices should land in your tenant already registered, with your Group Tag convention applied at the source. Hash-harvesting deployed machines is the fallback, not the plan.
The identity decision under your Windows estate — and why hybrid is a bridge, not a destination.
This is the Architecture Corner-grade decision of the Windows world: it shapes enrollment, authentication, app access, and how long you keep domain controllers in the blast radius.
What Each Actually Means
Entra joined: the device's identity lives in Entra ID, full stop. Sign-in with Entra credentials (+ Windows Hello), policy from Intune, no line of sight to a DC ever required. Cloud-native.
Hybrid joined: computer object in AD and registered in Entra. Sign-in against AD; GPO still applies; the device needs DC connectivity rhythms. It exists to keep legacy estates coherent during transition.
The On-Prem Resource Myth
The reason orgs cling to hybrid — "we need AD for file shares and printers" — is mostly obsolete: Entra-joined devices access on-prem AD resources fine. The user's Entra sign-in obtains Kerberos tickets for on-prem services via cloud Kerberos trust (Hello for Business formalizes it). SMB shares, print servers, and most AD-integrated apps just work. The genuine hybrid-forcing dependencies are narrower: machine-account-authenticated services, some legacy NPS/802.1X designs, and apps doing computer-object lookups — enumerate yours honestly before declaring hybrid necessary.
Entra sign-incloud credentials on an Entra-joined device
→
Kerberos ticketsissued for on-prem services
→
AD resourcesfile shares, print servers, AD-integrated apps
Keep hybrid on those devices; auto-enroll them to Intune; replace with Entra-joined at refresh
Autopilot hybrid join
Exists; avoid for new design — it reintroduces DC dependencies into a cloud workflow and Microsoft's own guidance has moved decisively toward Entra join
BYOD
Entra registered only — registration isn't a join, and that's the point
Insights
Run dsregcmd /status on any contested device — the AzureAdJoined / DomainJoined pair tells you exactly what you have, ending many meetings.
Mixed estates should make join type visible everywhere: dynamic groups and filters on join/ownership properties keep hybrid-only policy (GPO-overlap guards) off cloud-native machines, and the Windows inventory report reports the split as a migration KPI.
The hybrid endgame is measured in hardware cycles, not projects: every refresh quarter shifts the ratio if procurement defaults are set correctly. Set them once and the estate migrates itself.
The reference architecture — every Windows page on this site, composed into one coherent design.
Individual pages teach components; this page is the composite — the cloud-native Windows endpoint as one design, the way you'd draw it for an architecture review.
Every layer is declarative and recoverable: the device's entire state derives from tenant configuration, so the device itself is disposable — lost, stolen, or broken hardware is replaced by any Autopilot-registered unit and the user is whole within the hour. "Reset it" becomes a legitimate tier-1 fix because nothing of value lives only on the endpoint. That property — not any individual feature — is what "cloud-native" buys.
Tenant configurationthe single source of truth
→
Device statederived, disposable, rebuildable
→
Conditional Accessholds the keys
The Honest Deltas From Most Real Estates
Real orgs run this blueprint minus two or three layers — usually hybrid join lingering, local admins surviving, or update deadlines unset. The blueprint's value is making the deltas visible: each gap is a named project with a named page, and the inventory report's KPIs measure the closure.
Insights
Present this composite as one slide in design reviews — component-by-component approval invites component-by-component exceptions; the architecture defended as a whole survives contact with stakeholders far better.
EPM, Enterprise App Management, Advanced Analytics, Remote Help, and Cloud PKI — the paid tier, honestly assessed.
The Intune Suite is the add-on tier above the Plan 1 license most orgs run — a bundle (also sold à la carte) of capabilities that each replace a category of third-party spend or manual toil. The honest evaluation, capability by capability:
The Lineup
Endpoint Privilege Management — rule-based elevation for standard users; the missing piece of the no-local-admins trio. Replaces: third-party privilege managers and the "just make them admin" surrender.
Advanced Analytics — deeper device-health telemetry: anomaly detection, battery/boot/app-reliability scoring, resource analytics beyond the included Endpoint Analytics floor. Replaces: digital-experience-monitoring point products, partially.
Remote Help — identity-integrated, RBAC-governed remote assistance with compliance warnings and session audit. Replaces: the consumer remote tool your helpdesk uses that security pretends not to know about.
Cloud PKI — Microsoft-hosted CAs issuing via SCEP, retiring the Certificate Connector + AD CS plumbing for orgs without other PKI needs.
(Microsoft Tunnel for MAM and adjacent capabilities round the bundle out per current packaging — verify the lineup at evaluation time; it has grown release over release.)
The Evaluation Frame
Score each against current spend + current toil, not against features-in-the-abstract: EPM against your privilege-manager renewal and your admin-rights exception count; EAM against packaging hours/month; Remote Help against the incumbent tool's license and its audit gaps. The suite wins where two or more lines replace real line items — and individual add-ons exist precisely for the orgs where only one does.
Do
Score each add-on against current spend plus current toil
Trial with production-shaped pilots — your elevation reality, your app list
Buy à la carte where only one capability replaces a real line item
Don't
Evaluate features in the abstract
Predict the renewal from anything less than a production-shaped pilot
Insights
Suite capabilities are first-class Intune surfaces — same RBAC and scope tags, same reporting, same Graph — which is the operational argument over point products even at feature parity: one console, one permission model, one audit trail.
Trial with production-shaped pilots: EPM rules against your messy elevation reality and EAM against your actual app list are the only evaluations that predict the renewal decision.
The workload dials, the real endgame, and the staged exit from Configuration Manager.
Most Windows estates don't arrive at Intune empty-handed — they arrive co-managed: ConfigMgr and Intune sharing the same devices, with per-capability workload sliders deciding which authority owns what. Co-management is a fine bridge and a terrible destination; this page is the map across.
The Model
A co-managed device runs the ConfigMgr client and enrolls in Intune; the workload dials (compliance, device configuration, Windows Update, endpoint protection, client apps, Office, resource access) move each capability ConfigMgr → pilot collection → Intune, independently. The pilot stage is the gift: move compliance to Intune for one collection, validate, expand — ringed migration built into the product.
ConfigMgrWorkload authority on-premThe dial's starting position for each capability
Pilot collectionOne workload, one bounded groupValidate on real devices before anyone notices
IntuneCloud authority, fleet-wideEach dial moved is infrastructure made redundant
Each dial moved is ConfigMgr infrastructure made redundant; the endgame is Intune-native enrollment for new devices (Autopilot, no client) while the co-managed estate drains by hardware refresh cycle.
What ConfigMgr Still Owns
Some things ConfigMgr still does that cloud-native doesn't replicate one-for-one — complex task-sequence imaging (largely obsoleted by Autopilot + reset, with OSDCloud covering bare-metal), and certain on-prem-only scenarios. Name your residuals explicitly; an exception list with owners beats a server farm kept alive by vagueness.
Insights
The KPI is infrastructure, not devices: site servers, distribution points, and SQL instances decommissioned per quarter — co-management "success" with the full ConfigMgr estate still humming is a bridge you're paying double tolls on.
Education mirrors the ladder for its sector; LTSC is the deliberate exception lane (kiosk-class hardware), not a fleet philosophy
Subscription Activation (the Modern Mechanism)
The cloud-native estate doesn't image Enterprise — it steps up: a Pro device whose signed-in user carries a Windows E3/E5 license activates Enterprise automatically through Entra. The consequences worth internalizing: edition follows the user license, OEM Pro hardware is the correct purchase (stop buying Enterprise media), and a device showing Pro when policy assumes Enterprise is a license-assignment finding — check the user's entitlement before debugging the feature. The inventory report's edition column against your license counts is the standing audit.
Step 1Buy OEM Pro hardwareThe correct purchase — stop buying Enterprise media
Step 2User signs inThe Windows E3/E5 license rides the user, not the image
Step 3Edition steps upEnterprise activates automatically through Entra
Where Licensing Bites in Practice
The repeat offenders: a Credential Guard or advanced-security profile "not applying" on Pro stragglers; Intune Suite capabilities assumed present because Intune is; E5-tier Defender features configured fleet-wide with E3 licensing; and group-based license assignment lag producing day-one devices that activate Enterprise on day two. Each is a five-minute lookup if edition-vs-entitlement is your first check.
Insights
Put one slide in the architecture doc: feature → minimum edition/license → how this org entitles it. Licensing truth decays quietly as Microsoft repackages — date the slide, review it annually, and the security-baseline review stops tripping over entitlement surprises.
The flagship Windows enrollment — sealed boxes that become corporate, compliant endpoints at first sign-in.
User-driven Autopilot is the flagship Windows enrollment: the device is registered to your tenant before it ever boots, OOBE transforms into a corporate onboarding, and the user unboxes a sealed device straight into a managed, Entra-joined machine — no imaging bench, no IT visit.
Applies toNew corporate devices, shipped sealed
RequiresAutopilot registration, Intune license, MDM user scope
Join typeEntra join, standard user
Console pathDevices > Enrollment > Windows > Deployment Profiles
Prerequisites
Tenant plumbing verified: the MDM user scope covers the enrolling users, Intune licenses are assigned, and enrollment restrictions permit the fleet — broken plumbing masquerades as a hundred different OOBE errors.
An Enrollment Status Page profile with a short, security-relevant blocking list — the ESP defines what "ready" means at first boot.
A registration source decided: OEM/reseller registration written into procurement, with hash-harvesting (step 1) as the documented fallback.
Step-by-Step
Register devices by hardware hash. The right way: your OEM/reseller registers devices at purchase (with your Group Tag convention) — contractual, automatic, hands-off for IT; put it in the purchase contract so devices land in your tenant already known. The fallback: harvest hashes yourself — Get-WindowsAutopilotInfo -Online on the device uploads directly with Graph auth, or collect CSVs and import under Devices > Enrollment > Windows > Devices.
Route fleets with Group Tags. Group Tags are your fleet labels (Corp-Standard, Kiosk-Lobby) — build dynamic groups on the Autopilot device attributes (ZTDID/group tag patterns) so each tag routes automatically to the right profile.
Create the deployment profile under Devices > Enrollment > Windows > Deployment Profiles. The decisions that matter:
User account type: Standard — Autopilot is your once-in-a-generation chance to ship a fleet without local admins; pair with LAPS for break-glass
Device name template — CFA-%SERIAL% style; serial-anchored names keep the console object, the asset label, and the purchase record in agreement (see naming discipline)
Assign the profile to the dynamic group from step 2 — assignment is what arms the OOBE transformation for those devices.
Ship the sealed box. First boot: the user connects to a network → OOBE checks in and recognizes the hash → branded Entra sign-in → the device joins, enrolls, and the Enrollment Status Page holds the session until the security baseline and blocking apps land → desktop. Compliance and Conditional Access take it from there.
UnboxUser connects to a networkSealed box, no IT visit
RecognizeOOBE checks in, hash matchesThe device is already yours before first boot
Join + enrollEntra join, Intune enrollmentStandard user, name template applied
ESP gateSession held until readyBaseline and blocking apps land, then desktop
Verification
Prove it on a pilot device before the first pallet ships: dsregcmd /status reports the device as Entra joined, the console shows it enrolled with the name template applied, the signed-in user is a standard user, every ESP-blocking app reports installed, and the Autopilot deployment report shows per-phase timings you could live with on the worst network your users will meet.
Insights
A small note on the newer "device preparation" profile type: Microsoft ships a next-generation Autopilot flavor alongside classic profiles. The classic model above remains the deployed-everywhere standard; evaluate the new one deliberately, not by accident of which blade you clicked.
Pilot the worst network you'll meet — home Wi-Fi behind hotel-grade captive portals is where first boots go to die. The ESP page covers the timeout math.
Deleting a device from Intune does not unregister it from Autopilot — the hash registration persists (that's the theft-deterrent feature: a wiped device boots straight back into your tenant's enrollment, still claimed). Decommissioning means removing the Autopilot device object too.
White-glove tech prep and user-less kiosk deployment — the other two Autopilot flavors.
User-driven covers the mainline; these two cover the edges: devices IT preps before handoff, and devices no user will ever own.
IT preps devices before handoff — heavy app stacks, VIP handoffs, day-one eventsPre-provisioningTechnician phase on the bench, reseal, five-minute user phase.
no user will ever own the device — kiosks, signage, shared labsSelf-deploying modeTPM-attested, Entra-joins as a device, no credentials typed.
Pre-Provisioning (White Glove)
The technician phase runs the device-targeted half of deployment on the bench, so the user later completes only the user half — sign-in plus user-targeted payloads — turning a 40-minute first boot into a 5-minute one. The bench flow:
Boot the device to the first OOBE screen.
Press the Windows key five times to open the deployment menu, and choose pre-provisioning.
Confirm the summary screen — it shows the deployment profile and organization the device resolved to; a wrong or missing profile is cheapest to fix right here.
Run provisioning: the device Entra-joins and applies device-targeted apps and policies while still on the bench.
Reseal the device for handoff once the run completes.
When it earns its keep: heavy Win32 app stacks, VIP handoffs, shipping-day events where 200 people start Monday. Requirements worth knowing: a wired/solid network on the bench, TPM attestation capability, and device-targeted assignments — anything user-targeted waits for the user phase by design, so target the blocking stack to device groups.
The bench flow ends with a green/red status screen — red means fix it now, on the bench, where it's cheap. That screen is the entire ROI of pre-provisioning.
Self-Deploying Mode
No user at all: the device boots, TPM-attests its identity to your tenant, Entra-joins as a device, and applies device policy + apps — nobody types credentials, ever, which is the entire design.
Built for: kiosks, digital signage, shared lab machines fronted by other sign-in mechanisms. Pair with the kiosk configuration profile (assigned-access single/multi-app) and the appliance disciplines unattended fleets demand: no-user monitoring, maintenance-window updates, restrained lock-screen surface.
Hard requirement: physical TPM 2.0 attestation — which is why VMs and some odd hardware fail self-deploying with attestation errors; test your exact SKU before promising a signage rollout.
Insights
Pre-provisioning doesn't change what deploys, only when — if user-driven is broken, white glove is broken with extra steps. Stabilize the ESP-blocking stack first.
Self-deploying devices have no user to blame and no user to notice: a failed policy at 2 a.m. is invisible until the lobby screen is. Alerting on check‑in gaps is part of the deployment, not an afterthought.
The most consequential screen in Windows deployment — tuning what blocks, what doesn't, and how long.
The ESP is the gate between "enrolling" and "desktop": it holds the user while security-critical payloads land. Tuned well, it guarantees no device reaches a user half-built. Tuned badly, it's a 60-minute spinner that defines your project's reputation. Most Autopilot misery is ESP misery.
Applies toFirst boot — the gate between enrolling and desktop
Console pathDevices > Enrollment > Windows > Enrollment Status Page
Timeout60 minutes default — size it to the blocking payload
ScopeGenerally OOBE-provisioned devices only
The Settings That Matter
Devices > Enrollment > Windows > Enrollment Status Page:
Show app and profile configuration progress: Yes — the whole point.
Block device use until these required apps are installed: the crux. Select a short, security-relevant list — Defender bits, VPN client if day-one-required, your core agent. Not Office. Not the 14-app "standard load." Everything else installs post-desktop while the user works.
Timeout: 60 minutes default; the right value is (blocking payload time on bad Wi-Fi) + margin — which is exactly why the blocking list must be short.
Allow users to reset/retry on failure: yes for user-driven fleets; a dead-end error screen creates tickets a retry button wouldn't.
Only show page to devices provisioned by OOBE: generally yes — spares existing devices an ESP surprise after a re-sync.
The Tuning Doctrine
Block the minimum. Every blocking app multiplies failure probability and wait time. The question is never "what should the device have" — it's "what can it not be used without for one hour."
Device-target the blockers so pre-provisioning absorbs them on the bench.
Measure, then trim: Autopilot deployment reports show per-phase timings — the app that costs eight minutes on every enrollment should justify its blocking seat quarterly.
Do
Block the short, security-relevant set — Defender bits, day-one VPN, the core agent
Device-target blockers so pre-provisioning absorbs them
Allow reset/retry on user-driven fleets
Review per-phase timings quarterly and trim
Don't
Block Office or the 14-app standard load
Raise the timeout as the fix — that's tuning the fuse, not the short circuit
Spawn one ESP profile per department
When It Fails Anyway
The classic 0x800705B4 is a timeout, not a cause — something in the blocking list stalled. The diagnosis path lives in Autopilot and ESP Failures: per-app status via IME logs, the MDM diagnostics cab, and the "which app never reported" hunt. Resist raising the timeout as the fix; you'd be tuning the fuse instead of the short circuit.
Insights
One ESP profile per real scenario, not per department — ESP sprawl with conflicting blocking lists produces the least debuggable failures in Intune.
The ESP's perceived speed is brandable: the org name and progress phases are the user's first impression of IT. Sweat the branding and the phase names — a screen that explains what it's doing buys patience a generic spinner never earns.
Bringing the existing estate into Intune — hybrid auto-enrollment, provisioning packages, and co-management.
Autopilot handles new hardware; this page handles the thousands of machines you already have — without reimaging a single one.
the fleet is hybrid-joined and GPO-governed todayGPO auto-enrollmentOne policy; devices enroll silently at next refresh.
ConfigMgr runs the estateCo-managementCloud attach, then workload sliders move per capability.
you're enrolling lab carts or refurb batchesProvisioning packageBulk token in a .ppkg — a utility knife, not a strategy.
the hardware is newly purchasedAutopilotNew devices skip this page entirely.
GPO Auto-Enrollment (the Existing-Fleet Workhorse)
For hybrid-joined estates: one Group Policy and every in-scope device silently enrolls into Intune at next policy refresh, using the signed-in user's Entra identity. No user action, no visit, no reimage.
Prerequisites
Devices are hybrid-joined with Entra Connect sync healthy — auto-enrollment rides the device's existing Entra registration.
Users hold an Intune license — enrollment happens as the signed-in user, and an unlicensed user is a silent no-op.
The MDM user scope is set (Entra ID > Mobility > Microsoft Intune) to cover the enrolling population.
Step-by-Step
Pick the first ring: an OU or security group that defines a bounded population — ring it, don't big-bang it.
Enable the policyEnable automatic MDM enrollment using default Azure AD credentials in a GPO linked to that scope, exactly like any other Group Policy rollout.
Let a policy refresh cycle pass — devices enroll silently as users sign in and policy applies; no reboot ceremony required.
Verify before widening: spot-check dsregcmd /status for join truth and the device's management blade for enrollment truth, then expand ring by ring.
The result is a fleet that's enrolled but still GPO-governed — which is the correct intermediate state. From here, policy migrates Catalog-ward on your schedule, and hardware migrates Entra-join-ward on the refresh cycle.
Co-Management (ConfigMgr Estates)
Where Configuration Manager runs the world, cloud attach enrolls the ConfigMgr fleet into Intune and exposes workload sliders — compliance, device configuration, Windows Update, apps, Endpoint Protection — each movable Pilot → Intune independently. The pragmatic sequence most orgs run: compliance first (unlocks Conditional Access gating via Windows compliance policies), Windows Update second (WUfB beats maintaining ADRs), apps last (the Win32 repackaging effort is real). Each slider moved is ConfigMgr infrastructure you eventually retire.
Provisioning Packages
Windows Configuration Designer builds a .ppkg carrying a bulk-enrollment token — double-click (or apply during OOBE) and the device bulk-joins Entra and enrolls. Honest scope: lab carts, donation/refurb batches, environments without Autopilot registration. Limits to respect: a shared bulk token (treat like a credential, expire it), device-context enrollment without rich user affinity, none of Autopilot's lifecycle glue. It's a utility knife, not a strategy.
Insights
These paths are complementary, not competing: GPO auto-enroll for the standing hybrid estate, co-management where ConfigMgr lives, Autopilot for everything newly purchased. Write the matrix down once and procurement plus attrition execute the migration for you.
Whatever the path in, verify the same way: dsregcmd /status for join truth, the device's management blade for enrollment truth, and the Windows inventory report for the fleet-level join/enrollment split as your migration KPI.
The next-generation Autopilot profile honestly compared with classic — what changes, what's missing, and how to choose.
The user-driven page flagged it; this page gives the newer Autopilot device preparation model its full treatment — because both coexist in the console, and choosing by accident is the common failure.
What Device Preparation Changes
The design goals are simplification and reliability: a single policy object (replacing the profile + ESP + assignment choreography), deploy-time progress with cleaner per-phase reporting, device-group just-in-time membership via a security group the policy owns, and a delivery flow engineered around the classic model's most fragile moments. Devices don't strictly require pre-registered hardware hashes in the same way — corporate identity can establish during the flow — which softens the registration-pipeline dependency that classic deployments live and die by.
What It Doesn't (Yet) Cover
The trade is breadth: feature coverage has lagged classic Autopilot — historically including the pre-provisioning/self-deploying flavors, hybrid-join paths (which you shouldn't want anyway), and assorted edge options — with the gap narrowing release over release. Check current-state coverage against your requirements at decision time; this is the one Autopilot area where a six-month-old blog post is reliably wrong in some direction.
The Decision Matrix
Your situation
Choose
Greenfield, user-driven Entra-join only, standard fleet
Device preparation — the simpler model, built for exactly this
Need white-glove, self-deploying, or other classic-only features
Classic until coverage lands
Established classic estate, working
Stay; migrate deliberately when a device-prep feature you want justifies it — not for novelty
Run both knowingly during transitions — distinct device populations, distinct policies, documented split — rather than discovering the org runs both by archaeology.
Insights
The reporting alone justifies pilots: device preparation's deployment view answers "where did it die" with a precision the classic cab-file hunt only approximates.
Whatever the model, the doctrine constants survive: minimal blocking payloads, standard users, ringed rollout — the profile type changes the plumbing, not the principles.
Personal-device gates, platform restrictions, and the MDM-scope and DNS plumbing enrollments ride on.
Two related disciplines share this page: who may enroll (restrictions) and what enrollment rides on (the tenant plumbing that, when broken, masquerades as a hundred different errors).
Restrictions
Devices > Enrollment > Restrictions, Windows edition:
Block personally owned Windows devices — the high-leverage default for corporate-only programs: Autopilot-registered and bulk-enrolled devices are inherently corporate and pass; the family laptop with a work account doesn't device-enroll. The personal population is served properly by Entra registration + MAM for Windows + Conditional Access instead.
OS version floors at the door — cheaper than catching museum builds in compliance later.
Device limit restrictions — per-user device counts; Windows fleets hit these during hardware refreshes when old devices linger (a standing stale-device cleanup rhythm is the systemic fix).
Priority-ordered, group-assigned, documented — restriction hygiene that future you, and your auditors, will thank you for.
The Plumbing
The unglamorous tenant-side settings every enrollment silently traverses:
MDM user scope (Entra ID > Mobility > Microsoft Intune): the population whose devices auto-enroll — Some vs All, with the GPO-auto-enroll and Autopilot flows both depending on the signed-in user being in scope. The classic "everything's configured but enrollment fails" answer.
MAM user scope interplay: users in both scopes follow precedence rules that have surprised many a pilot — corporate enrollment flows want MDM scope winning for corporate devices.
CNAME records (enterpriseenrollment / enterpriseregistration pointing at Microsoft's endpoints): smooths manual/legacy enrollment paths' server discovery. Modern Entra-driven flows lean on it less, but the records cost nothing and their absence produces vintage error codes worth never seeing.
Licensing: the user needs an Intune license at enrollment moment — group-based licensing lag is a real race condition on day-one new hires.
Check 1MDM user scopeIs the enrolling user actually in scope?
Check 2Intune licensePresent at the enrollment moment, not an hour later
Check 3RestrictionsPersonal-device block, OS floor, device limit
Restriction changes don't evict the already-enrolled — pair posture changes with a deliberate cleanup of the now-out-of-policy stock: retire, wipe, or re-enroll what no longer meets the bar.
When enrollment fails mysteriously, walk the plumbing in order — scope, license, restriction, CNAME — before touching the device; four tenant-side checks, two minutes, and the device-side hunt often never starts.
Cloud PCs and virtual desktops as managed endpoints — what transfers, what differs, and the policies that need forking.
Cloud PCs (Windows 365) and Azure Virtual Desktop session hosts enroll into Intune and look like devices in the console — and mostly manage like them, which makes the deltas the dangerous part. This page is the deltas.
What Transfers Cleanly
Settings Catalog policy, compliance, Win32/Store apps, scripts and Remediations, Defender policy — the management plane is the management plane. Windows 365 enrolls Cloud PCs automatically at provisioning (Entra-joined or hybrid per your provisioning policy); AVD hosts arrive via your image/automation pipeline's enrollment step.
The Deltas That Need Forking
Updates: single-session Cloud PCs ride WUfB like physical; multi-session AVD hosts don't — pooled hosts update via image refresh/host-pool rotation in your AVD pipeline, and pointing deadline-driven update rings at a pooled host is how Tuesday's session host reboots out from under forty users. Filter them out of physical-device rings explicitly (the deviceModel/Cloud PC-pattern and AVD-naming properties make clean filters).
Physical-hardware policy is noise here: BitLocker (platform-managed storage encryption applies), Hello biometrics, power/firmware (DFCI) — exclude virtual fleets from these via the same filters or live with permanent not-applicable clutter.
Multi-session policy semantics: per-user vs per-device settings matter intensely on session hosts — FSLogix owns the profile story, and user-context scripts need multi-session awareness.
Compliance posture: virtual fleets get their own compliance policy — the physical fleet's TPM/encryption checks expressed appropriately for the platform, so Conditional Access gates Cloud PC access on signals that can actually pass.
The Operating Pattern
One management plane, forked targeting: Physical, CloudPC, AVD-MultiSession as first-class fleet dimensions in your group/filter taxonomy, with every update/security/hardware policy consciously aimed. The inventory report split by those dimensions becomes the coverage proof.
the device is physical hardwarePhysical targetingThe full stack applies — updates, encryption, biometrics, firmware.
it's a single-session Cloud PCCloudPC targetingWUfB rides like physical; filter out physical-hardware policy.
it's a pooled multi-session hostAVD-MultiSession targetingUpdates via image refresh and host-pool rotation — never deadline rings.
Insights
The Cloud PC's superpower is the blueprint property taken to its limit — reprovision is the fix, minutes not hours; build runbooks that reach for it early.
Watch the double-management trap on AVD: image-baked configuration fighting Intune policy produces drift archaeology — decide per setting which pipeline owns it, the one-home rule at architecture scale.
Getting user-less and many-user Windows devices into management — self-deploying, provisioning packages, and the populations they create.
Kiosk configuration and shared PC mode are policy stories; this page is the enrollment story underneath them — because user-less and many-user devices can't ride the user-driven flow built around a primary human.
the device is a true kiosk — no user, everSelf-deploying modeTPM-attests, joins as a device; everything targets device groups.
a frontline or lab fleet where Entra users rotateSelf-deploying or pre-provisioning + shared PC modeMany users, no primary user, accounts managed by policy.
quick-turn carts and donation-grade hardwareProvisioning packageBounded ambitions, bounded effort.
Kiosk Devices: Self-Deploying Mode
The canonical path: Autopilot self-deploying — the device TPM-attests, Entra-joins as a device, and applies device-targeted policy and apps with no credentials typed. The resulting device has no primary user, which is exactly right and has consequences worth pre-deciding:
Licensing and compliance posture for user-less devices decided up front (device-based compliance, no user-targeted anything)
Hardware reality: self-deploying's physical TPM 2.0 attestation requirement — validated per SKU before promising the lobby rollout
Shared PCs: the Path Depends on the Population
Frontline/lab fleets with Entra users: self-deploying or pre-provisioning enrollment + shared PC mode policy + guest/account behavior configured — many users, no primary user, accounts managed by the mode's deletion policies
Quick-turn carts and donation-grade hardware: the provisioning package bulk-enroll remains the honest utility path — bounded ambitions, bounded effort
The anti-pattern: user-driven enrolling shared hardware under whoever set it up — that human becomes the accidental primary user, their departure becomes the device's identity crisis, and primary-user cleanup becomes your hobby. Enroll shared as shared from minute one.
Insights
The fleet-dimension discipline from virtual desktops applies: Kiosk and SharedPC as first-class targeting dimensions, consciously included/excluded from every ring and baseline — a kiosk in the knowledge-worker update ring reboots mid-lobby-demo on schedule.
No user means no complainer: alert on check‑in gaps, run updates in maintenance windows, and keep the lock-screen surface minimal — silent fleets need instrumented silence.
Naming templates, rename realities, and why boring names beat clever ones at fleet scale.
Device names look cosmetic until the first audit, the first stale-device sweep, or the first time helpdesk asks a user to read DESKTOP-7G2K9F3 over the phone. Naming is identity hygiene; the tooling is small and the conventions matter.
The Template Mechanism
The Autopilot profile carries the device name template: a pattern with substitution macros — serial-number and random-digit insertions being the workhorses — applied at provisioning. The pattern that survives contact: a short org/fleet prefix + %SERIAL%-style anchor, e.g. a CF- prefix plus serial. The serial anchor is the choice everything else leans on: it makes the name derivable from the asset — laptop lid, purchase record, and console all agree — which is the entire point.
What templates can't carry: per-user or per-department semantics at provisioning time (the device is named before it knows its human). Resist encoding org structure into names anyway — departments reorganize; serials don't. Ownership semantics belong in group/filter dimensions and primary-user data, where they're queryable and mutable.
Do
Anchor names to the serial — lid, purchase record, and console agree
Keep a short org/fleet prefix (CF-%SERIAL% style)
Put ownership semantics in groups, filters, and primary-user data
Don't
Encode site, floor, or department — reorgs outlive clever schemes
Ship names tier-1 can't take over the phone
Renames After the Fact
Existing estates converge via the rename device action — bulk-driven through Graph for fleet-scale standardization — with the operational notes that the rename lands on sync and a restart finalizes the local truth. Hybrid-joined stragglers carry AD-side naming constraints and ceremony; one more argument for the Entra-native endgame.
The Adjacent Hygiene
Naming is one leg of device identity; the others ride along: primary-user correctness (the shared-device anti-pattern's accidental-owner problem), group-tag taxonomy as the real semantic layer, and duplicate-object cleanup so one physical machine isn't three console identities — the stale-cleanup rhythm's sibling chore.
Insights
The test for any naming scheme: can tier-1 go from a user's phonetic reading to the right console object in one search, and from a console object to the physical asset in one lookup? Serial-anchored prefixes pass both; clever schemes encoding site-floor-department pass neither after the second office move.
Four ways to unmake a Windows device — and how to pick the one whose survivors match your intent.
Enrollment has an exit: the lifecycle actions. Each destroys a different slice of device state and preserves the rest, so the skill is knowing the disposition first — reassign internally, leave the org, or end management on a personal machine — and picking the action whose preserve-list matches. Most cleanup pain is an action chosen before the disposition was.
The Four Actions
Action
User data
Enrollment & join
Autopilot registration & group tag
Right tool for
Wipe
Removed (a keep-enrollment-and-user variant exists for reset-in-place troubleshooting)
Removed; device lands back at OOBE
Survives — next boot re-provisions through Autopilot, tag intact
Offboarding, lost/stolen, clean rebuild
Autopilot Reset
Removed — personal files, apps, settings, and the primary user
Kept — Entra join held; re-enrolls when an Entra user signs in
Survives
Troubleshooting rebuild or OEM debloat, files untouched
Retire
Kept — only company data, Intune-deployed apps, and profiles removed (certificates revoked)
Removed at next check‑in
Survives if registered
Ending management on personally owned devices
Two rows carry traps. Retire on a corporate Entra-joined machine unjoins it — afterward no Entra account can sign in; recovery means a local-admin path. Retire is the BYOD tool. And Fresh Start withoutretain user data lands at an OOBE-completed state with the built-in administrator account — for a clean machine, Wipe re-provisions through Autopilot instead.
Encryption and Recovery Keys
Know the disk encryption interactions before, not after. Retiring or deleting the Intune object of an Entra-joined, encrypted device triggers a safeguard that removes key protectors and suspends encryption on the OS volume — capture the recovery key, and anything you need off the disk, first. Recovery keys escrow to the Entra device object: delete the record and the keys go with it. And after any wipe or reset, the rebuilt device silently re-encrypts and escrows a new key — old keys going stale post-rebuild is normal, not an incident.
Step-by-Step: Reassign with Autopilot Reset
Prerequisites: the device is Entra joined (hybrid-joined devices aren't supported — they take the full Wipe path and can need up to a day before redeploying), enrolled, and carrying a healthy Windows Recovery Environment — a disabled WinRE fails the reset immediately.
Capture what departs with the old user: confirm recovery-key escrow and save any local data — the reset removes personal files and the primary user.
Trigger the action from the device's blade under Devices > All devices. The device restarts into the reset; the user watches the machine rebuild and is blocked from the desktop until provisioning packages reapply and an Intune sync completes — no one touches a half-configured machine.
Watch the console: the device record never leaves Intune — same object, name, and group memberships, with the action's state on the device overview. A remote reset clears the primary user.
Hand off: the next person to sign in becomes primary user and Entra owner, their user-targeted apps and policy arriving with that session. Update any assignment metadata your naming and tagging hygiene tracks.
Verification: the device lands at a sign-in screen rather than OOBE, the new primary user populates after first sign-in, and compliance returns to green once first evaluations run. Shared devices stay shared — no accidental owner.
Step-by-Step: Offboard with Wipe
Harvest before you burn: the recovery key and LAPS password if any forensic or data need exists — record deletion later removes both.
Choose the variant deliberately. Default wipe for ordinary offboarding — interrupted, it attempts rollback. The protected wipe ("continue even if the device loses power") overwrites free space and wipes through interruptions — the lost/stolen choice, with a real trade: it can leave hardware unbootable. Data destruction or device survival; pick which you're buying.
Issue the Wipe and wait. The machine resets to factory state and lands at OOBE; the console shows the action pending until the device checks in, then completed.
Then — and only then — clean up: delete the Intune object and the Entra record once the wipe reports complete.
Decide the Autopilot registration's fate: hardware leaving the org gets deregistered (remove the hardware hash), or its first boot at the next owner lands in your tenant's enrollment; hardware staying in the fleet keeps its registration — that's what makes the next provisioning zero-touch.
Verification: completed shows in the device's action status, the records are gone, and — for departing hardware — the Autopilot devices list no longer carries the serial.
Operational Gotchas
Actions queue against offline devices. A Wipe or Retire sits pending until the device next checks in — potentially forever for a laptop in a drawer; the enrollment certificate's yearly lifetime bounds the wait. The honest model: encryption and access revocation protect offline hardware; the wipe executes only if the device returns.
Wipe, confirm, then delete — never delete first. Deleting the record tears down the management channel, so a queued wipe can never deliver; the machine keeps its data and you lose the lever. This ordering mistake is unrecoverable.
Retire doesn't revoke tokens. A retired device's sessions keep working until tokens expire or Conditional Access cuts them off at the next request.
"Who wiped it?" lives in the audit log — Tenant administration > Audit logs, Initiated By column.
Insights
Write the three dispositions into the offboarding runbook as named lanes — reassign (Autopilot Reset), departs (Wipe → delete → deregister), personal (Retire) — and make the ticket template ask which lane before any button is pressed. The actions are irreversible; the decision should be the slow part.
Autopilot registration surviving Wipe is the feature, not a bug: a wiped device that boots straight back into provisioning is how loaner pools and reassignment benches stay fast. Deregistration is an explicit leave-the-org step, not part of "cleaning up."
The Windows policy surface — how the Catalog maps to CSPs, where ADMX fits, and when OMA-URI is the honest answer.
The Windows Settings Catalog is the modern policy surface — per-setting policies with per-setting reporting — and the substrate underneath is worth understanding: every setting resolves to a CSP (Configuration Service Provider), the OS-native MDM policy surface documented in Microsoft's CSP reference. Knowing the CSP layer is what turns "the toggle didn't work" into a diagnosable event.
Settings Catalog (native CSP-backed) — thousands of settings, searchable by friendly name and CSP path. New policy starts here, full stop.
ADMX-backed settings — the Group Policy universe surfaced through MDM: the Catalog carries an enormous ADMX-backed set (Office, Edge, Windows components), and ADMX import lets you upload third-party ADMX templates (Chrome, Adobe, vendors) so their GPO-style settings deploy via Intune. This is how GPO knowledge transfers instead of dying.
Custom OMA-URI — raw CSP paths for the genuinely unexposed corner. Legitimate, occasionally necessary, always documented with the CSP doc link in the profile description — an undocumented OMA-URI profile is a future incident.
Migrating From Group Policy
Run Group Policy analytics (Devices > Group Policy analytics): import GPO reports, get per-setting MDM-mappability scores. Most modern-relevant settings map; the unmappable tail is usually legacy you should retire, not replicate.
Translate by intent, not 1:1 — twenty years of GPO accumulates contradictions the Catalog forces you to confront. Migration is the audit.
Declare the precedence winner for the overlap era: on hybrid devices, GPO and MDM can both apply; the MDMWinsOverGP policy declares the winner for conflicts. Decide it deliberately and ring it — surprise precedence flips are how transitions earn enemies.
Conflict Rules and Hygiene
Per-setting reporting names conflicts explicitly (two profiles disagreeing show the setting and both sources). The discipline that keeps the estate debuggable: one home per setting, intent documented in the description, naming convention Win-<Area>-<Audience>-v<N>, all under IntuneCD version control.
Insights
The Catalog search accepting CSP paths means Microsoft's CSP documentation doubles as your settings index — when a blog cites ./Device/Vendor/MSFT/Policy/Config/..., paste the leaf into Catalog search before reaching for OMA-URI.
MDM policy applies on a sync cadence, not gpupdate-instantly — pair any "why isn't it applying" hunt with the diagnostics workflow before assuming the policy is wrong.
VersioningNew versions never auto-apply — diff, pilot, migrate
Deploying One Without Breaking Friday
Endpoint security > Security baselines > pick (the core Windows baseline; Defender for Endpoint and Edge baselines exist separately) > create profile from the current version.
Read it before assigning it. Every baseline deployment that "broke the app" skipped this step. The classics that bite: legacy authentication shutoffs, attack-surface settings colliding with old agents, UAC/elevation behavior changes.
Pilot ring → department ring → fleet, exactly like update rings. Baselines are hundreds of simultaneous changes; respect the blast radius.
Customize sparingly and document every deviation in the profile — the delta between Microsoft's recommendation and your reality is precisely what auditors and successors need to read.
Versioning and Drift
Baselines version (e.g., as Microsoft revises guidance) — new versions don't auto-apply. The operating rhythm: when a new baseline version ships, diff it (the comparison view shows changed settings), pilot the new version, migrate profiles deliberately. An org running a three-year-old baseline version has quietly opted out of three years of hardening guidance.
Per-setting reporting doubles as drift detection: a device diverging from baseline shows exactly which setting — investigate, because something (a conflicting profile, a local actor, an agent) is fighting you.
Baselines vs. Your Own Catalog Profiles
They coexist: the baseline carries Microsoft's floor; your Settings Catalog profiles carry org-specific policy. Keep them non-overlapping (the one-home-per-setting rule) or per-setting conflict reports become your hobby. The community OpenIntuneBaseline project (tools page) is a strong Catalog-native alternative philosophy — settings as reviewable code rather than a sealed baseline object; many mature shops run that model instead. Either is defensible; neither is "we'll harden later."
Do
Read every setting before assigning
Ring it: pilot → department → fleet
Document every deviation in the profile
Diff and pilot each new baseline version
Don't
Run a three-year-old baseline version
Overlap baseline and Catalog profiles — one home per setting
Exempt by empty assignment — variants are documented, not silent
Frameworks: Microsoft Baselines & CIS
Two distinct things get casually called "the baseline," and conflating them is how fleets end up with conflicting policy. The Microsoft security baseline is a Microsoft-authored, opinionated set of CSP-backed settings shipped inside Intune under Endpoint security > Security baselines. The CIS Benchmark is a separate, community-consensus configuration standard published by the Center for Internet Security that you map onto Intune yourself (usually via the Settings Catalog). Microsoft is explicit that there is no one-to-one mapping between "CIS-compliant" and its own baselines — they consult bodies like CIS and NIST, but the recommendations are not the same artifact. Treat the Microsoft baseline as your floor and CIS as the contractual/regulated overlay.
Critically, Intune security baselines are a Windows-family-only feature. There is no Intune-delivered Microsoft security baseline for macOS, iOS, or Android — for those platforms you build hardening from the Settings Catalog and (on Mac) the macOS Security Compliance Project. See macOS: CIS & MSCP baselines for the parallel-but-different model on the Apple side.
Win 10/later baselineVersions to 25H2 (also 24H2, 23H2)
Format changeMay 2023: CSP-named settings
CIS profilesL1 workstation / L2 defense-in-depth
The Microsoft Baselines Available In Intune
Under Endpoint security > Security baselines the tile list shows each baseline type, how many profiles you have on it, how many version instances exist, and a Last Published date. The Windows-family baselines Microsoft ships are:
Security Baseline for Windows 10 and later (the MDM baseline) — the floor for managed Windows clients. Each Windows feature update can spawn a new version instance (current line runs 25H2, 24H2, 23H2, back through November 2021 / December 2020 / August 2020). It auto-enables BitLocker on removable drives, requires a password to unlock, disables basic authentication, and similar. The settings are pulled straight from the relevant CSPs.
Microsoft Defender for Endpoint Security Baseline — current instance 24H1 (older: v6, v5, v4, v3). Requires an active MDE license/onboarding; the baseline only configures Defender, it does not entitle it. Microsoft flags this one as optimized for physical devices and not recommended on VMs/VDI, because several settings degrade remote interactive sessions. Pair it with the Defender & Endpoint Security work and your ASR rules.
Microsoft Edge Baseline — versioned to track the browser; current instance is version 139 (April 2026), with 128 (Jan 2025), 117 (Nov 2023) and the 112 (May 2023) reformat behind it. Defaults include Basic-auth-over-HTTP Disabled, site isolation Enabled, SmartScreen Enabled, and Application Bound Encryption Enabled.
Windows 365 Security Baseline — current instance 24H1 (plus the legacy November 2021), tuned for Cloud PC. Use this instead of the MDE physical-device baseline on Cloud PCs, since it accounts for the virtualized session.
Microsoft also ships a Microsoft 365 Apps for Enterprise (Office) baseline (v2306) and HoloLens 2 baselines, but for a standard Windows fleet the four above are the operative set. In May 2023 Intune changed the baseline format so each setting now carries its native CSP name and configuration options — which is why a pre-May-2023 profile cannot be edited in-place and instead must be re-created (with a CSV export to map old values forward). Plan that migration deliberately; it is a one-time, side-by-side recreation rather than an in-place version bump.
Operational reality on versioning: when a new baseline version publishes, your existing profiles do not auto-upgrade — their settings go read-only (you can still edit name/description/assignments). Updating runs Update Version, which creates a new side-by-side instance and asks you to either keep your customizations or discard them to defaults. Assignments and scope tags are not carried over, so the classic post-update mistake is leaving the old instance assigned alongside the new one and generating a conflict. Remove the old assignment as part of the cutover.
Security Compliance Toolkit (SCT) And Policy Analyzer
Before Intune, Microsoft's baselines lived as Group Policy Object backups, and that channel still ships: the Security Compliance Toolkit (SCT). It is the right tool when you are still GPO/AD-joined, when you want to diff Microsoft's recommended settings against your live policy, or when you need to reconcile what an Intune baseline actually enforces versus the on-prem world during a migration. The SCT bundles the GPO baselines plus four utilities:
Policy Analyzer — treats a set of GPOs as one unit, highlights redundant or internally inconsistent settings, diffs baseline versions against each other and against current local policy + local registry, and exports to Excel. This is the workhorse for "what does this baseline version actually change" and for capturing a point-in-time snapshot to detect drift later.
LGPO.exe — command-line apply/export of Local Group Policy from Registry.pol, security templates, audit backups, or "LGPO text"; essential for non-domain-joined test rigs.
GPO2PolicyRules — CLI conversion of GPO backups to Policy Analyzer .PolicyRules files (ships inside the Policy Analyzer download).
As of this writing the SCT Download Center package carries the GPO baselines for Windows 11 25H2 / 24H2 / 23H2, Windows 10 22H2 (and older down to 1507), Windows Server 2025 / 2022 / 2019 / 2016, Microsoft 365 Apps 2512, and Microsoft Edge v139. Use Policy Analyzer to capture a baseline snapshot per feature-update ring, then re-run it after each Windows feature update — that diff is your audit evidence that the new build did not silently regress a control. The Intune baseline UI does not give you a clean cross-version diff, so the SCT remains the better forensic instrument even in a cloud-managed shop.
When a contract or regulator says "CIS," they mean the CIS Microsoft Windows Benchmark — currently Windows 11 Enterprise v5.0.1 / Stand-alone v5.0.0 and Windows 10 Enterprise v4.0.0 / Stand-alone v4.0.0. CIS organizes recommendations into profiles:
Level 1 (L1) — "a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact." This is the realistic floor for a workstation fleet: it reduces attack surface while keeping usability and business function intact.
Level 2 (L2) — "defense in depth ... intended for environments where security is paramount." CIS explicitly warns L2 "can have an adverse effect on your organization if not implemented appropriately or without due care." Expect to suppress or document a meaningful number of L2 items (e.g. aggressive lockout, credential-delegation, and removable-media controls) before they ship to general users.
A STIG profile now exists in place of the older "Level 3," for DISA STIG alignment.
For workstations the practical answer is L1 (workstation) as the deployable target and L2 reserved for high-assurance enclaves; the server benchmarks carry their own L1/L2 split for Domain Controller vs Member Server roles. Measure conformance with CIS-CAT Pro Assessor (the scanner that scores a device against the benchmark and produces the report auditors actually want), and accelerate remediation with CIS Build Kits — the GPO-format remediation content. Both CIS-CAT Pro and the Build Kits are gated behind CIS SecureSuite membership; the benchmark PDFs themselves are free for non-commercial use.
Mapping CIS Into Intune, And Reconciling Drift
CIS Build Kits are GPO artifacts, so on a cloud-managed fleet you do not apply them directly — you re-express the benchmark as Intune policy. Two routes: hand-build a Settings Catalog-style profile set in the Windows Settings Catalog (most CIS items map to a CSP that the catalog surfaces), or start from CIS's own CIS Microsoft Intune for Microsoft Windows Benchmark (Windows 11 / Windows 10 both at v4.0.0), which is written specifically against Intune's policy surface rather than GPO. That Intune-flavored benchmark is the cleaner starting point because each recommendation already names the Intune setting, sparing you the GPO-to-CSP translation. CIS also publishes companion Intune benchmarks for Edge, Microsoft Defender Antivirus, and Office.
The hard part is not the initial deploy — it is conflict resolution and drift. Three rules from production:
One owner per setting. A setting managed by both the Microsoft baseline and a CIS catalog profile, with different values, surfaces as Conflict on the device and the last-writer is non-deterministic. Decide which policy owns each contested setting and remove it from the other. Use the per-device Device configuration report (Devices > All devices > device > Device configuration) to find the offending policy pair.
Baseline is the floor, CIS is the overlay. Deploy the Microsoft Security Baseline for Windows 10 and later first, then layer only the CIS deltas that the baseline does not already satisfy. Do not deploy a full CIS L1 catalog on top of the full Microsoft baseline blind — you will create dozens of redundant or conflicting assignments.
Reconcile every feature update. Both Microsoft baselines and CIS benchmarks version per Windows release (24H2 vs 25H2 carry different settings; CIS bumps major versions). After each feature-update ring lands, re-run CIS-CAT Pro (or a Policy Analyzer snapshot diff) to catch settings that became Not applicable on the new build or that the new baseline version now defaults differently. Capture that report as your audit evidence — "matches default baseline" / "matches custom settings" status in the Intune baseline monitor blade is the per-tenant complement.
Note the licensing seam: an Intune baseline only configures a product, it does not grant it — the MDE baseline does nothing useful without MDE onboarding, and CIS conformance reporting needs SecureSuite. Wire baseline state into compliance policies so a device drifting off the floor loses Conditional Access, rather than relying on the baseline blade alone for enforcement.
Compliance policy and baselines are different jobs: baselines set the posture, compliance attests it to Conditional Access. You need both; they should agree.
Exempt-by-exception, never exempt-by-default: the kiosk that "can't take the baseline" gets a documented variant profile, not an empty assignment.
Rings, deadlines, feature-update pinning, expedited patches, and driver policy — the whole WUfB model.
WUfB is Intune-native update control: Windows Update delivers, your policy decides when and what. It replaces WSUS-era infrastructure with four policy types — learn the deadline model and the rest is scheduling.
1. Update Rings (Monthly Quality Updates)
Devices > Windows updates > Update rings — the heartbeat. A sane three-ring structure:
Ring
Quality deferral
Deadline / grace period
Population
Pilot
0 days
2 / 1
IT + volunteers (~5%)
Broad-1
5 days
5 / 2
~30% cross-section
Broad-2
10 days
5 / 2
Remainder
The deadline + grace period model is the part that matters: updates install politely during the deferral, then the deadline enforces — scheduled restarts, escalating UX, eventual forced restart after the grace period. This converts patching from a nagging campaign into physics: the date is policy, not aspiration. Resist deadline-less rings; they're how 90-day-old patches happen.
DeferralUpdate offered, installs politelyPer-ring days of soak before anything is forced
Grace period expiredForced restartThe date is policy, not aspiration
2. Feature Update Policy (Annual OS Versions)
Pin each ring's target version (e.g., hold the fleet on the current release, move rings to the new one on your validation schedule). This is declarative version control — you state "the fleet runs version X" and the service converges on it: devices below the pin move up to it; devices on it hold. Decouples the annual feature-update project from the monthly quality rhythm.
3. Expedited Updates
The break-glass lane: an expedite policy pushes a specific security update now, overriding ring deferrals, for the Patch-Tuesday-gone-critical scenario. Keep one drafted and unassigned; assign it the morning you need it.
4. Driver Updates
Driver update policy ends the wild west: Windows Update's driver/firmware offers flow into an approval queue (or auto-approve with deferral, for the brave). Review monthly; approve known-good; the fleet stops self-installing surprise GPU drivers.
Insights
Windows Update reports (and the update ring report views) are the truth source — per-device update state, failure codes, and the alerting feed for "ring 1 is stuck." Wire them into a standing review rhythm: patch-age buckets, per-ring failure counts, and a stragglers list with named owners.
Ring membership via dynamic groups on stable attributes — and put every Windows device in exactly one ring; the unringed device is the unpatched device.
If maintaining even this feels like undifferentiated toil, that's the Autopatch pitch — next page.
Microsoft-operated update management — what it automates, what it costs you in control, and who should say yes.
Autopatch is Microsoft running your WUfB machinery as a service: ring creation and population, progression decisions, pause/rollback on detected regressions, and reporting — for quality updates, feature updates, and the Microsoft 365 Apps/Edge/Teams update streams. You bring eligible licensing (Windows E3/E5-class entitlements, Business Premium tier included); it brings the operational toil reduction.
Applies toWUfB machinery, operated by Microsoft as a service
RequiresWindows E3/E5-class entitlements; Business Premium included
CoversQuality + feature updates, Microsoft 365 Apps, Edge, Teams
Console pathThe Autopatch blade — per-ring health reporting
What It Actually Does
Auto-rings the fleet — devices distribute across test/first/fast/broad-style rings algorithmically; you stop curating ring membership spreadsheets.
Release management — Microsoft watches update health signals across its service telemetry and pauses or rolls progression when a release misbehaves, often before your own ring-1 ticket would have fired.
Covers the app updaters too — Microsoft 365 Apps channel management rides along, retiring another quiet maintenance duty.
Reports the whole thing in the Autopatch blade with per-ring health.
What You Trade
Control granularity. Autopatch's cadence and ring philosophy are its opinions — orgs with hard change-control calendars, regulated freeze windows, or app-validation gates tighter than the service's rhythm will fight it. The escape valves exist (device exclusions, some schedule shaping), but if you're escaping constantly, you wanted hand-rolled rings all along.
The Honest Decision Matrix
You
Verdict
Lean IT, standard-issue fleet, patching is toil not strategy
Move the update workload to Intune first; choose after the dust settles
Mixed
Autopatch the standard fleet; carve the regulated slice into manual rings — the models coexist by group
Insights
Autopatch consumes the WUfB machinery — understanding the previous page is still mandatory; you're choosing who operates it, not whether it exists.
Whichever path: the fleet-level KPI is identical — time-to-patched and stragglers count — and your inventory reporting should track it the same way across both managed populations so the choice stays evidence-based.
Silent enablement, key escrow to Entra, and the recovery workflow — encryption as a non-event.
The goal state: every Windows device encrypts itself silently at enrollment, escrows its recovery key to Entra ID, and no user ever sees a prompt. BitLocker done right is invisible; this page is the checklist that makes it so.
Applies toEvery Windows device, silently at enrollment
RequiresReady TPM; no third-party encryption owning the disk
Console pathEndpoint security > Disk encryption
Key escrowEntra ID — required before encryption begins
Prerequisites (Where Silent Enable Fails)
Silent enable requires all of: a ready TPM, no third-party encryption already owning the disk, no conflicting prompts required by the chosen settings (any setting demanding user input breaks silence — additional PIN-at-startup, notably, trades silence for that control; choose deliberately), and the standard-user allowance below. The classic failures: a vendor encryption agent half-removed during migration, and TPM-less VMs in the lab confusing the pilot data.
Step-by-Step: the Policy
Endpoint security > Disk encryption > BitLocker policy:
Require device encryption, OS drive with the TPM protector — the TPM is what makes unlock invisible to the user.
Hide recovery options and suppress prompts — the silent-enable posture; the user should never be asked to make an encryption decision.
Allow standard users to enable encryption: Yes — critical on Autopilot standard-user fleets; without it, your no-admin design blocks your encryption design.
Escrow the recovery key to Entra ID and require successful backup before encrypting — keys must land before you need them.
Keep the encryption method consistent (XTS-AES) so compliance reads cleanly across the fleet.
Assign ringed — pilot first, watching for the prerequisite failures above before any broad ring.
Verification
On pilot devices: the console shows the device encrypted, manage-bde -status agrees on-device, the recovery key is visible in the device blade (escrow proven, not assumed), and the compliance policy's encryption check reports green. A pilot that encrypts but doesn't escrow is a failed pilot — escrow is the point.
The Recovery Workflow
Keys escrowed to Entra surface in three places: the device blade (admin retrieval, audited), Graph (automatable; the audit log records every read), and the user's own self-service lookup via the My Account portal — the 2 a.m. road-warrior path that saves a helpdesk shift; publicize it.
Operational habits: rotate the recovery key after every disclosure (Intune exposes rotation as a device action and policy can auto-rotate on use), and treat a key-retrieval spike as the incident signal it is.
Compliance Tie-In
Compliance policy attests Require BitLocker / encryption of data storage — closing the loop: policy enables, escrow protects, compliance proves, Conditional Access enforces. The enable→escrow→attest chain makes the audit conversation a single story: every layer's evidence lives in the tenant, queryable on demand.
EnableSilent BitLocker policyTPM protector, no user prompts
EscrowRecovery key lands in Entra IDBackup required before encrypting
AttestCompliance proves itRequire encryption of data storage
EnforceConditional Access holds the keysThe whole chain, queryable on demand
Insights
Measure escrow coverage, not just encryption coverage: an encrypted disk with no escrowed key is a future data-loss ticket wearing a green checkmark. The inventory report reports isEncrypted; pair it with a key-presence audit via Graph for the real number.
Migrating from McAfee/Symantec-era encryption: decrypt → silent BitLocker is the boring, correct sequence. In-place protector swaps are where weekends go to die.
Passwordless sign-in done properly — enrollment scoping, cloud Kerberos trust, and the rollout that doesn't surprise anyone.
Windows Hello for Business (WHfB) replaces the password at sign-in with a device-bound credential unlocked by PIN or biometrics — phishing-resistant by construction, because the secret never leaves the TPM and never transits a network. It's the credential half of the cloud-native endpoint; Entra join is the identity half.
Applies toPer-device credential — each device enrolls its own
The Two Places It Turns On (Pick One Deliberately)
Tenant-wide enrollment policy — Devices > Enrollment > Windows Hello for Business: applies at enrollment time to every newly enrolling device. Blunt. If you're not ready fleet-wide, set this to Disabled and use…
Targeted policy — an Endpoint security Account protection profile assigned to groups: ringable, pilotable, the recommended path for staged rollouts.
The classic misconfiguration is forgetting #1 exists: orgs "piloting" WHfB via #2 while the tenant policy enrolls everyone anyway. Decide the pair together.
Settings That Matter
PIN complexity: minimum length 6+, allow biometrics (the PIN is the fallback; Face/fingerprint is the daily experience)
TPM required: Yes — the credential's whole security story
PIN history/expiration: leave gentle; the PIN unlocks a device-bound key, it isn't a password and shouldn't inherit password-theater rules
The On-Prem Question: Cloud Kerberos Trust
"But our file shares" — answered: cloud Kerberos trust lets WHfB-signed-in users on Entra-joined devices obtain Kerberos tickets for on-prem AD resources, with near-zero PKI ceremony (no per-device certificates, no key-trust object sync sagas). One Entra Connect-side setup, one policy toggle, and the legacy objection dissolves. If you're designing new in the 2020s, cloud Kerberos trust is the default trust model; the older key/certificate trust paths are for documented edge constraints.
Rollout That Lands Well
Ring it like everything else — and communicate the why: users read "set up a PIN" as a downgrade until told the PIN never leaves the laptop and can't be phished. One paragraph of comms converts the rollout from grumbling to gratitude. Pair with standard-user Autopilot and LAPS and the endpoint identity story is complete: no local admins, no reusable passwords, recoverable break-glass.
Do
Set the tenant-wide enrollment policy to Disabled before piloting by group
Keep PIN history and expiration gentle — it unlocks a device-bound key
Tell users the PIN never leaves the laptop and can't be phished
Don't
Pilot via Account protection while the tenant policy enrolls everyone anyway
Inherit password-theater rules for the PIN
Force per-device credential ceremony onto multi-user shared fleets
Insights
WHfB is per-device by design — a user's desktop and laptop each enroll their own credential. Expect and pre-answer the "why am I setting this up again" ticket.
Multi-user shared PCs are WHfB-awkward — a per-device credential per user multiplies enrollment ceremony. Frontline shared fleets usually want different sign-in patterns entirely: assigned access, FIDO2 security keys, or web sign-in depending on the workload.
SCEP issuance, 802.1X Wi-Fi, and Always On VPN — the Windows certificate chain from trusted root to working tunnel.
Certificate-based access on Windows is one architecture with three consumers: trusted roots anchor the chain, SCEP issues device and user identities from a shared backend (Cloud PKI, the Certificate Connector to AD CS, or third parties), and Wi-Fi/VPN profiles consume the result. Build the chain once, deliberately, and 802.1X and Always On VPN become routine consumers of it.
Issuance backendCloud PKI, or Certificate Connector + AD CS
→
Device & user certsidentities, SAN-traceable
→
Wi-Fi + VPN802.1X and Always On consumers
Certificates
Three profile types carry the chain: Trusted certificate (root + issuing), SCEP, PKCS — created under Windows configuration and pointed at one shared issuance backend. Keep a single PKI behind the whole estate; parallel PKI builds are how orgs grow expiring things nobody owns.
Windows adds the user vs device certificate distinction with real teeth: device certs for machine auth (802.1X before sign-in, Always On VPN device tunnel), user certs for user-context auth. Decide per consumer; SAN variables ({{AAD_Device_ID}}, {{UserPrincipalName}}) keep both traceable.
Renewal is Intune-automatic — and renewal failure is silent at fleet scale: nothing tells you until devices start falling off the network. Alert on issuance-backend health, and watch 802.1X failure spikes as the canary.
Wi-Fi (802.1X)
Deploy the chain in dependency order — each profile consumes the one before it:
Trusted certificate profile first — the root (and issuing) CA the device must trust before anything signed by it means anything.
SCEP profile next — issues the device or user identity certificate against that root.
Wi-Fi (Enterprise) profile last — EAP-TLS, the identity certificate reference from step 2, and server trust names for your RADIUS so clients refuse imposter access points.
The Windows wrinkle worth designing for: machine vs user authentication — machine-auth (device cert) keeps the laptop on corporate Wi-Fi at the sign-in screen, which Autopilot first-boots and pre-logon support flows quietly depend on. If your NAC team asks "user or computer auth," the modern answer is usually device-first.
VPN
Always On VPN is the Windows flagship: an IKEv2/SSTP (or vendor-client) profile that establishes automatically — with the device tunnel (device cert, pre-logon, management traffic) / user tunnel (user identity, app traffic) split for orgs that need always-reachable endpoints. Trigger rules (app-, name-based) give per-app-VPN-adjacent behavior.
Vendor clients (Cisco, Palo Alto, Fortinet, Zscaler et al.) deploy as Win32 apps with their config via profile or the vendor's mechanism — the standard app-plus-config pattern: the client arrives as an app, its settings arrive as policy.
The strategic note: for Microsoft-stack orgs, modern access increasingly routes through identity-aware proxies and ZTNA rather than classic VPN — if a VPN profile's only job is reaching two legacy apps, that's an application-modernization conversation wearing a VPN costume.
Insights
Sequence the chain into enrollment-critical, filter-shaped assignments so ESP-blocked first boots land on corporate networks with working auth — a first boot that finishes on open guest Wi-Fi is a device you'll be re-touching.
Test certificate removal: retire a pilot device and confirm Wi-Fi/VPN access actually dies. The revocation story is half the security value and the half nobody rehearses.
Peer-to-peer content delivery — the bandwidth strategy under updates, Store apps, and Win32 content.
Every byte Intune-managed Windows downloads — WUfB updates, Store apps, Win32 content, Defender intelligence — rides Delivery Optimization (DO), and on bandwidth-constrained sites, DO policy is the difference between Patch Tuesday and Patch Outage.
Microsoft CDNupdates, apps, definitions
→
First peersdevices at the site
→
Branch-matespull from peers, not the circuit
Prerequisites
A per-site bandwidth picture: circuit sizes, VLAN/NAT topology, and which sites are thin enough to hurt — the policy decisions below are topology decisions first.
The network team in the room: throttle numbers and peer ports are their domain; the profile simply encodes the agreement you reach with them.
A boundary strategy: decide what "local" means in your estate (per branch, per site, per VLAN cluster) before touching the GroupID dial.
The Download Modes
The core decision is the download mode, set via Settings Catalog:
Mode
Behavior
For
HTTP only
No peering; every device pulls from the CDN
Tiny/cloud-only sites, troubleshooting baseline
LAN peering
Peers within the same NAT
The simple default for single-network offices
Group peering
Peers within a GroupID boundary you define (by Entra tenant, AD site, or explicit GroupID)
Multi-VLAN sites and branch topologies — the enterprise workhorse
Internet peering
Peers beyond the org
Almost never in corporate fleets
Step-by-Step: Building the Policy
Choose the download mode from the table above. Group mode with deliberate GroupIDs is the high-leverage configuration: devices at a branch peer with branch-mates, the WAN carries one-ish copy, and the 200-seat site with a 100 Mb circuit survives a feature update.
Define the GroupID boundary. Group peering honors a boundary you set — by Entra tenant, AD site, or an explicit GroupID per location. Explicit GroupIDs are the precise tool for branch topologies: devices that should peer share an ID; devices that shouldn't, don't.
Set the bandwidth throttles. Percentage or absolute caps, business-hours vs after-hours splits — set the daytime cap from the network team's actual circuit numbers, and let after-hours run wider.
Review the caching dials. Minimum content size to peer, cache size/age, peering-eligibility floors (battery/disk) — defaults are sane; change them only with evidence from a real site.
Add Microsoft Connected Cache where peers aren't enough. A server-side cache appliance/role upstream of peers for the sites where peer density is too low — the branch-office answer when DO alone can't carry the load.
Assign the profile to the broad fleet, with site-specific variants (different GroupIDs, tighter throttles) targeted only where topology demands them.
Verification
DO reports its own efficiency: per-device, Get-DeliveryOptimizationStatus and the DO Settings page show peer-vs-CDN byte splits; fleet-wide, the Windows Update/DO reporting surfaces % from peers — the KPI. A site showing 5% peering under group mode has a broken boundary (GroupID mismatch, blocked peer ports) — diagnose the topology, because the CDN is silently eating your WAN meanwhile.
Insights
DO is invisible until the network team escalates — get ahead of it: the first conversation with networking should hand them the modes table, the throttle policy, and the ports DO peers on, making IT the team that brought a bandwidth plan rather than the one that consumed Tuesday's circuit.
Autopilot day-one events are DO's stress test — 200 simultaneous first-boots pulling the ESP-blocking stack is exactly when group peering pays for the afternoon you spent configuring it.
The browser as managed surface — policy via Catalog, update channels, extensions, and the profile/identity story.
Edge is the most-configured app on a Windows fleet — browser policy is a large share of effective security and UX policy. The good news: Edge's management surface is enormous, native to the Settings Catalog, and the discipline is choosing the slice that matters.
Step-by-Step: The Settings That Earn Their Keep
Settle identity and profiles first. Sign-in behaviors, automatic creation of a separate browser profile for the corporate identity, and clean separation between corporate and personal profiles — the foundation that makes everything else (sync, Conditional Access session controls) coherent.
Set the security floor. SmartScreen enforced (the broader story), TLS/downgrade protections, password-manager policy (corporate decision: Edge's manager configured or blocked in favor of the sanctioned vault), site-isolation defaults left alone.
Install the extension regime. The high-value control — block by default, allow-list the sanctioned set, force-install the corporate-required ones. Unmanaged extensions are unvetted code with page-content access on every device; the allow-list converts that from a standing risk into a review process.
Brand startup, homepage, and new-tab lightly. Homepage and new-tab pointed at the intranet/portal earns goodwill; locking every UX surface earns ridicule.
Pin the update channel. Edge updates ride its own updater — pin the fleet to Stable with the channel policy, and let Autopatch manage the cadence where it's deployed. A canary group on Beta channel is the cheap early-warning system for the line-of-business web app that breaks on next month's engine.
Do
Block extensions by default; allow-list and force-install the sanctioned set
Pin the fleet to Stable with a Beta canary group
Point homepage and new-tab at the intranet — lightly
Don't
Lock every UX surface — that earns ridicule, not security
Leave extensions unmanaged — unvetted code with page-content access
Scatter Edge settings across careless profiles — one home per setting
IE Mode (the Legacy Annex)
Where ancient internal apps demand Trident, IE mode with a managed site list confines them: the listed sites render in the compatibility engine inside Edge, everything else stays modern. Treat the site list as a shrinking artifact with an owner — every entry is modernization debt with a URL.
Verification
On a pilot device, edge://policy lists every applied policy, its value, and its source — the on-device truth for whether the profile landed. Fleet-wide, the per-setting status and conflict reporting confirm the estate agrees with the design before the broad rings receive the profile.
Insights
Write the policy intent once (extension regime, security floor, homepage) and keep it separate from the profiles that express it — intent survives setting renames and engine updates, and an auditor handed intent-plus-implementation signs off faster than one handed four hundred raw settings.
The per-setting conflict reporting matters double for Edge — its settings arrive from baselines, security profiles, and UX profiles simultaneously in careless estates. One Edge profile per intent, one home per setting.
Silent sign-in, KFM, and Files On-Demand — making the endpoint hold nothing irreplaceable.
The cloud-native blueprint's disposability property — any device is replaceable in an hour — rests on one unglamorous pillar: the user's files aren't on the device in any way that matters. OneDrive with Known Folder Move, configured silent, is that pillar.
Prerequisites
Entra-joined identity — silent sign-in rides the device's signed-in identity; that mechanism is what makes activation zero-prompt.
Your tenant ID at hand — KFM policy pins folder redirection to your tenant, not to whichever account happens to be signed in.
A quota and outlier review — know the per-user storage entitlement, and expect the handful of users with enormous local folders to surface during rollout (they will; see Rollout Reality).
Silently sign in users to OneDrive with their Windows credentials — zero-prompt activation riding the Entra-joined identity; the user never "sets up" OneDrive, it's simply on.
Silently move Windows known folders to OneDrive (Desktop/Documents/Pictures), with the tenant ID pinned and user notification per taste — the actual KFM. Pair with prevent users from redirecting known folders back so the posture sticks.
Files On-Demand: enabled — content streams on access, disk holds placeholders + recents; the policy that makes 256 GB devices viable and first-sync non-events.
Add the supporting cast. Block syncing personal OneDrive accounts on corporate devices — the corporate data boundary, enforced at the sync client — plus known-folder-only enforcement where you want it, and upload throttles coordinated with the DO bandwidth plan on thin sites.
Assign in rings, pilot first — the next section explains why this is a migration, not a toggle.
Rollout Reality
KFM on an existing fleet is a data-migration event wearing a policy costume: large Desktops upload, quota questions surface, and the one user storing 400 GB of video in Documents finds you. Ring it like an update — the pilot ring surfaces the outliers, and comms answer "where did my files go" (nowhere — same folders, now protected).
The Payoff, Spelled Out
Device dies → user signs into replacement → Autopilot rebuilds the stack → OneDrive rehydrates Desktop and Documents as placeholders → productive within the hour, zero data conversation. "Reset it" becomes a legitimate fix (the blueprint property) the day KFM coverage hits 100% — which is why KFM coverage % belongs on the same KPI chart as encryption and Autopilot rates.
Device diesLost, stolen, or brokenNothing irreplaceable lives on it
ReplacementUser signs into any registered unit
RebuildAutopilot reprovisions the stack
RehydrateDesktop and Documents return as placeholders
ProductiveWithin the hourZero data conversation
Verification
Verify in three layers. On a single device, the known folders' paths now resolve under the OneDrive root and the sync client reports healthy. Per ring, watch the OneDrive sync-health reporting as the move executes. Fleet-wide, the Remediations channel can report KFM state per device, turning coverage into the number the KPI chart wants.
Insights
The classic silent-KFM blocker is a file open and locked in a known folder during the move — the policy retries, but a pilot-ring eye on the OneDrive sync-health reporting catches the stuck stragglers before broad rollout multiplies them.
Managing UEFI itself through Intune — boot options, cameras, radios, below the OS, tamper-resistant.
Device Firmware Configuration Interface (DFCI) is the deepest control Intune offers on Windows: UEFI firmware settings managed as cloud policy — boot options, hardware radios, cameras — enforced below the operating system, immune to OS reinstalls and local admin ambition. It's also the most prerequisite-laden feature on this site, which is why most orgs who'd benefit have never deployed it.
Applies toDFCI-capable hardware only — verify per model line
RequiresAutopilot registration via the OEM/partner channel — harvested hashes don't bind
Console pathEndpoint security > the firmware interface surface
ControlsBoot media, cameras/mics, radios, virtualization — below the OS
What It Controls
A DFCI profile (Endpoint security > the firmware interface surface) manages, hardware permitting: boot from external media/USB (the headline — closing the boot-a-Linux-stick hole that no OS policy can), cameras and microphones at the firmware level (the regulated-environment ask), radios (Wi-Fi/Bluetooth below the OS), and CPU virtualization settings underpinning VBS/Credential Guard. Local UEFI menu changes to managed settings are refused — the firmware trusts the cloud authority, not the keyboard.
The Prerequisites (Read Twice)
DFCI-capable hardware — the OEM must ship UEFI that implements DFCI (Surface lineage and a set of enrolled OEM/model lines; verify your exact models against current OEM support statements).
Autopilot registration via the right channel — DFCI trust chains to Autopilot registration performed by the OEM/partner (or Microsoft-trusted path); hashes you harvested yourself don't establish firmware trust. This is procurement plumbing, decided at purchase.
The device enrolls through Autopilot; the DFCI profile targets the Autopilot device group.
Miss any leg and the profile simply doesn't bind — the classic DFCI "failure" is an ineligible device, not a broken policy.
Deploying It
Confirm hardware eligibility per model against current OEM support statements — eligibility is per model line, not per vendor, and the answer changes over time.
Verify the Autopilot registration channel. Registration must have come through the OEM/partner (or Microsoft-trusted) path; if your devices were hash-harvested in-house, fix procurement first — no profile setting compensates.
Create the DFCI profile (Endpoint security > the firmware interface surface) and define the firmware posture: boot-from-external-media, cameras and microphones, radios, the virtualization settings.
Target the Autopilot device group — DFCI binds to Autopilot-registered devices, so the device group is the natural assignment boundary.
Enroll (or re-enroll) the device through Autopilot. The firmware trust establishes during Autopilot enrollment; an eligible device that enrolled another way binds nothing until it goes through the right front door.
Verification
The profile's per-device status in the console is the first check, but the convincing test is physical: open the UEFI menu on a managed device and watch a managed setting refuse local change — enforcement below the OS, demonstrated once, buys the whole team conviction. Devices reporting as not applicable are the eligibility story above (hardware or registration channel), not a policy bug.
Where It Earns Deployment
High-assurance fleets (boot-path lockdown as audit line item), camera-prohibited environments (firmware-off beats OS-off in every review), and kiosk/signage hardware where physical access is assumed hostile. For the standard knowledge-worker fleet, BitLocker + Secure Boot + standard users already covers the realistic threat model — DFCI is precision equipment, not a default.
Insights
Decommissioning is part of the design: DFCI unenrollment must happen before the device leaves management forever, or you've manufactured firmware-locked e-waste — make unenrollment a standing line on the device retirement checklist; it's the deepest lifecycle landmine on the platform precisely because it survives everything else.
If DFCI is out of reach (hardware/channel), the honest fallbacks: UEFI passwords via OEM tooling and Secure Boot attestation in compliance — weaker, but real.
Single-app and multi-app Windows kiosks — the profile, the account model, and the Edge-kiosk pattern that covers half of all cases.
Windows kiosks ride assigned access: the OS confines a sign-in to a defined app surface. Intune's kiosk profile (Devices > Configuration > the kiosk template) expresses it two ways — and the enrollment story underneath is half the design.
one app, full screen, forever — signage, check‑in, lookupSingle-app modeAuto-logon local account; Edge kiosk + a URL covers half of all cases.
a curated app set behind a restricted shellMulti-app modeAllowed-apps list + Start layout, bound to specific accounts.
interactive frontline work with shift sign-inShared PC mode insteadAssigned access is confinement; shared PC is multi-user hygiene.
A defined app surface: know exactly what the confined session must expose — one app or a curated set — and which account model the floor plan demands.
Building a Single-App Kiosk
One app, full screen, forever:
Create the kiosk profile in single-app mode and let it create and manage the auto-logon local account — the device boots straight into the experience, no credentials in the lobby.
Choose the app. A UWP app, or — the workhorse — Edge in kiosk mode: a URL, full-screen or public-browsing behavior, idle-timeout reset. The "signage/check‑in/lookup screen" class is an Edge-kiosk profile and a URL, no app development required.
Pair the shell suppression with update discipline. The profile handles the shell; align update windows so deadline restarts respect the lobby.
Building a Multi-App Kiosk
A restricted shell exposing a curated app set:
Define the allowed-apps list (UWP and desktop apps by path/AUMID) plus a Start layout defining what the confined user sees.
Bind the configuration to accounts. The kiosk config targets specific local/Entra accounts or groups — which is how one device can be a kiosk for visitors and a workstation for the technician who signs in with a real identity.
Make the escape-hatch decisions explicitly. Taskbar visibility, folder access, every suppressed surface — each one is a workflow you've certified doesn't need it, and that certification belongs in writing, not in assumption.
The Operating Disciplines
The appliance rules: device-group targeting via Autopilot group tags, check‑in alerting because nobody complains for a kiosk, maintenance-window updates, and a remote-recovery ladder ending in reprovision-by-anyone thanks to self-deploying enrollment.
Verification
Test against the hostile-curiosity checklist before the device ships to its lobby: Ctrl+Alt+Del paths, edge-swipe/accessibility invocations, file-dialog escapes from print/save surfaces inside the allowed app. The assigned-access confinement is good, and the app's own dialogs are where determined visitors find Explorer — the allowed app's surface area is the kiosk's attack surface.
Insights
For interactive multi-app frontline scenarios with shift sign-in, compare honestly against shared PC mode + a tight Start layout — assigned access is confinement; shared PC is multi-user hygiene; conflating them produces the wrong tool politely misconfigured.
Many-user Windows done deliberately — account lifecycle, storage hygiene, and the settings that keep shared hardware healthy.
Shared PC mode is a deliberate policy set (the SharedPC configuration surface) that converts a device from "one human's machine" to rotating-population infrastructure — labs, frontline stations, training rooms, library floors — with the account, storage, and maintenance hygiene that rotating populations demand.
What the Mode Actually Does
Account lifecycle management: the headline. Local profiles accumulate on shared hardware until the disk chokes; shared PC mode deletes them by policy — at sign-out (strictest), at disk-space thresholds, or by age. Pick the deletion model per population: training rooms purge at threshold; exam labs purge at sign-out.
Guest/kiosk account options: a no-credential guest experience where the population is anonymous — distinct from assigned access confinement; guest mode is open computing with hygiene, kiosk is a locked surface.
Power and maintenance posture: the mode carries sleep/wake and maintenance-friendly defaults tuned for always-available shared hardware — review them against your update-window design rather than discovering the interactions.
Storage and restriction hygiene: local-storage discouragement pairs naturally with the real answer — OneDrive/KFM so whatever a user touches follows their identity, not the hardware.
every sitting must start clean — exam labsDelete at sign-outThe strictest model; no profile survives the session.
steady rotation where disk space is the constraint — training roomsDelete at thresholdProfiles persist until free space demands the purge.
The Composite Design
A working shared fleet is four pieces aimed at one device population (the enrollment page's dimension discipline):
Enrollment: self-deploying/pre-provisioned, no primary user
Shared PC mode: account lifecycle per the population's rhythm
Identity: Entra sign-in for known users (with Hello realities considered — per-device credential enrollment on rotating populations is friction; FIDO keys or web sign-in often fit shared fleets better) or guest mode for anonymous ones
Apps/policy: device-targeted everything, because user-targeted assignments on rotating populations produce install churn at every sign-in
Verification
Prove the lifecycle policy before the room opens: sign in with two or three test accounts, sign out, and confirm profiles purge per the chosen model (immediately at sign-out, or once the disk crosses the threshold). Then watch the C: drive's free-space and profile-count trend across the first real week of rotation — on a healthy shared fleet, both stay flat.
Insights
The failure smell of unmanaged sharing is always the same: a C: drive full of profile corpses and a stale primary user nobody remembers — shared PC mode is the systemic fix, and the Remediations channel makes a fine drift detector (profile count as an output string) for fleets that should be in the mode and aren't.
Decide the printer/peripheral story per room, not per ticket — shared rooms live and die on "can I print from any station," which is exactly the Universal Print brief.
Layout JSON, pinning policy, and the restraint doctrine — branding the shell without becoming the villain.
Shell customization is where IT's reach most visibly meets the user's sense of ownership — every pin and layout decision is felt daily, which makes this small policy family disproportionately political. The modern tooling is good; the doctrine matters more than the mechanics.
Step-by-Step: The Mechanics
Author the Start layout. Modern Windows takes a JSON pinned-layout definition delivered via Settings Catalog — your curated pins (Company Portal, the LOB suite, Office) in defined order. The historic XML approach belongs to older builds; check which your fleet's OS generation expects and don't mix eras in one estate.
Make the partial-vs-full lockdown decision. A pinned set users can extend versus a locked layout users can't touch. Knowledge workers get the former — seed the pins, surrender the rest. Kiosk and frontline surfaces get the latter, where the layout is the workflow.
Apply the same curate-vs-lock decision to the taskbar, plus the de-noising set — search box presentation, widgets/news feeds off on corporate fleets (consumer content surfaces in an enterprise shell read as unserious), chat/consumer-Teams entry points aligned with your actual collaboration stack.
Finish with the adjacent de-consumering. The Catalog's content-delivery and suggestion settings (app suggestions, welcome experiences, consumer features) — the single most appreciated invisible policy set you'll ship.
The Doctrine
Seed, don't cage. The defensible enterprise posture: a clean first-run (corporate pins present, consumer noise absent) with user freedom thereafter. Full layout lockdown on knowledge workers buys negligible security for maximal resentment — every pin a user can't move is a daily reminder of who owns the machine, and that's a currency you spend on things that matter. Lock layouts where the device is infrastructure (kiosk, shared), seed them where the device is someone's tool.
Do
Seed corporate pins on a clean first-run, then surrender the layout
Lock layouts only where the device is infrastructure — kiosk, shared
Check the result where it actually lands: a pilot-ring device's first sign-in after enrollment should render the curated pins in order with the consumer noise absent — screenshot it, because that first-run surface is the deliverable. For changes to existing devices, the layout applies after the next policy sync (a fresh sign-in is the reliable way to see it); confirm on one machine per OS generation before ringing wider, since the JSON-era and XML-era handling differ.
Insights
The Start layout is a first-impression artifact — it renders during the Autopilot first sign-in alongside the ESP and the branded enrollment; a deliberate layout there says "ready for you" the way a default one says "IT didn't finish."
Version the layout JSON in the repo and ring its changes — a fleet-wide pin reshuffle is a fleet-wide muscle-memory reset, and the pilot ring's grumbling is data.
Cloud-native printing — retiring print servers, deploying printers by policy, and the honest migration map.
Printing is the last on-prem dependency most "cloud-native" fleets quietly retain — Entra-joined laptops still whispering to a print server over VPN. Universal Print is Microsoft's retirement plan: printers registered to the cloud service, discovered by Entra identity, deployed by Intune policy, no print servers, no drivers on clients.
PrintersUP-native, or legacy via the connector
→
Universal Printcloud objects, Entra-group shares
→
Managed devicesuniversal driver — no servers, no driver packaging
The Architecture
Printer side: UP-native printers register directly (most current enterprise fleets from the major vendors); legacy hardware joins via the Universal Print connector — a lightweight Windows service bridging old printers to the cloud (the transitional crutch, not the destination).
Service side: printers live as cloud objects with Entra-group-based share permissions — who can print where becomes group membership, the same targeting muscle as everything else.
Client side: Windows speaks UP natively with the universal driver model — the driver-packaging hobby ends. Intune deploys printers via the Universal Print policy surface: target a group, list the printer shares, optionally set the default; users on managed devices simply have the right printers. Location-based discovery covers the roaming case.
Licensing: UP rides Microsoft 365 entitlements with pooled job allowances — do the volume math against your print reality before the design review does it for you.
The Migration Map
Inventory the print estate: per-printer model (UP-native?), monthly volume, owning group
Pilot one site: native printers direct, stragglers via connector, Intune policy deploying to the pilot group
Cut sites over group by group — the migration choreography in miniature: deploy UP printers, verify, remove legacy connections (a Remediation makes a tidy legacy-printer sweeper)
Retire servers as their queues empty — the actual point; a UP deployment that leaves every print server running bought complexity, not cloud
Verification
Per cutover wave: print a test page from a managed device to every migrated queue, confirm the job appears in Universal Print's service-side job visibility (one of the things you just bought), and sweep for lingering legacy printer connections — the Remediation sweeper from step 3 doubles as proof they're gone. The pilot site's ticket volume is the real scorecard.
Insights
The connector is the honest compromise and the classic permanent-temporary: give every connector-fronted printer a hardware-refresh exit date in the asset lifecycle ledger, or the bridge becomes the architecture.
Print is emotionally critical infrastructure — the pilot's success metric is silence: ring it with the accounting team's blessing during a non-close week, and let the absence of tickets be the case study.
The experience telemetry you already own — startup, reliability, and the evidence layer under "my computer is slow.
Endpoint Analytics is the answer to a question every IT org argues about with anecdotes: is the fleet actually getting slower? It's experience telemetry built into the platform — scores you mostly already license, waiting to be turned on and read.
What It Measures
Startup performance: boot and sign-in phase timings per device and per model — where the slow-logon investigation starts with data instead of a screen recording
Application reliability: crash/hang rates per app across the fleet — the evidence that one LOB app's build is hurting everyone, weeks before the ticket pattern would show it
Restart frequency and the health adjacencies that contextualize the rest
Each rolls into comparative scoring against baselines and your own history — the trend line being the product: direction, per model, per ring, per change.
Turning It On
Confirm the license tier. The core scores ride entitlements most enterprise tenants already hold; the Advanced Analytics tier extends the floor (anomaly detection, battery and resource depth) — evaluate it after you've exhausted the included layer, which most orgs never fully read.
Enable data collection via the Intune health-monitoring policy — scope follows the policy's assignment, so decide deliberately whether analytics covers the whole estate (usually yes) or named populations.
Wait for the baseline. Data populates over days, and the comparative scoring needs history before trend lines mean anything — resist reading week one as truth.
The Operating Patterns
Hardware refresh by evidence: startup scores by model age turn the hardware-refresh budget conversation into a chart — the devices below the line are the refresh list, defensibly
Change validation: ship a baseline or agent change to ring 1 and watch its scores for a week — regression caught as a number, not as a complaint volume
Remediation pairing: analytics finds the pattern, Remediations fixes it at scale, analytics confirms — the closed loop the two features were designed to be
DetectAnalytics finds the patternScores by model, ring, and change
FixRemediations act at scale
ConfirmAnalytics proves the recoveryThe closed loop the two features were designed to be
Insights
The political value equals the technical: "user experience" finally has a number both IT and the business read the same way — which converts the perennial perception fight ("everything's slow since the security agent") into a falsifiable claim with a dashboard. Sometimes the agent really did cost four seconds; now you know — and the vendor conversation starts from evidence instead of anecdote.
The WUfB driver service — approval flows, automatic policies, and bringing the last unmanaged update lane under control.
OS updates got rings and deadlines; apps got pipelines; drivers stayed the wild west — vendor utilities, manual downloads, and hope. The Windows Update driver-management service closes the gap: OEM-published drivers, surfaced per-device-applicable, deployed through Intune policy with the same ring discipline as everything else.
OEMpublishes to the driver catalog
→
Intune driver policyapplicability match + approval queue
→
Fleetringed rollout, reported per device
The Model
Intune's driver update policies ride Windows Update's driver catalog — the same channel OEMs publish through — with two operating modes per policy:
Manual approval: the service surfaces applicable drivers (matched to your actual enrolled hardware — no more guessing which fleet a driver touches); each waits in a review queue until approved, with a scheduled availability date. The change-controlled lane.
Automatic approval: applicable drivers flow on a deferral you set — the default-ring philosophy applied to drivers, appropriate once trust is earned.
Deployment then rides the normal Windows Update plumbing the fleet already trusts — Delivery Optimization, the update UX, the reporting surface.
Step-by-Step: Rings for Drivers
Drivers earn more caution than quality updates — they're the historical HVCI-blocker and safeguard-hold source. Structure the rollout accordingly:
Create a ring-1 policy on automatic approval with a short deferral — the canary fleet absorbing OEM regressions while the blast radius is a handful of devices.
Create the broad-ring policies on manual approval. Drivers reach the wide fleet only by promotion: approve from the review queue with a scheduled availability date, on the strength of ring-1 evidence.
Review firmware-class updates individually, always — a bad driver rolls back; bad firmware is a bench day.
Rehearse the pause and rollback controls once, on purpose, so the first real incident isn't a research project.
Verification
The policy reports name what's applicable, approved, and installed per device — read them after each promotion wave; a driver sitting at applicable-but-not-approved on a broad ring is a promotion you forgot, not a mystery.
What This Retires
The OEM agent sprawl — the vendor update utilities living on every device with their own schedules, elevation, and telemetry. Migrating driver authority to WUfB policy lets a deliberate Uninstall-assignment campaign sweep the agents away, shrinking the very attack-and-update surface they existed to patch.
Insights
Coverage check before victory: the catalog carries what OEMs publish to Windows Update — most enterprise lines are well-covered; specialty hardware may not be. The applicable-drivers report against your model list names the residual fleet that keeps a vendor tool — by choice, and documented.
Governing the AI surface — Windows Copilot, Edge AI features, Recall-class capabilities, and the policy posture that survives renames.
AI features are the fastest-moving policy surface on the platform — shipping, renaming, and re-scoping faster than any documentation cycle. The durable skill isn't a settings list; it's the posture framework plus knowing where each control lives.
Review cadenceQuarterly — every release ships AI policy changes
The Control Locations
Windows Copilot / on-OS AI surfaces: Settings Catalog policies govern presence and behavior of the OS-level assistant surfaces — taskbar entry points, the assistant's availability per device population. Names here churn; the Catalog search ("Copilot," "AI") on each release is the reliable discovery method.
Recall-class capabilities (the screen-snapshotting/recollection features on capable hardware): explicit disable/enable policies exist precisely because the data-governance stakes are obvious — regulated fleets set this first, on purpose, and the data-boundary questions deserve written answers: what gets captured, where it rests, who can query it.
Edge AI features: sidebar/assistant integrations ride Edge management's policy schema — the browser is its own AI surface with its own toggles.
M365 Copilot: licensed and governed service-side (M365 admin and data-governance tooling) — your endpoint policy decides surface visibility; the tenant decides data reach. Don't promise endpoint policy can govern what's a service entitlement.
The Posture Framework
Decide once, per fleet, three questions: (1) Which AI surfaces may exist (visibility), (2) what data may they touch (the DLP/boundary conversation — commercial data protection status, tenant grounding), (3) who's entitled (licensing reality from the editions page). Most estates land tiered: knowledge workers get sanctioned, tenant-grounded AI; regulated fleets get explicit-off on capture-class features; kiosk/shared populations get none, because an assistant on a lobby device is surface without a user.
the population is knowledge workersSanctioned, tenant-grounded AIApproved surfaces stay visible; the data boundary does the governing.
the fleet is regulatedExplicit-off on capture-class featuresRecall-class capabilities disabled first, on purpose, with written data-boundary answers.
the device is kiosk or sharedNo AI surfacesAn assistant on a lobby device is surface without a user.
Insights
Put this policy family on a standing quarterly review: each Windows and Edge release ships AI policy changes, and an unreviewed posture quietly becomes whatever Microsoft's current default is — which is a decision, just not yours.
Write the posture as intent ("no ambient screen capture on regulated fleets") not as setting names — the settings will rename; your one-line intent survives and the quarterly pass re-maps it.
Modern standby, lid-and-button policy, and the power settings that decide update success and battery lifespan.
Power policy looks like preference territory until you notice what rides on it: update installs need devices awake at the right moments, battery lifespan is a fleet cost, and "my laptop was hot in my bag" is a modern-standby story. The Settings Catalog's Power family, organized by what's actually at stake:
Step-by-Step: The Settings That Earn Configuration
Profile sleep, hibernate, and lid/button behavior, AC and DC separately: the corporate defaults conversation — aggressive-enough idle sleep for energy posture, hibernate-on-critical-battery so unsaved work survives, lid-close behavior matched to docking reality (the closed-lid-docked fleet wants do nothing on AC).
Set expectations for modern standby. Connected-standby hardware sleeps "lightly" by design — network-on, occasionally warm. The policy surface tunes the edges; the expectation-setting is yours: bag-heat tickets on modern-standby hardware are mostly physics plus a runaway app (Endpoint Analytics finds the app).
Align power with the update windows. Deadline-driven restarts need devices reachable and awake-able — power policy that hibernates everything into unreachability fights your own WUfB design; align sleep depth and wake permissions with the update rhythm so maintenance windows find devices they can actually wake.
Use the battery health levers where OEM hardware exposes them (charge thresholds via vendor tooling/policy on dock-resident fleets) — hardware that lives at 100% charge on a dock ages its battery fastest, and laptop carts deserve the same longevity discipline as any always-docked fleet.
Defaults per Fleet
Knowledge workers get humane defaults and user freedom inside them (the restraint rule); kiosk/signage gets never-sleep + scheduled-restart discipline; shared carts get the mode's maintenance-friendly posture reviewed, not assumed.
the fleet is knowledge workersHumane defaultsSensible sleep and hibernate posture, user freedom inside it.
the device is kiosk or signageNever-sleep + scheduled restartsAlways-on posture with restart discipline instead of idle sleep.
the fleet is shared cartsMaintenance-friendly posture, reviewedThe mode's defaults are a starting point — review them, don't assume them.
Verification
Validate on real hardware classes, not in the abstract: confirm a docked, lid-closed pilot device stays awake on AC and takes its update-window restart; confirm a battery device hibernates at the critical threshold instead of dying mid-document; and on modern-standby models, powercfg /sleepstudy names whatever kept the device warm in the bag.
Insights
Power policy is the hidden variable in three other pages' mysteries: the update-failure "won't install overnight" class, the sync-health "device asleep for days" class, and the slow-Monday-boot class. When those tickets cluster, audit power before anything clever.
Clock discipline as policy — why skew breaks Kerberos and TLS, the W32Time settings to deploy, and how to verify fleet-wide.
Nobody opens a ticket asking for time policy. They open tickets for what its absence breaks: Kerberos failures against hybrid resources that masquerade as identity mysteries, certificate validation errors around wrong time, 802.1X handshakes failing on skewed clocks, and log timelines that can't be correlated across devices. Kerberos tolerates only minutes of drift; everything downstream inherits the assumption that the fleet agrees what time it is.
ProtocolNTP over UDP 123 outbound
Console pathSettings Catalog > Administrative Templates > System > Windows Time Service > Time Providers
Skew budgetKerberos tolerates only minutes of drift
Verifyw32tm /query /status per device
How Windows Time Works Under Management
The Windows Time service (W32Time) syncs from a source determined by join state: Entra-native devices default to time.windows.com; domain-joined stragglers follow the AD hierarchy until they're migrated off it. Policy is needed exactly twice — when segmented networks block outbound NTP (UDP 123) and devices must use an internal source, and when you want the defaults enforced rather than assumed.
Recommended Configuration
Three moves, then verify:
Create the profile.Settings Catalog → Administrative Templates → System > Windows Time Service > Time Providers.
Set the values from the table below — the point is enforcing the defaults you currently only assume.
Assign to the all-Windows baseline group; firewalled sites get a filter-targeted variant pointing at the internal source.
Setting
Recommended value
Enable Windows NTP Client
Enabled
Configure Windows NTP Client → NtpServer
time.windows.com,0x9 (or your internal NTP source)
Configure Windows NTP Client → Type
NTP (Entra-native) · NT5DS only for domain-hierarchy devices
Configure Windows NTP Client → SpecialPollInterval
3600 (hourly)
Enable Windows NTP Server
Disabled (endpoints serve nothing)
Verification
Per device, w32tm /query /status is the truth (source, stratum, last sync); fleet-wide, a Remediation that flags offset beyond your threshold and triggers a resync turns clock health into a managed property with a compliance-style number attached.
Insights
Install the triage reflex: authentication failures that resist identity-side explanation get a clock check first — skew is a thirty-second test or a week of escalation, depending on when someone thinks of it.
The OT/manufacturing edge case is where this page earns its keep: isolated networks with no internet path need the internal-NTP variant before the first 802.1X rollout there, not after.
Automated disk hygiene by policy — the settings that keep updates installable, with the two dials that need deliberate choices.
Disk-full is the upstream cause of a whole class of failures: updates that won't install, profile bloat, slow sign-ins, and the 128 GB cohort limping through every release wave. Storage Sense is the built-in answer — automated cleanup of temporary files, Recycle Bin aging, and cloud-content dehydration — and under policy it runs fleet-wide without asking anyone to remember it.
Set the values from the table below, and treat the two flagged dials as deliberate decisions rather than defaults — the reasoning follows the table.
Assign broadly — this is baseline hygiene for the whole Windows estate, and the small-disk cohort feels it first.
Setting
Recommended value
Allow Storage Sense Global
Allowed
Config Storage Sense Cadence
7 (weekly) — or 0 to run only on low free space
Allow Storage Sense Temporary Files Cleanup
Allowed
Config Storage Sense Recycle Bin Cleanup Threshold
30 days
Config Storage Sense Downloads Cleanup Threshold
0 (never) — see below
Config Storage Sense Cloud Content Dehydration Threshold
60 days
Two dials carry real consequences. Downloads stays at never: users treat Downloads as storage whether you approve or not, and a policy that silently deletes their files manufactures the worst kind of ticket — data loss with your name on the change record. Dehydration at 60 days is the quiet hero: locally-cached Files On-Demand content reverts to cloud-only after two unused months, which is the single biggest silent disk reclaimer on KFM fleets — and entirely safe, since the files remain one click away.
Do
Leave Downloads cleanup at 0 (never) — users treat Downloads as storage
Set cloud-content dehydration to 60 days on Files On-Demand fleets
Make Storage Sense and Delivery Optimization agree on what "low disk" means
Don't
Ship a policy that silently deletes user files — data loss with your name on the change record
Let cleanup and the DO cache take turns undoing each other
Verification
The win is measurable: free-disk percentiles by model from the inventory rhythm, charted before and after rollout. Endpoint Analytics surfaces the downstream effect as the disk-pressure complaints thin out.
Insights
Pair this page with Delivery Optimization's cache sizing deliberately — DO defends a cache, Storage Sense reclaims space, and the two should agree on what "low disk" means or they'll take turns undoing each other.
The small-disk cohort is the policy's report card: if the 128 GB fleet's free-space curve doesn't lift within a month, the problem isn't hygiene — it's the hardware refresh-spec conversation this chart now lets you have with evidence.
The .intunewin pipeline — packaging, detection, requirements, dependencies, and supersedence done properly.
Win32 is the workhorse Windows app type: any installer (MSI, EXE, scripts-around-either) wrapped into .intunewin, delivered by the Intune Management Extension with real logic around it. The standing rule: package everything as Win32 — the legacy "LOB MSI" type lacks the logic below and mixing types causes more grief than standardizing ever will.
Console pathApps > Windows > Win32
RequiresIntuneWinAppUtil.exe — the Win32 Content Prep Tool
Delivered byIntune Management Extension
LogIntuneManagementExtension.log
The Pipeline
WrapSource → .intunewinContent Prep Tool encrypts the installer
CreateCommands + behaviorSilent install/uninstall, System or User context
DetectThe installed contractMSI code, file, registry, or script
Install / uninstall commands — silent flags are your job (setup.exe /S, msiexec /i app.msi /qn); wrap complex installs in PowerShell, or adopt PSAppDeployToolkit for anything with pre/post logic, user dialogs, or process-closing needs — it's the community standard for a reason.
Install behavior: System for machine-wide (the default posture), User for per-profile apps.
Detection rules — the contract that tells IME "installed": MSI product code (cleanest), file/version, registry, or a custom script (exit 0 + stdout = detected) for anything nuanced. Bad detection is the #1 Win32 failure class: app installs fine, detection never confirms, Intune retries forever.
Requirements — OS floor, architecture, optionally a requirement script (e.g., "only laptops") — requirements gate before install, sparing the failure column from not-applicable noise.
Dependencies: "this app needs the VC++ runtime first" — declared, and IME sequences them. Chains stay shallow or debugging gets archaeological.
Supersedence: new version replaces old — with or without uninstalling the predecessor. This is your in-place upgrade mechanism; pair with versioned detection and app updates become routine instead of events.
Delivery Mechanics Worth Knowing
Content delivers from Intune's CDN (with Delivery Optimization peer-sharing — configure its policy on bandwidth-sensitive sites). IME logs every decision in IntuneManagementExtension.log — the first stop for any install dispute. System-context installs run 64-bit-hosted; scripts touching the registry/filesystem should be bitness-aware (sysnative from 32-bit hosts).
Verification
Before broad assignment, prove the loop on one clean machine: the install lands, the detection rule confirms it (the per-device status flips to installed only after detection passes), and the uninstall command genuinely removes it. Fleet-wide, the app's install-status report is the truth; a climbing failure count nearly always traces to detection logic or a silent-flag regression, and IntuneManagementExtension.log on a failing device settles which.
Insights
Test the uninstall command with the same rigor as install — supersedence, retirement, and "remove the broken version" all depend on it, and nobody tests it until production needs it.
Keep a packaging repo: source, wrapped output, commands, detection logic, version history — Win32 packaging is tribal knowledge that belongs in Git, not in one engineer's Downloads folder.
ESP-blocking Win32 apps get extra scrutiny: every minute of their install time runs on the enrollment clock.
The Microsoft Store (new) app type — winget-backed deployment with auto-update for free.
The Microsoft Store app (new) type is Intune's integration with the winget ecosystem: search the Store catalog from inside Intune, click add, assign — no packaging, no update pipeline, because the Store keeps the app current. For everything it covers, it deletes an entire maintenance category.
Console pathApps > Windows > Add > Microsoft Store app (new)
CoversUWP and vendor-published Win32 in the Store catalog
UpdatesAutomatic — the Store keeps the app current
Verifywinget list shows package and version per device
What It Covers
The modern Store carries both UWP and traditional Win32 apps published by their vendors (Company Portal, browsers, common utilities, a growing long tail). If the app you package quarterly is in the Store catalog, you've been volunteering.
The Loop
Apps > Windows > Add > Microsoft Store app (new) → search the catalog in-blade → select.
Choose install context where offered (System for machine-wide).
Assign Required/Available. Done — IME + the Store plumbing handle delivery, and updates flow from the Store automatically thereafter.
Compare the Win32 page's pipeline length and the value proposition states itself.
Verification
The per-app install status report covers the fleet view; on any single device, winget list shows the installed package and version — useful when you want to confirm the Store's auto-update actually moved the fleet after a vendor release.
The Decision Matrix
App
Type
In the Store catalog, vendor-published, no install customization needed
Store (new) — always
Needs transforms, config files, pre/post logic, or license keys at install
Win32 for the install, accept you own updates — or app-config via policy post-Store-install if the vendor supports it
Company Portal itself is the canonical Store (new) deployment — make it the first one you create.
Insights
Auto-update is the feature and the trade: versions move on the vendor's schedule. The handful of apps your org pins (validated plugin chains, regulated tooling) stay Win32 with supersedence — deliberate version control is the one thing the Store type doesn't sell.
Older "Microsoft Store for Business" content is retired history — if a guide references it, the guide predates the current model; translate to Store (new)/winget.
The same winget engine is scriptable on devices (winget install, via scripts) for edge automation — handy in labs, but fleet deployment belongs in the app type where reporting and assignment live.
Required vs Available, Company Portal as the front door, and an update doctrine per app class.
Individual app types are mechanics; this page is the doctrine — how a fleet's app estate stays coherent at scale.
Required vs Available (vs Uninstall)
Required: installs silently, repairs on drift (detection-driven), the device must have it. Reserve for the true core — security agents, the apps the business runs on.
Available: appears in Company Portal for self-service. The default for everything else — every Available app is a helpdesk install request that never happened and an ESP minute never spent.
Uninstall: the retirement assignment — pair with the replacement's Required rollout when sunsetting; don't leave zombie installs to attrition.
Layer with filters: one app, one packaging, many shaped assignments — Required to the department that lives in it, Available to everyone else.
the business runs on it — security agents, the true coreRequiredInstalls silently, repairs on drift; the device must have it.
anyone might want it, nobody must have itAvailableSelf-service in Company Portal — a helpdesk request that never happened.
the app is being sunsetUninstallPair with the replacement's Required rollout; no zombie installs left to attrition.
Company Portal Is a Product — Treat It Like One
Branding (Tenant administration > Customization: logo, support links, categories), app categorization, and featured apps decide whether self-service happens. A curated Portal with ten categorized, described apps beats a 200-item alphabet dump — storefront curation is the difference between a portal users open and one they ticket around. Deploy Company Portal itself via Store (new), Required, fleet-wide.
Vendor auto-update where trustworthy; pinned + superseded where not — decide per agent, in writing
The anti-pattern: no doctrine — where every app updates by whichever mechanism it shipped with, and the vulnerability report becomes a quarterly surprise.
Do
Give every app class a written update mechanism
Decide vendor auto-update per security agent, in writing
Watch the per-device truth with the App Install Status report
Don't
Let every app update by whichever mechanism it shipped with
Treat the vulnerability report as a quarterly surprise
Insights
Enterprise App Management (the Intune Suite add-on catalog of pre-packaged, Microsoft-maintained third-party apps with update handling) is worth an evaluation if Win32 packaging volume is a real cost center — it's purchased toil-reduction for exactly the table row above that hurts most.
Measure the estate: point the App Install Status script at any Windows app for the per-device truth, and run failure triage with a consistent ladder — the Win32 failure taxonomy is the deep-dive when a specific app's numbers turn red.
One-shot PowerShell and detect-fix pairs — the automation layer that closes the gap between policy and reality.
Two script vehicles ride the Intune Management Extension, and choosing correctly between them is the difference between automation and entropy.
it's one-time state that policy can't expressPlatform scriptRuns once per device — migration cleanups, legacy agent removal, initial state-sets.
it must stay trueRemediationDetect + fix on a schedule — drift gets noticed, corrected, and reported.
you only need fleet telemetryDetect-only pairA remediation that never fires — a free scheduled audit, output string as the data column.
Platform Scripts (One-Shot)
Devices > Scripts and remediations > Platform scripts: a PowerShell script that runs once per device (re-running only if the script changes). Context (System/User), 64-bit host toggle, signature enforcement optional.
Right uses: one-time configuration that policy can't express — a migration cleanup, a legacy agent removal, an initial state-set. Wrong use: anything that must stay true — a one-shot script can't notice drift, which is precisely the next section's job.
Remediations (Detect + Fix, on a Schedule)
The crown jewel: paired scripts — detection (exit 0 = healthy, exit 1 = remediate) and remediation (the fix) — running on a schedule (hourly/daily) with fleet-wide reporting of detected/remediated counts and per-device output strings.
This is desired-state enforcement for everything between policy's reach and reality:
Service X must be running and auto-start → detect checks, fix corrects
The legacy agent must stay gone → detect finds remnants, fix removes
Registry/config drift on settings no CSP covers → detected, corrected, reported
Fleet telemetry: a detect-only pair (remediation never fires) is a free scheduled audit with the output string as your data column
Doctrine: detection scripts are fast and side-effect-free; remediation scripts are idempotent (safe to run twice); both write one terse, meaningful line to stdout — that string is your report.
Building a Pair, Step by Step
Author the detection script against the doctrine above: check the condition, write one line to stdout, exit 0 (healthy) or 1 (remediate) — nothing else.
Author the remediation as a script you'd be comfortable running twice on the same machine, because the schedule eventually will.
Create the pair under Devices > Scripts and remediations: upload both scripts, set run context (System for machine state, User for per-profile state), and the 64-bit toggle for anything touching the native registry/filesystem views.
Set the schedule — daily is right for most pairs; hourly is for the few that earn it (see Insights).
Assign to a pilot group first and read the detected/remediated counts and per-device output strings before broadening — a detection bug at fleet scale is a fleet-scale false alarm, or worse, a fleet-scale fix for a problem that wasn't there.
The Hierarchy of Enforcement
Reach for tools in this order: Settings Catalog/CSP (the OS enforces) → Remediation (you enforce on a schedule) → Platform script (you set once and hope). Every remediation is a small confession that policy couldn't express the need — fine, but when a Catalog setting later appears for it, retire the script. Script estates only grow unless gardened.
FirstSettings Catalog / CSPThe OS enforces it
ThenRemediationYou enforce it on a schedule
LastPlatform scriptYou set it once and hope
Insights
Version control the lot (the repo discipline) — scripts-in-portal-only is how orgs lose the why behind forty remediations.
Output strings are queryable via Graph — a detect-only remediation plus a scheduled Graph pull is a poor admin's fleet telemetry pipeline, and frequently all you need before buying one.
Mind the schedule budget: forty hourly remediations on battery-powered laptops is a power-and-CPU tax; daily is right for most, hourly for the few that earn it.
The built-in suite app type, channel strategy, and the XML decisions that shape every desktop's Office.
The Office suite is most fleets' largest deployment, and Intune ships it a first-class app type: Microsoft 365 Apps for Windows — the Office Deployment Tool's machinery wrapped in a designer (or fed your own XML), with the update story handled by channel policy rather than packaging.
Console pathApps > Windows > Microsoft 365 Apps
Architecture64-bit, at this point unconditionally
Corporate default channelMonthly Enterprise
ESP postureRequired, never blocking
Step-by-Step: Creating the Deployment
Create the app: Apps > Windows > Microsoft 365 Apps — the designer view covers the common path, or feed it your own XML.
Compose the suite deliberately. Deselect the apps your org genuinely doesn't deploy — Access on 5,000 devices that need it on 50 is support surface for nothing.
Pick the architecture: 64-bit, at this point unconditionally.
Choose the update channel — the decision the next section unpacks, because the channel is the update policy.
Switch to the XML configuration view when the designer runs out: language packs, shared computer activation (shared PC and multi-session AVD fleets need it), exclusions, and pinned-version scenarios — the full ODT vocabulary.
Assign in rings — the channel section below covers the pilot-to-fleet pattern and which authority owns the dial.
The Channel Decision
The channel is the update policy:
Channel
Rhythm
For
Monthly Enterprise
Monthly, predictable, enterprise-targeted
The corporate default — change-controlled cadence with security currency
Current
Features as they ship
The canary ring and the teams who asked
Semi-Annual Enterprise
Twice yearly
Regulated/validation-gated estates; increasingly a niche posture
Ring it like everything else: a Current-channel pilot population feeding a Monthly Enterprise fleet, with channel set via the app XML or Settings Catalog policy — and if Autopatch runs your estate, it operates these channels for you; know which authority owns the dial.
Configuration Is a Separate Layer
The app type installs; behavior comes from policy — the Office ADMX-backed Catalog set (macro security tiers, privacy/telemetry options, the feature toggles your security review cares about) plus the Cloud Policy service for user-identity-following settings. Deployment, update channel, configuration — three layers, three owners, documented.
Layer 1DeploymentThe suite app type installs Office
Layer 2Update channelChannel policy owns the cadence
Layer 3ConfigurationADMX-backed Catalog set + Cloud Policy
Verification
On a pilot device, any Office app's Account page states the channel and build — confirm both match the design before trusting the fleet view. At scale, the app's install status plus the per-setting policy reports tell you deployment and configuration both landed; the classic miss is a device that installed fine but rides the wrong channel because two authorities disagree.
Insights
The suite app is the classic ESP-blocking temptation and the classic mistake — Office is enormous, and no one needs Word in the enrollment hour. Deploy Required, never blocking; the pre-provisioning bench absorbs it where day-one-complete genuinely matters.
Migrating estates with MSI-era Office or vendor-bundled trials: the XML's remove-MSI directive and a deliberate cleanup pass beat coexistence archaeology — Office side-by-side states generate the weirdest tickets in the catalog.
The curated Win32 catalog — Microsoft-packaged third-party apps with update handling, honestly evaluated against your packaging treadmill.
Win32 packaging is a craft; Enterprise App Management (the Intune Suite capability) is the offer to buy your way out of a chunk of it: a Microsoft-maintained catalog of pre-packaged third-party Windows apps — install logic, detection, and crucially update lifecycle handled — deployed through the same Apps blade as everything else.
LicenseIntune Suite
CoversThe common third-party Win32 canon — curated, Microsoft-packaged
UpdatesCatalog-packaged, with controls for how they roll
UnderneathStandard Win32 — IME delivery, supersedence, filters
What It Actually Does
Catalog apps: browse/search the curated set (the common-third-party canon: readers, browsers, runtimes, utilities, the long tail growing by release), add, assign — no IntuneWinAppUtil, no silent-switch archaeology, no detection-rule authorship.
Update management: the headline. When the vendor ships a new version, the catalog packages it and surfaces the update — with controls for how it rolls — converting "who repackages 7-Zip this month" from a rota item into a review click. Self-updating apps get their updaters handled consistently rather than per-app folklore.
Same machinery underneath: catalog apps are Win32 apps in the end — IME delivery, supersedence semantics, standard reporting, filters — so nothing about your assignment doctrine changes.
The Honest Evaluation
Score it the suite way: your app list ∩ the catalog, priced in packaging-hours saved. Estates whose Win32 load is mostly common third-party apps see the treadmill shrink dramatically; estates whose load is internal LOB and exotic vendors keep packaging regardless — the catalog can't carry what only you have. Most real fleets land mixed: catalog for the canon, hand-packaging + PSADT for the rest, and the doctrine table gains a row.
Where It Sits vs Store (New)
Store/winget apps already auto-update for vendor-published Store entries — the catalog's territory is the Win32 world beyond the Store, with enterprise update governance the Store's auto-pilot doesn't offer (controlled rollout vs vendor-schedule). Decision order per app: Store (new) → Enterprise App Catalog → hand-packaged Win32 — first match wins.
FirstStore (new)Vendor-published, auto-updating
SecondEnterprise App CatalogWin32 beyond the Store, updates governed
FallbackHand-packaged Win32Internal LOB and exotic vendors
Insights
The strategic value is risk, not just hours: stale third-party apps are a top vulnerability class, and the catalog converts "patching Chrome-adjacent utilities" from best-effort to managed — pull your Defender vulnerability data for third-party app findings and price the catalog against that list for the security-budget conversation.
App protection on personal Windows devices — the Edge-anchored model, what it covers, and where it honestly stops.
The BYOD answer on Windows is MAM for Windows: App Protection Policy thinking applied to personal PCs, anchored in Microsoft Edge with Windows Security Center health signals as the device-trust input. It's a deliberately narrow surface, and used for what it is, it closes a real gap.
Applies toPersonal, unenrolled Windows PCs
AnchorMicrosoft Edge — the signed-in corporate profile
Trust inputWindows Security Center health signals
RequiresConditional Access steering — without it, a policy waiting for traffic
The Model
The protected surface: corporate identity in Edge — the signed-in corporate profile's tabs become the managed boundary, with APP-style controls (cut/copy/paste restrictions toward unmanaged surfaces, save-as governance — the data-egress vocabulary of app protection) applied to corporate web sessions and the web-app estate they carry.
Health-based conditional launch: the policy consumes device health attestation-adjacent signals via the Windows Security Center integration — threat level, basic posture — gating corporate access in Edge on a device you don't manage.
The enforcement pair: Conditional Access policies targeting the unmanaged-Windows population route corporate access through protected Edge — without CA steering, MAM for Windows is a policy waiting for traffic.
Standing It Up
Draw the corporate/personal line first: enrollment restrictions decide who can enroll, which is what makes "personal device" a deliberate population instead of an accident.
Create the App Protection Policy for Windows — the Edge-anchored controls above, including the health-signal conditional-launch thresholds — and assign it to the BYOD user population.
Create the Conditional Access steering: policies that require the protection-policy-covered Edge path for corporate access from unmanaged Windows devices, so the only door is the governed one.
Pilot before broadening — and pilot the workload, not the feature; the Insights bullet below is the test plan.
Verification
From a personal, unenrolled test device: sign into a corporate web app through Edge and confirm the protection actually applies — try the copy/paste you claimed to block — then confirm that going around Edge fails closed under the CA policy rather than open. In the console, the app protection report shows the policy reaching users; the sign-in logs show the steering firing.
Where It Honestly Stops
This is browser-and-web-estate protection, not device-wide MAM: the native desktop Outlook on a personal PC is not inside this boundary — the personal-device answers for thick clients remain "don't" (web/VDI instead), Windows 365 (the corporate desktop as a service is the strongest personal-device story Microsoft sells), or enrollment after all. Set the scope expectation in the design doc before someone discovers it in an incident review.
The Population Architecture
The complete Windows access-tier table: corporate (enrolled, the blueprint) → personal, web-sufficient workload (MAM for Windows + CA) → personal, full-desktop workload (Cloud PC) → refusers (browser-only with CA session controls, or nothing). Every user lands in exactly one row, enrollment restrictions enforce the corporate/personal line, and the BYOD policy writes itself.
the device is corporateEnrolled — the blueprintFull management; compliance proves the device.
it's personal and the workload is web-sufficientMAM for Windows + CACorporate access through protected Edge, no enrollment.
it's personal and the workload needs a full desktopWindows 365 Cloud PCThe corporate desktop as a service.
the user refuses all of itBrowser-only with CA session controls — or nothingNothing reaches corporate data ungoverned.
Insights
Pilot with the workload test, not the feature test: pick ten real BYOD users, inventory what they actually touch, and verify the web estate covers it — MAM for Windows succeeds or fails on workload fit, and discovering the thick-client dependency in week one beats month three.
The container-adjacent package format — where it shines, where Win32 remains king, and how the two coexist in one estate.
MSIX is Windows' modern package format: declarative install, clean uninstall (no registry archaeology left behind), per-package isolation, and differential updates that ship only changed bytes. It's also a decade into "the future of Windows packaging" while Win32/.intunewin still carries most enterprise freight — this page is the honest map of both facts.
What MSIX Genuinely Buys
Lifecycle hygiene: installs are transactional, uninstalls are complete, and "the app left debris that breaks the reinstall" exits your troubleshooting taxonomy for these apps
Update efficiency: block-level differential updates — a 2 GB suite shipping a 40 MB patch matters at bandwidth-constrained sites
Deployment simplicity: Intune's MSIX line-of-business path needs no wrapping, no detection-rule authorship (identity and version are the package's own metadata)
The Constraints That Keep Win32 King
MSIX's containment model constrains apps that expect the old world — services, drivers, deep shell integration, installers with imperative logic. Vendor MSIX adoption concentrated in well-behaved app classes; the legacy long tail and anything needing PSADT-grade choreography stays Win32. Signing is non-negotiable: MSIX must be signed by a certificate the fleet trusts — vendor-signed ideally; your own packages signed with an org cert whose trust you deploy (the certificate chain earning another job).
The Estate Doctrine
Format follows the artifact, decision order per app: vendor ships MSIX → take it (the benefits are free); Store (new) carries it → even easier (Store packages ride this machinery under the hood); repackage-to-MSIX yourself → only with a reason (the repackaging effort buys lifecycle hygiene for apps that tolerate containment — a deliberate modernization project, not a default); everything else → Win32 without apology. One estate, one doctrine table, formats coexisting by design.
the vendor ships MSIXTake itThe lifecycle and update benefits are free.
Store (new) carries the appEven easierStore packages ride this machinery under the hood.
you'd be repackaging to MSIX yourselfOnly with a reasonA deliberate modernization project, not a default.
App attach is MSIX's killer app in AVD estates: packages mounted into sessions at sign-in rather than baked into images — the image-sprawl cure for pooled hosts, and the strongest single reason a Windows admin learns this format deeply.
Certificate expiry on self-signed MSIX is a delayed-action outage — the package that installs fine today refuses on machines tomorrow; treat signing certs as renewable infrastructure with named owners and calendar reminders, the same discipline you apply to every other expiring trust anchor in the estate.
Running your own winget REST source — internal packages with package-manager ergonomics, honestly scoped.
Store apps and winget covers the public catalog; the natural next question is "can our internal apps live in winget too?" Yes — via a private winget REST source — and the full answer includes when that's worth running versus letting Win32/Enterprise App Management carry the load.
The Model
The winget client speaks to sources; beyond the public catalog, it federates any endpoint implementing the REST source API. Microsoft ships the reference implementation — winget-cli-restsource, an Azure-deployable service — and your internal packages publish into it as manifests pointing at your installers.
Internal installersversioned like the software they describe
Standing One Up
Deploy the REST source: winget-cli-restsource into your Azure subscription, fronted from day one by the access controls the Insights bullet insists on.
Author and publish the manifests for your internal packages — metadata plus installer locations, versioned like the software they describe.
Test the loop: on a configured device, winget source list shows the private source, and winget install your-internal-app works exactly like the public catalog.
Bridge into Intune where you want push rather than pull — WinTuner-class tooling converts packages into Intune assignments, so the same artifact serves both delivery models.
Where It Earns Its Keep
Developer and power-user fleets: populations that live in package managers get internal tools in their native workflow, version-pinnable and scriptable
CI/build infrastructure: agents installing internal toolchains by manifest, no Intune dependency in the build path
The self-service tier: a curated internal catalog as the Company Portal complement for the CLI-fluent
Where It Doesn't
The general fleet's required-app delivery: that's IME and the Apps blade — reporting, supersedence, and install-status truth that a pull-based source doesn't replicate. A private source complements the pipeline; teams that try to replace Intune app deployment with it rediscover why deployment reporting exists.
Insights
The security posture writes itself if you start there: manifests and installers signed, the source behind identity-aware access, and the repo treated as software supply chain — because that's exactly what it is, and "internal" is not a trust level.
BitLocker, Secure Boot, TPM, Defender signals, and build floors — attesting the posture you configured.
The contract has two halves: compliance attests, Conditional Access enforces. A compliance policy never blocks anything on its own — it renders a verdict on the device object, and Conditional Access reads that verdict at every token request. The Windows policy's distinguishing power is hardware-rooted attestation — the device proves its security state, not just reports it.
Compliance policyattests — renders the verdict
→
Device objectcompliant / noncompliant
→
Conditional Accessenforces the verdict
Prerequisites
Configuration before attestation: the BitLocker policy and update rings you intend to attest must already be deployed — the compliance requirement and the configuration policy must agree, or new devices flap noncompliant while configuration catches up.
Defender for Endpoint connector active if you plan to consume machine risk score — flip it on in the Defender integration before the compliance setting that references it.
A Conditional Access design ready to consume the verdict — compliance without the enforcement half is a report nobody reads.
Step-by-Step: Building the Policy
Create the policy under Devices > Windows > Compliance policies and work the settings in this order:
Require BitLocker. The attestation half of the encryption story; the pair must agree or new devices flap noncompliant during their first encrypt cycle — grace periods exist for exactly this window, so set one that covers the silent-enablement timeline.
Require Secure Boot and require code integrity. Boot-chain health, measured at boot rather than self-reported.
Require TPM. The hardware root the rest of the policy stands on.
Set the Defender posture: antimalware on, real-time protection on, signatures current — and machine risk score (via the Defender for Endpoint connector) at your ceiling: the live-threat half of compliance.
Express the minimum OS version as build floors that track your update rings: set the floor at ring-pace minus a grace period (e.g., last month's build once the broad ring completes), and "unpatched" becomes "loses access" — patch pressure expressed as an access decision instead of a nag.
Add password/lock requirements only where Hello doesn't already make them moot.
Configure actions for noncompliance: grace period (1–3 days) → user notification → noncompliant → Conditional Access gates. The grace-period window absorbs transient states; the gate is what makes the verdict real.
Assign to device groups that cover the whole estate — assignment decides which devices get a verdict at all.
Verification
After the first evaluation cycle, read the compliance reports: every assigned device should show as evaluated, and the noncompliant population should be explainable — new devices in a grace period, known stragglers, nothing mysterious.
Walk the loop end to end on one test device: break a requirement (suspend BitLocker), sync, and confirm the verdict flips and a token request actually gets blocked — then remediate and watch access restore. The enforcement half is only proven once you've seen it deny.
Operating Notes
One policy per posture, not per team — compliance evaluates ALL assigned policies and any failure marks the device; overlapping policies with different floors create unexplainable states.
The built-in default policy ("mark devices with no policy as noncompliant" — set it that way) catches the unassigned stragglers; an unevaluated device should never read compliant by omission.
Co-managed fleets: the compliance workload slider decides whether ConfigMgr or Intune evaluates — move it first in co-management sequencing, since it unlocks Conditional Access for the whole estate.
Do
One policy per posture, assignments covering the whole estate
Mark devices with no assigned policy as noncompliant
Deploy the configuration before the attestation that checks it
Don't
Overlap policies with different floors — unexplainable states
Let an unevaluated device read compliant by omission
Reference the machine risk score before the Defender connector is on
Insights
Build-floor compliance is your only update enforcement on devices users control politically — executives who ignore deadlines don't ignore losing access to mail.
Watch the noncompliant-reason distribution in reports monthly: a spike in one signal (BitLocker, risk score) is an upstream system telling you something — escrow broke, or Defender's having a week — not three hundred coincidences.
The PRT, the compliant-or-hybrid grant, and device filters — where the fleet's compliance verdicts become access decisions.
The compliance page ends with a verdict on the device object; this page is what reads it. Conditional Access evaluates every token request and grants or denies there — it gates cloud resources, not the desktop. A noncompliant laptop still boots and signs in locally; what it loses is mail, files, and every Entra-protected app.
Evaluated atEvery token request
GatesCloud resources — not the local desktop
Device proofThe PRT, presented by the WAM broker
First diagnosticdsregcmd /status — join state plus PRT health
How a Windows Device Proves Itself: the PRT
When a user signs in to an Entra-joined or hybrid-joined device, Entra ID issues a Primary Refresh Token — an opaque, device-bound artifact carrying the user and device claims. The Web Account Manager (WAM) broker presents the PRT whenever apps request tokens, so every access token inherits the device's identity and Conditional Access can ask "is this device compliant?" at each request. The PRT refreshes on unlock and sign-in, keeping device-based policy continuous. Two consequences: a sign-in without a registered-device PRT reads as unknown device and fails every device-based grant; and dsregcmd /status — join state plus PRT health — answers most "why was I blocked?" tickets in one paste.
Entra IDissues the device-bound PRT at sign-in
→
WAM brokerpresents it for every token request
→
Conditional Accessgrants or denies per request
The Grant: Compliant Device OR Hybrid Joined
Grant control
What it asserts
When it's the right tool
Require device to be marked as compliant
Intune evaluated the device against compliance policy and it passed — a posture statement
The end state for every enrolled device; the only grant that says anything about health
Require Microsoft Entra hybrid joined device
The device is domain-joined and registered — an identity statement with no posture content
A bridge for hybrid fleets not yet enrolled or not yet evaluating compliance
Mid-migration estates select both with Require one of the selected controls — the "compliant OR hybrid joined" pattern. Treat the OR as a ratchet: the hybrid arm admits any domain-joined machine regardless of its state, so as enrollment coverage grows, retire it and stand on compliance alone.
Browser SSO and the Wrong-Profile Trap
Edge signed in with the work account rides WAM natively — device claims flow into browser sign-ins without ceremony. Other browsers need their enterprise SSO support explicitly enabled before they can present the PRT, and private-browsing sessions don't present hybrid-join state at all. The failure you'll actually meet: a user in a personal browser profile — or wrong account — requests a token with no device claims, and compliant hardware gets blocked as unmanaged. The sign-in log shows the tell: device info empty. Train tier-1 to check which profile before anyone debugs policy.
Device Filters
The filter for devices condition scopes a policy by device attributes — model, ownership, trust type, extension attributes — independent of user assignment. Two workhorse patterns: exclude a fenced population (kiosk and shared devices that can't survive interactive grants) from broad policy, and include-only designated admin workstations in a policy locking privileged roles to hardened hardware.
The Unmanaged Lane: BYOD
Personal Windows devices get a deliberately narrower deal: the Require app protection policy grant steers them into MAM for Windows — corporate access through protected Edge, with no enrollment — so enrolled devices prove compliance, personal devices ride the protected-browser lane, and nothing reaches corporate data ungoverned.
Prerequisites
Compliance policies deployed and reporting, with at least one known-compliant device — a compliant-device grant with no compliant devices is a tenant-wide block.
Break-glass accounts created and documented — excluded from this and every CA policy you ever write.
A pilot group you can actually talk to.
Step-by-Step: the First Device-Based Policy
Create the policy under Entra ID > Conditional Access > Policies, named to your convention.
Assign users: include the pilot group; exclude the break-glass accounts and (in synced tenants) the Directory Synchronization Accounts role. The exclusions are the difference between a bad day and a locked tenant.
Target resources: All resources — per-app carve-outs accumulate into holes; let the pilot users carry the blast radius instead.
Set the grant: Require device to be marked as compliant — plus Require Microsoft Entra hybrid joined device with Require one of the selected controls if you're mid-migration.
Enable in report-only mode. Report-only evaluates every real sign-in and records what would have happened — your only preview of the lockouts you didn't predict.
Read the results for a week in the sign-in logs, fix what surfaces (unenrolled stragglers, service accounts, the conference-room PC), widen the include ring, then flip to On.
Verification
On a compliant test device: sign in and confirm in the sign-in logs that the policy applied with a Success grant — the claims chain proven end to end.
Break compliance deliberately (suspend encryption, sync, let the verdict flip) and confirm the next token request is blocked; remediate and watch access restore. Enforcement is only proven once you've seen it deny.
Lockout Pitfalls
Freshly provisioned devices race their first compliance evaluation. Enrollment itself isn't blocked by the compliant-device grant, but a device fresh off the bench can sit in "not evaluated" while its user tries to work. Compliance grace periods and a sync-on-handoff habit absorb the window.
Kiosk and shared devices: user-less and many-user fleets break interactive assumptions — and one noncompliant shared device blocks every account that walks up to it. Decide their lane explicitly: device filters, dedicated policy, or exclusion with compensating controls.
Break-glass exclusions are load-bearing. A policy that locks every admin out during a service incident is a story you only get to tell once.
Do
Start in report-only and read a week of sign-in logs
Exclude break-glass accounts from this and every CA policy
Target All resources and let the pilot group carry the blast radius
Retire the hybrid-joined OR arm as enrollment coverage grows
Don't
Flip to On without reading what report-only surfaced
Leave kiosk and shared fleets to meet interactive grants undecided
Accumulate per-app carve-outs — they become holes
Insights
Report-only always surprises. Every tenant has sign-ins nobody remembered — scanners, scheduled tasks, an executive's home PC — and finding them in a report beats finding them on the phone.
Measure the OR: track the share of sign-ins satisfied by the hybrid arm versus compliance, and remove it when that share approaches zero — every month it lingers, it's an unmonitored side door.
Pair device grants with Hello for Business and the daily experience is fewer prompts, not more — strong device identity is what lets you stop interrogating the human.
AV policy, ASR rules, firewall, and MDE onboarding — the security stack as Intune profiles.
The Endpoint security node is where Windows security policy lives as focused profile types — and where Microsoft Defender for Endpoint (MDE) onboarding turns Intune-managed devices into sensor-reporting, risk-scored endpoints. The architecture is a loop: Intune deploys the sensor, Defender scores the device, compliance consumes the score, and Conditional Access acts on the verdict.
Intunedeploys the sensor
→
Defenderscores the device
→
Complianceconsumes the score
→
Conditional Accessacts on it
The Profile Family
Antivirus — Defender AV configuration: real-time/cloud protection, scan scheduling, exclusions (govern exclusions like the attack surface they are — reviewed, justified, minimal), tamper protection on.
Attack surface reduction (ASR) — the rules that block macro/script/credential-theft tradecraft. The non-negotiable rollout doctrine: Audit mode first, mine the audit events for business-process collisions (that one Excel macro pipeline), then flip rules to Block individually. Big-banging ASR to Block is the classic self-inflicted outage.
Firewall — Defender Firewall profiles and granular rules; default-deny inbound is the easy win most fleets still haven't taken.
These profiles overlap territory with security baselines — pick the owner per area (baseline floor + Endpoint security specifics is the common split) and hold the one-home-per-setting line.
Do
Keep tamper protection on
Roll ASR rules out in audit mode and mine the collisions first
Govern AV exclusions — reviewed, justified, minimal
Pick one owner per setting area: baseline floor + Endpoint security specifics
Don't
Big-bang ASR rules to Block — the classic self-inflicted outage
Carry unexplained exclusions into your next audit
Let baselines and Endpoint security profiles fight over one setting
MDE Onboarding and the Risk Loop
Connect the tenants: Defender portal settings flip the Intune connection; Endpoint security > Microsoft Defender for Endpoint confirms it.
EDR policy with onboarding from the connector deploys the sensor blob fleet-wide — no per-device packages.
Compliance consumes the machine risk score; CA acts on compliance. A device that catches fire loses access while it burns — the entire point.
Bonus circuit: MDE's vulnerability management feeds back the patch and app debt your update and app doctrine pages exist to retire.
Insights
Security settings management extends these same Intune profiles to devices MDE sees but Intune doesn't manage — useful mid-migration; know it exists before building a parallel mechanism.
ASR audit data is the cheapest security telemetry you'll ever get: even rules you never intend to block document what's running where.
Keep the exclusion list in version control with reasons and owners — an unexplained exclusion is a finding in every audit framework that will ever read it.
No standing local admins, rotating break-glass credentials, and the retrieval workflow — the endgame for endpoint privilege.
The target state, achievable today: users run standard (Autopilot sets it), no shared local admin password exists anywhere, and break-glass is a per-device, auto-rotating credential retrieved on demand and rotated after use. Windows LAPS — built into the OS, managed by Intune — is the whole mechanism.
Console pathEndpoint security > Account protection > Windows LAPS
EscrowThe Entra ID device object — the object is the vault
Password20+ characters, complex, rotated every 7–30 days
After usePost-authentication rotation burns the credential
Prerequisites
Decide the managed account first: the built-in Administrator, or better, a dedicated break-glass account that your baseline or a script creates on every device. LAPS rotates the account you point it at, so the account must exist everywhere before the policy means anything.
Standard-user posture under way: LAPS is the break-glass half of the no-local-admins program — the value compounds when users actually run standard and sanctioned elevation has its own governed path.
Healthy device objects in Entra ID: passwords escrow to the device object, so the object is the vault — stale or duplicate device records become retrieval failures later.
Step-by-Step: The Policy
Create the policy under Endpoint security > Account protection > Local admin password solution (Windows LAPS):
Set the backup directory to Entra ID — passwords escrow to the device object (the cloud-native posture; AD backup exists for hybrid estates that need it).
Name the administrator account the policy manages: the built-in Administrator, or better, the dedicated break-glass account — managing a renamed/dedicated account beats advertising the well-known one.
Set password complexity, length, and age: long (20+), complex, rotate every 7–30 days.
Configure post-authentication actions: rotate after the password is used (+ optional logoff/restart of the session) — every retrieval burns the credential, automatically.
Close the hygiene loop: pair with an account-management profile or remediation that guarantees the target account exists and no other local admins do — the rotation is the product's job; the fleet hygiene around it is yours.
The Retrieval Workflow
Per-device: the Intune device blade's Local admin password view (audited), or Graph for automation — every read is logged, which is the governance story. Helpdesk runbook: retrieve → use → confirm post-auth rotation fired → done; no password ever written on a sticky note because no password is valid for long.
RetrieveDevice blade or GraphEvery read is logged — that's the governance story
UseSign in with the credentialThe break-glass moment itself
RotatePost-auth action firesThe password you just used stops working
DoneNothing reusable remainsNo retrieval leaves a standing credential
Verification
On a pilot device, retrieve the password from the device blade, sign in with it, and confirm the post-authentication rotation fires — the credential you just used should stop working on schedule.
Check escrow coverage across the fleet: every targeted device should hold a current password on its device object; gaps usually mean the policy's account name and the account that actually exists on the device disagree.
Why This Trio Closes the Chapter
Standard users + Hello for Business + LAPS = no standing admin rights, no phishable sign-in secret, no reusable local credential — the three classic lateral-movement gifts, individually wrapped and returned. It's the rare security project that reduces helpdesk load (self-service-less elevation requests drop once the temporary-elevation path is defined) while deleting an entire attack class.
Insights
The "but I need admin sometimes" population gets a process (temporary elevation via your chosen mechanism — Intune's Endpoint Privilege Management add-on being the native option), not an exemption. Exemptions are how LAPS projects die at 80%.
Audit retrievals monthly: the access pattern is telemetry — a device retrieved weekly has an unsolved underlying problem wearing a break-glass costume.
Migrating from legacy LAPS (the AD-era MSI)? Windows LAPS is the in-OS successor; don't run both against one account — pick the policy source and decommission the old client deliberately.
Rule-based elevation for standard users — the missing piece that makes the no-local-admins posture livable.
Removing local admin rights is the single highest-value Windows hardening move — and the reason orgs don't do it is the exception flood: the engineer who needs to install drivers, the analyst whose ancient tool demands elevation. Endpoint Privilege Management (EPM, an Intune Suite capability) is the answer: standard users everywhere, with policy-governed elevation for exactly the operations you've blessed.
Rule identityCertificate + attributes ideally; hash for unsigned; path last
Default answerUser confirmed — automatic earns its way in per file
The Model
EPM policies live under Endpoint security and come in two parts:
Elevation settings policy: turns the EPM client on per device population and sets the default posture — including what happens for elevations no rule covers (deny, or allow user-confirmed with justification, per fleet temperament).
Elevation rules policies: the allow-list. Each rule identifies a file (by certificate + attributes ideally, file hash for the unsigned stragglers, path only as a last resort — paths are spoofable) and assigns an elevation type:
Elevation type
Behavior
Use for
User confirmed
User attests (optionally with justification/auth) and elevates
The everyday case — driver installers, the blessed utility set
Support approved
Elevation waits on an admin approval in the console
High-risk tools; break-glass-adjacent operations
Automatic
Elevates silently
Sparingly — updaters and agents that must elevate unattended
Rules ride assignments and filters like everything else, so the CAD team's rule set doesn't follow them onto loaner hardware.
Do
Identify files by certificate + attributes
Default new rules to user confirmed
Let elevation reporting build the rule backlog before removing admin rights
Don't
Write path-only rules — paths are spoofable
Grant automatic elevation under helpdesk pressure — every silent rule is invisible privilege
Add an automatic rule without a written reason
The Rollout Pattern
Inventory reality first: EPM's elevation reporting shows what's actually elevating fleet-wide (including unmanaged elevations on devices where users still hold admin) — your rule backlog, pre-sorted by frequency.
Remove admin rights ring by ring (the LAPS page's choreography), with EPM rules landing first so day one of standard-user life already covers the known elevation diet.
Tune by exception data: denied-elevation reports become rule candidates or coaching moments; the support-approved queue's latency becomes a staffing signal.
Insights
EPM completes a trio: LAPS owns the break-glass account, EPM owns sanctioned elevation, and standard-user-by-default owns everything else. Present the three together in security review — each covers the others' "but what about" questions.
Resist the automatic-elevation temptation under helpdesk pressure: every silent rule is invisible privilege, and the audit trail's value comes precisely from the confirmation/approval friction. The default answer is user confirmed; automatic earns its way in per file, with a written reason.
Virtualization-based security, memory integrity, and the credential isolation that makes pass-the-hash a museum piece.
Virtualization-based security (VBS) is Windows using the hypervisor against attackers: carving out hardware-isolated memory enclaves the OS kernel itself can't read. Two headline tenants live there — memory integrity (HVCI) guarding kernel code, and Credential Guard sealing domain secrets — and on modern fleets your job is less "enable them" than "attest and keep them on."
Memory integrity (HVCI): kernel-mode code integrity enforced from the enclave — unsigned or tampered drivers can't load. The historic enablement blocker was that one ancient driver; the Settings Catalog policy plus a ring-based rollout surfaces incompatible drivers in ring 1 where they're a ticket, not an outage.
Credential Guard: LSA secrets (NTLM hashes, Kerberos tickets) isolated in the enclave — the pass-the-hash and credential-dump killers. Default-enabled on current Windows 11 Enterprise/Education on capable hardware, which converts your task to verifying it's on and preventing it from being turned off.
LSA protection (the non-VBS cousin): LSASS as a protected process — on by default on modern installs, part of the same attestation story.
Prerequisites
The hardware floor: UEFI with Secure Boot, virtualization extensions, and TPM 2.0 — met by definition on a current Windows 11 fleet, worth confirming on anything older.
A driver census for HVCI: the historic enablement blocker is that one ancient kernel driver; know which populations carry unusual peripherals before enforcement, and seed ring 1 with their owners.
Baseline awareness: read the security baseline's positions on VBS, HVCI, and Credential Guard first, so your policy aligns with them rather than fighting them.
Step-by-Step: Enablement
Configure the policy via the device-security surface of the Settings Catalog: VBS on, memory integrity (HVCI) on, Credential Guard on.
Make the UEFI-lock decision deliberately. Locking Credential Guard in firmware prevents remote disablement — including by you. It's the right posture for high-assurance fleets, with the understanding that undoing it means touching machines.
Roll out ring by ring on the update-ring cadence, so an incompatible driver surfaces in ring 1 as a ticket rather than fleet-wide as an outage.
Verification
Then prove it: device health attestation and compliance carry the boot-measured truth, and the fleet-wide "is Credential Guard actually running" answer is a Graph/report query, not an assumption — attest the running state rather than trusting the policy deployment report.
Insights
The blast radius of HVCI lives in peripherals: the badge-reader vendor's 2017 driver, the lab instrument's kernel module. The ring-1 canary population should deliberately include the weird-hardware owners — that's what canaries are for.
When security review asks "are we protected against credential theft," the layered answer is this page plus Hello for Business: Credential Guard protects secrets that exist; Hello reduces how many exist at all.
Attack surface reduction rule by rule — what each blocks, what each breaks, and the audit-to-block path for all of them.
The Defender page names attack surface reduction as a pillar; this page is the cookbook — because ASR is deployed rule by rule, and each rule has its own blast radius. The universal method first, then the roster.
Step 2Read the telemetryTwo to four weeks: which rules would fire, on what, for whom
Step 3Block in wavesSilent rules first; noisy triggers get investigated
Step 4Warn where neededThe override-with-audit-trail middle path
Everything starts in audit mode — fleet-wide, immediately. Audit costs nothing and starts generating the evidence.
Read the audit telemetry (Defender portal's ASR report or advanced hunting) for two-to-four weeks: which rules would have fired, on what, for whom.
Block in waves by noise level: silent rules go straight to block; noisy rules get their triggers investigated — most "noise" is one legacy app or one team's macro habit, which becomes a targeted exclusion or (better) a remediation.
Warn mode is the middle path for user-facing friction: the block with an override button and audit trail.
The Roster, By Family
The quiet wins (block early, almost nowhere breaks):
Block abuse of exploited vulnerable signed drivers
Block executable content from email client and webmail
The Office family (block after macro-reality triage):
Block Office apps from creating child processes — the malware-chain breaker; finance macro suites are the classic exception
Block Office apps from creating executable content / injecting into other processes
Block Win32 API calls from Office macros
Block execution of potentially obfuscated scripts; block JS/VBScript from launching downloaded executables — pairs with your macro-security Catalog policy
The behavioral big guns (audit longest):
Block executable files unless they meet prevalence/age/trusted-list criteria — the rule most likely to catch your own LOB installers; exclusions or signing discipline required
Use advanced protection against ransomware
Block untrusted/unsigned processes from USB
Per-rule exclusions exist and should be named, owned, and reviewed — an ASR exclusion list nobody audits is an allow-list for the next attacker who reads your config.
Insights
ASR findings in audit are free security telemetry even before blocking: a workstation tripping the LSASS rule today is an investigation, not a future policy note.
Track the portfolio as a KPI: rules-in-block ÷ total applicable, fleet-wide. It's the single most legible "attack surface is shrinking" number you can hand leadership, and the compliance/CA loop doesn't capture it — this one's yours to chart.
Boot-time truth from the TPM — how Windows proves Secure Boot, BitLocker, and code integrity actually ran.
Compliance policies contain a quiet superpower: settings the device cannot lie about. Device Health Attestation (DHA) is the mechanism — boot-time measurements sealed in the TPM, validated by Microsoft's attestation service, and delivered to Intune as cryptographic fact rather than agent self-report. When a security review asks how much of the compliance verdict survives device compromise, the DHA-backed settings are the part that holds.
How the Proof Works
During boot, UEFI and the OS loader extend measurements of each boot stage into TPM PCRs — a hash chain recording what actually executed. At attestation time the TPM signs a quote of those registers with a key rooted in the hardware; the health attestation service validates the quote and issues the verdict Intune consumes. An attacker who disabled Secure Boot or stripped code integrity after boot can't rewrite the registers — the lie is cryptographically unavailable.
Boot chainUEFI + loader extend measurements
→
TPMsigns the quote with a hardware-rooted key
→
Attestation servicevalidates the registers
→
Intune complianceconsumes cryptographic fact
What Compliance Can Attest
The compliance policy's device-health block consumes DHA verdicts:
BitLocker (boot-measured, distinct from the configuration-side BitLocker policy — policy sets, attestation proves)
Secure Boot enabled
Code integrity enabled
Three checkboxes, each backed by the TPM rather than a registry read — turn them on for any fleet whose Conditional Access posture means anything, and pair them with the VBS/Credential Guard attestation story for the full boot-chain narrative.
Operational Notes
Hardware floor: TPM 2.0 — the Windows 11 fleet baseline already guarantees it; legacy stragglers fail attestation eligibility, not attestation, and read differently in reports.
Transient failure ≠ compromise: attestation hiccups (service reachability, fresh enrollments, post-reset states) clear on sync and re-evaluation — triage the transient causes first, before treating any verdict as a security event.
A device persistently failing Secure Boot attestation that policy says should pass is a finding: someone with firmware access changed the boot posture. That's an investigation route, not a compliance-exception route.
Insights
DHA is the difference between "the agent says we're encrypted" and "the silicon proves we booted encrypted" — when an auditor pushes on evidence quality, this page is the answer, and the inventory report's encryption column inherits its credibility from it.
DFCI fleets get a pleasing symmetry: cloud-managed firmware setting the boot posture, TPM-attested truth proving it — configuration and verification meeting below the OS.
Reputation checks to full allow-listing — the spectrum of execution control, and where your fleet should sit on it.
"Only intended software runs" is a spectrum on Windows, from reputation nudges to cryptographic allow-listing. This page maps the whole spectrum so the fleet's position on it is a decision, not a default.
The floorSmartScreen enforcedOn, not user-overridable — catches the commodity tier
The middleApp Control in auditGathering evidence, costing nothing
The ceilingApp Control enforcedKernel-enforced allow-listing with managed installer
SmartScreen (the Reputation Floor)
Microsoft Defender SmartScreen checks apps, files, and URLs against reputation services — the floor every fleet should enforce via Settings Catalog: SmartScreen for apps/files on and not user-overridable for downloaded executables, plus the Edge-side enforcement for web-borne threats. Cheap, quiet, catches the commodity tier. The security baseline already takes these positions; your job is not contradicting it.
App Control for Business (the Ceiling)
App Control for Business (the WDAC lineage) is the real thing: kernel-enforced code-integrity policy where only explicitly trusted code executes — trusted by signer, hash, path rule, or reputation tier. Intune deploys it natively via the Endpoint security app-control surface:
Start from the built-in base modes: trust Windows + Microsoft Store + managed installer — the pragmatic enterprise opening position
Managed installer is the keystone: designating the Intune Management Extension as a managed installer means everything you deploy through Intune is automatically trusted — the allow-list maintains itself for the sanctioned channel, and unsanctioned arrivals (downloads, USB sticks) face the policy
The ISG option (Intelligent Security Graph) adds reputation-based allowing for fleets that can't fully enumerate — a deliberate looseness, chosen knowingly
Audit mode first, always: app-control events (8003/8004 family in the CodeIntegrity log) for weeks before enforcement; the ASR method at higher stakes, because a wrong block here is "the app won't launch," fleet-wide
Supplemental policies carry the exceptions — versioned in the repo, owned, reviewed, exactly like every other trust list on this site
AppLocker still exists for legacy scenarios, but new designs start with App Control for Business — it's where the engineering investment lives.
Do
Start from the built-in base modes — Windows + Store + managed installer
Run audit mode for weeks and read the CodeIntegrity 8003/8004 events
Carry exceptions in supplemental policies — versioned, owned, reviewed
Don't
Enforce before the audit evidence is read — a wrong block is "the app won't launch," fleet-wide
Contradict the security baseline's SmartScreen positions
Start new designs on AppLocker — the investment lives in App Control
Choosing the Fleet's Position
Fleet
Position
Knowledge workers, modern apps
SmartScreen enforced + audit-mode App Control (gathering evidence, costing nothing)
Enforced App Control with managed installer — bounded app diet makes allow-listing nearly free, and these devices face physical-access threats
High-assurance/regulated
Enforced App Control as the audit centerpiece, with DHA attesting code integrity ran
Insights
The managed-installer pattern quietly rewards app-deployment discipline: a fleet where everything arrives via Intune gets allow-listing almost for free, while shadow-IT-heavy estates feel the enforcement pain in proportion to their sprawl. App Control is, among other things, a mirror.
Governing the Administrators group from the cloud — membership policy, Entra role mapping, and the drift that creeps back.
LAPS secures the break-glass account and EPM handles elevation — between them sits the question this page owns: who is in the local Administrators group at all, governed as policy instead of folklore.
The Policy Surface
Endpoint security > Account protection carries the local user group membership policy: per built-in group (Administrators, Remote Desktop Users, and kin), declare an action — add, remove, or replace — with members expressed as Entra users/groups or SIDs. The posture choice is the action verb: replace is the strong posture (the group's membership is the policy — drift gets reverted at evaluation), add/remove the surgical one for estates not ready to enumerate completely.
you can enumerate the intended membership completelyReplaceThe group's membership is the policy — drift reverts at every evaluation.
the estate isn't ready to enumerateAdd / removeThe surgical option — adjust known members without claiming the whole group.
The Entra-Native Reality Worth Knowing
On Entra-joined devices, two memberships exist implicitly: the device's enrolling/assigned local-admin behavior per tenant settings, and the Entra role mapping — Global Administrator and the Entra-Joined-Device-Local-Administrator role land in the local Administrators group by token, invisible to local inspection habits. Your effective-admins answer = explicit policy members + role-mapped principals + local stragglers — audit all three, because the auditor will ask for one number.
The Operating Pattern
Inventory reality first: a Remediation/script reporting actual Administrators membership fleet-wide — the drift census that always surprises
Replace-mode policy declaring the intended state: LAPS-managed account + the named break-glass principals, nothing else — composing the no-local-admins trio into an enforced invariant
Tenant-side hygiene: scope the Entra local-admin role tightly (it's fleet-wide admin granted through an identity role), and let PIM-style just-in-time elevation own the exceptions
Re-census quarterly — the same script, now measuring policy compliance instead of chaos
Insights
The replace action's underrated property is self-healing: the technician who hand-adds themselves "temporarily" gets reverted on the next evaluation cycle — which converts admin-group hygiene from an audit finding you remediate annually into a property the fleet maintains hourly.
Profiles, rule policy, and logging — running the built-in firewall as managed infrastructure instead of a default.
The Defender overview confirms the firewall is on; this page runs it like infrastructure — because the built-in firewall under policy is a genuinely capable host-isolation layer most estates leave at factory settings.
Console pathEndpoint security > Firewall
ProfilesDomain, private, public — independently configured
Corporate floorAll three enabled, inbound default-block
Design questionLocal rule merge — policy-only truth vs audited accumulation
The Profile Model
Three firewall profiles keyed to network location — domain, private, public — each independently configured via Endpoint security > Firewall: enabled state, default inbound/outbound actions, notification and local-rule-merge behavior. The corporate floor: all three enabled, inbound default-block, with the sharp design question being local rule merge — whether device-local rules (the kind installers add) combine with policy rules. Strong posture disables merge on locked-down fleets (policy is the whole truth); pragmatic posture allows it on knowledge workers and audits the accumulation.
Rule Policy
Firewall rules deploy as policy objects: direction, action, ports/protocols, scoped by app path, package, or service, profile-targeted. The patterns that matter:
Inbound stays near-zero on endpoints: clients rarely need listening ports; every inbound allow is a named, owned exception — the trust-list discipline again
The lateral-movement cut: blocking workstation-to-workstation inbound (allowing only management/infrastructure sources) is the cheapest meaningful containment control on the platform — ransomware's favorite road, closed by policy
App-scoped allows for the genuine listeners (softphones, collaboration screen-share) rather than port-wide doors
Do
Keep endpoint inbound near-zero — every allow named and owned
Block workstation-to-workstation inbound — the cheapest containment on the platform
Scope allows to the app, not the port
Don't
Open port-wide doors for one app's sake
Let years of installer-merged local rules accumulate unowned
Logging and Verification
Firewall logging configuration (per profile: dropped packets, successful connections, log size) feeds your security-telemetry pipeline — dropped-inbound logs on server-adjacent endpoints are cheap detection signal. Verification is a Remediation reading effective profile state fleet-wide, plus the reporting surface — enabled-by-policy and enabled-in-fact are different claims; attest the second.
Insights
Rule sprawl is the failure mode: years of installer-merged local rules nobody owns. The reset play — disable merge + a deliberate policy ruleset + a cleanup script — is a ring-1 project with outsized audit payoff, and the App Control mirror-effect applies: fleets with disciplined app pipelines barely feel it.
The second encryption layer — identity-bound file protection above BitLocker, and where it fits.
BitLocker protects the volume — strong against the stolen-laptop-powered-off case, silent once Windows boots. Personal Data Encryption (PDE) adds the layer BitLocker structurally can't: file-level encryption whose keys bind to the user's Windows Hello sign-in, so protected files stay sealed until that user authenticates — and reseal at lock.
RequiresCurrent Windows 11 Enterprise
Join stateEntra-joined — not hybrid
Keys bind toThe user's Hello for Business sign-in
Console pathSettings Catalog > PDE family
The Model
PDE encrypts designated content under keys derived through Hello for Business — meaning the protection follows identity presence, not machine power state. The threat it addresses is the post-boot gap: a signed-out or locked device whose disk is technically "unlocked" at the BitLocker layer; an attacker with the powered-on device (or an extracted-while-running attack path) meets sealed files anyway. The composition slide writes itself: BitLocker = at-rest volume, PDE = identity-gated files, DHA = boot-proof, Hello = the credential — four layers, one story.
Prerequisites
The prerequisites stack tightly, and each one is a hard gate:
Entra-joined (not hybrid) — another vote for the cloud-native endgame.
Hello for Business as the sign-in, since the keys hang off it — a population still on passwords has nothing for PDE to bind to.
Step-by-Step: Enablement
Create the policy in the Settings Catalog's PDE family: enablement plus the protected-content levels Microsoft defines.
Verify the current protection scope rather than assuming it. The protected-content levels have expanded by release (known-folder coverage being the headline arc) — confirm what the builds you're deploying to actually protect.
Read the documented interop notes per release. The feature carries compatibility considerations with certain recovery/management scenarios that the docs enumerate — they evolve, so re-read before each ring expansion.
Pilot on a population that exercises the lock/unlock rhythm — the value and the edge cases both live where devices lock often.
Verification
On a pilot device, confirm the seal actually behaves: protected files readable after the user's Hello sign-in, sealed at the lock screen and for any other account. Then check the policy's per-setting status in reporting — deployed and protecting are different claims, and the second one is the audit answer.
Where It Earns Deployment
Regulated and high-value-data fleets where the unattended-but-running device is a named threat scenario — executive travel fleets, clinical floors, anywhere screens lock more often than machines power off. The standard knowledge-worker fleet should land BitLocker + Hello + auto-lock discipline first; PDE is the precision layer above a finished foundation, not a substitute for one.
Insights
Rehearse the recovery story before ring 2: PDE-protected files on a device whose Hello container resets (PIN forgotten, device repair) follow a different recovery path than BitLocker's — bring the same escrow discipline you apply to recovery keys, because the rehearsed path is the difference between a help-desk script and a data-loss conversation.
Beyond the blunt USB switch — Defender Device Control's allow-list model for peripherals and removable media.
Blocking ports outright is the blunt instrument; Windows carries a far sharper one: Microsoft Defender Device Control — policy over removable storage and peripheral classes that goes past on/off into which devices, for whom, doing what, with audit evidence attached.
The Model
Device Control policy (Endpoint security, the attack-surface-reduction family) composes groups (device sets matched by IDs — vendor/product, serial, device class) with rules (allow/deny/audit per access type — read, write, execute) applied to those groups. The expressive power is the point: deny removable storage write fleet-wide; allow the named encrypted-drive product for the field-engineering group; audit reads everywhere is three rules, not a wish.
The Rollout Ladder
Rung 1Audit everythingThe plugged-in census — security telemetry by itself
Rung 3Deny executeCode from removable media has no fleet-wide story
Rung 4Named exceptionsSerial-pinned drives, owned and reviewed
Audit first, always — the ASR method verbatim: audit-mode events build the census of what's actually plugged in where, which is itself security telemetry (the unknown-USB map surprises every org that draws it)
Block write before block all: write-blocking removable media kills the exfiltration path while leaving read workflows (the conference-room USB deck) alive — the highest value per unit of friction on the ladder
Execute-deny as standing policy: code running from removable media has no legitimate fleet-wide story — pairs with the USB ASR rule and App Control posture
Named-exception allow-lists for the genuine needs — serial-pinned encrypted drives for the populations that earn them, owned and reviewed like every trust list
Printer and broader peripheral-class controls ride the same framework where the estate's data-handling rules reach that far.
Evidence and Verification
Device Control events flow into the Defender portal's reporting — per-device, per-rule, advanced-hunting-queryable — which makes the audit answer ("can data leave on USB, and who tried") a query instead of a shrug. The reporting rhythm gains a column; the DLP conversation gains a floor.
Insights
The exception process is the control: a serial-pinned allow-list with an owner and an expiry converts "we block USB (except everyone who asked)" into governed reality — and the audit-mode census tells you in advance exactly how many askers to budget for.
Vulnerability Remediation with Defender and Intune
Closing the loop — Defender's vulnerability findings flowing into Intune security tasks, and the rhythm that burns down exposure.
Two consoles, one loop: Defender Vulnerability Management finds the exposure; Intune owns the machinery that fixes it. The integration that joins them — security tasks — is the most underused handoff in the Microsoft security stack.
Defender's vulnerability layer continuously inventories software, versions, and configurations against the CVE world, scoring exposure per device and recommendation — the what's broken where truth, with your third-party app sprawl usually headlining
Security tasks: from a Defender recommendation, security creates a task targeted at Intune — the request crosses consoles with its evidence attached and lands in Intune's Security tasks queue
Close the task — status flows back to the security console, and the recommendation's exposure score reflects reality on the next evaluation
The connector prerequisite is the Defender-Intune integration most estates already run; the process prerequisite is the missing piece — agreeing who triages the queue and on what clock.
The Operating Rhythm
Treat exposure like patch-age buckets: a weekly triage of incoming tasks (severity-sorted, the exploited-in-the-wild class jumping the queue — actively exploited findings run on an hours-to-days clock, not the monthly rhythm), remediation routed to the owning lane, and the burn-down chart — exposure score and open-task age trended monthly — as the artifact both security and IT leadership read. The chart is the relationship: it replaces the perennial "IT ignores our findings" / "security throws PDFs over the wall" theater with a shared queue and a slope.
Insights
The highest-yield standing fix is upstream of any single CVE: the apps that recur in findings are the apps without an update lane — every repeat offender adopted into the catalog/pipeline removes a family of future tasks, which is the difference between vulnerability whack-a-mole and vulnerability management.
The timeout that isn't the cause, the error codes that matter, and the bench diagnosis sequence.
Autopilot failures look dramatic and resolve formulaically. The discipline: identify the phase (device prep → device setup → account setup), then work that phase's short list.
Phase 1Device prepJoin and enrollment — the device becomes managed
Phase 2Device setupDevice-targeted apps and policies land
Phase 3Account setupUser-targeted payload after sign-in
The Greatest Hits
0x800705B4 (timeout) — the most-Googled, least-informative code: the ESP hit its limit while something in the blocking list stalled. The fix is finding the something, not raising the limit. Diagnosis: the cab/IME logs below show per-app status — the app stuck "in progress" forever is your culprit; its own install log says why (bad silent switch, dependency wait, content download stall on hostile Wi-Fi).
"This device hasn't been set up for your organization" / profile not found — the hash isn't registered, registered to the wrong tenant, or the profile assignment hasn't flowed (assignment can lag after registration — check the Autopilot devices blade shows assigned).
TPM attestation errors (self-deploying/pre-provisioning) — firmware TPM quirks, VMs, or vendor firmware needing an update; attestation is a hardware conversation, validate the exact SKU.
Sign-in succeeds, enrollment fails — licensing (no Intune license), enrollment restrictions blocking the platform, or the MDM user scope not covering the user.
Network at OOBE — captive portals, TLS inspection, and filtered guest Wi-Fi break first contact; the staging VLAN exists for a reason.
The Diagnosis Kit
On the failure screen: the diagnostics option exports logs to USB right there — collect before rebooting away the evidence.
IME log (%ProgramData%\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log) — the per-app truth during ESP, readable with CMTrace-style viewers.
Reproduce on the bench under the user's network conditions (hotspot mimicking home Wi-Fi) before declaring "works for me" — half of Autopilot tickets are network-environmental.
Keep one known-good reference device per hardware model: "does the golden unit deploy?" splits fleet problems from device problems in twenty minutes.
After any fix, the clean retest is a full reset (wipe/Sysprep-fresh) — partial OOBE retries carry contaminated state and produce phantom second failures.
Where Intune truth lives on a Windows endpoint — IME logs, MDM diagnostics, event channels, and the remote collect action.
Windows offers an enormous diagnostic surface — the skill is knowing which log answers which question, so the right five minutes replaces the wrong afternoon.
Match the Question to the Log
Question
Source
Did this app/script/remediation run, and what happened?
IME log: %ProgramData%\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log (+ AgentExecutor for scripts) — every detection check, download, install exit code
Did this policy arrive and apply?
Event Viewer: Applications and Services > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin — the MDM session log; pair with the portal's per-setting report for the server-side view
What's the join/identity state?
dsregcmd /status — AzureAdJoined, DomainJoined, PRT health; ends most "is it even joined" debates in one paste
Everything, packaged
MDMDiagnosticsTool -area DeviceEnrollment;DeviceProvisioning;Autopilot -cab — the support-case bundle
Enrollment plumbing specifics
Task Scheduler > Microsoft > Windows > EnterpriseMgmt (the sync tasks) + the same event channel
The Remote Path: Collect Diagnostics
The device blade's Collect diagnostics action pulls the standard bundle (event logs, IME logs, registry exports, config state) from a device you'll never touch — downloadable from the portal under Device diagnostics. For remote-workforce fleets this action is the bench; train tier-2 on reading its contents and half your escalations stop requiring a user's lunch hour.
Forcing and Verifying Sync
Sync from the portal (device action), from the device (Settings > Accounts > Access work or school > Info > Sync), or just wait — MDM checks in on its own cadence and IME on its own (~hourly) rhythm. Reading the timestamps in the sources above beats re-mashing Sync: "last session succeeded five minutes ago" reframes the question from delivery to content.
Insights
CMTrace/OneTrace-style viewers make IME logs legible — rolling logs, color-coded severity; reading them in Notepad is a self-imposed handicap.
The IME log rolls over fast on busy devices — collect promptly after reproducing, not tomorrow.
Build the habit: log with a question. The table above is the routing layer; the answer is usually three lines once you're in the right file.
When two authorities disagree — per-setting conflict triage, MDMWinsOverGP, and the registry where MDM truth lives.
A setting "not applying" on Windows usually means a setting applying twice — two Intune profiles disagreeing, or Group Policy and MDM both claiming a domain-joined device. This page is the disambiguation kit.
two Intune profiles disagreePer-setting reportRead the Conflict state, apply the one-home rule, delete the duplicate claim.
Group Policy and MDM both claim the areaMDMWinsOverGPFlip precedence for supported areas — transition tooling, not permanent architecture.
reports and reality disagreePolicyManager registryHKLM\SOFTWARE\Microsoft\PolicyManager — resolved values and per-authority deliveries.
Intune vs Intune
The Settings Catalog's per-setting reporting is the tool: Devices > the device > the per-setting status view shows every applied setting, its winning value, and Conflict states naming the contending profiles. The triage is mechanical:
Pull the conflicting setting's two (or more) source profiles from the report
Apply the one-home rule — every setting lives in exactly one profile per intent; the fix is deleting the duplicate claim, not nudging values until they coincidentally match
Recheck after sync — conflict states clear on re-evaluation
Baseline overlap is the classic source: baselines take positions on hundreds of settings, and any ad-hoc profile touching the same surface collides. Diff before deploying alongside a baseline.
GPO vs MDM (the Co-Managed and Hybrid Estate Special)
On hybrid-joined devices still in GPO's reach, both authorities can write the same policy area. The rules of engagement:
Default: for many ADMX-backed areas, GPO historically wins on conflict
MDMWinsOverGP (ControlPolicyConflict policy): flips precedence to MDM for supported policy areas — the migration-era lever that lets Intune take authority before the device leaves AD. It covers GP-vs-MDM for those areas; it is not a magic eraser for every legacy setting class
The endgame is not needing the lever: each policy area migrated deliberately, GPO scoped away from migrated devices, precedence flags as transition tooling rather than permanent architecture
Reading Device-Side Truth
When reports and reality disagree, the registry arbitrates: the PolicyManager hive at HKLM\SOFTWARE\Microsoft\PolicyManager — current\device shows the resolved MDM value per area; providers\<EnrollmentGUID> shows what each authority delivered. Pair with MDM Diagnostics (the logs page) and gpresult on hybrid devices, and you can name the winning authority for any setting in five minutes.
Insights
Conflicts are an architecture smell, not an incident class — a fleet generating steady conflict tickets has a profile taxonomy problem (one setting, one home) or a half-finished GPO migration; fix the taxonomy and the ticket class disappears.
During migrations, keep a dual-authority ledger: which policy areas have moved to Intune, which remain GPO, dated. The ledger converts "why is this setting weird" from archaeology into a lookup.
IME triage — detection loops, exit codes, download stalls, and the log lines that name the failure.
Win32 deployment rides the Intune Management Extension, and IME failures cluster into four families. Work them in order — targeting, download, execution, detection — because each family's evidence rules out the next.
Family 1Never startedTargeting, filters, applicability rules
Family 2Download failedProxy/SSL inspection, disk, firewall
Family 3Exited badlyThe installer's exit code tells the truth
Family 4Detection didn't confirmInstalled and working — reported failed
Family 1 — Never Started
No install attempt visible: targeting first, always — assignment, group, filter, and the applicability rules on the app itself (architecture, minimum OS, disk). The IME log shows apps it evaluated; an app absent from evaluation was never owed to this device. Sync health covers the device that isn't hearing about anything.
Family 2 — Download Failures
Content stalls: the IME log's download phase names it — proxy/SSL inspection mangling the CDN connection (the classic network-team conversation, with DO endpoints and your inspection exemptions as the agenda), disk space, or corporate firewall rules. Large-app stalls on thin sites are a DO design question wearing an incident costume.
Family 3 — Install Ran, Exited Badly
The contract: your installer's exit code tells IME the truth. The log records the command line executed and the code returned — reproduce that exact command in a SYSTEM-context shell on a test device and the mystery usually names itself: a per-user installer packaged in the wrong context, a dependency absent, a silent switch that wasn't. Map nonzero-but-benign vendor codes (the famous reboot-required values) in the app's return-code table so success stops reading as failure.
Family 4 — Installed, Then "Failed" Anyway
Detection did not confirm — the signature failure mode: install succeeded, the detection rule looked in the wrong place (32/64-bit registry redirection, version-string vs file-version mismatch, per-user paths checked in SYSTEM context), and IME reports failure while the app sits there working. Worse is the detection loop: detection passes before install (over-broad rule), so IME thinks it's done and supersedence/updates never fire. Author detection as carefully as the install (the packaging page's craft); validate both states — present and absent.
Where the Truth Lives
%ProgramData%\Microsoft\IntuneManagementExtension\Logs — IntuneManagementExtension.log and the AppWorkload/ActionProcessor companions, readable with CMTrace-style tooling. One device's story lives there; the fleet's story lives in the App Install Status report — cohort failures by error code, where the pattern (one site, one model, one OS ring) is usually the diagnosis.
Insights
The single highest-yield habit: test in SYSTEM context before assigning (the psexec-style local rehearsal) — ninety seconds that pre-empts Families 3 and 4 entirely, because you've already run exactly what IME will run.
A device stuck on an old build — how to tell whether it's policy, a safeguard hold, a broken update stack, or a failed expedite, and what to do for each.
A Windows device behind the update-ring curve has one of four causes. Three of the four are not device faults, so determine which one you have before touching the device. Start with the per-device state in Reports > Windows updates > Windows Update for Business reports (or the per-policy report under Devices > Windows > Update rings) — it tells you whether the device is on schedule, held, or genuinely failing.
Fleet viewReports > Windows updates (Windows Update for Business reports)
Per-device stateDevices > Windows > the device > check the assigned Update ring report
Device-side logEvent Viewer > Applications and Services > Microsoft > Windows > WindowsUpdateClient > Operational; plus C:\Windows\Logs\WindowsUpdate\
Error decodeMost WU error codes are documented; decode against Microsoft's published tables, don't guess
1. It isn't actually stuck — the policy math says wait
Your own deferral, deadline, and active-hours settings can legitimately place a device weeks behind the newest build. Walk the math first: offer date + feature/quality deferral days + deadline window + grace period. A device inside that envelope is compliant with your design, not broken — the fix for "too slow" is the ring policy conversation, not a device ticket.
The Windows Update for Business report's per-device state names where in the pipeline the device sits: Offered, Installing/Downloading, Pending reboot, Deadline pending, or Installed. A device in Pending reboot for days has downloaded the update and is waiting on a restart — that is a deadline-design question, not a delivery failure.
2. A safeguard hold is blocking the offer
Microsoft blocks feature-update offers to devices with a known compatibility issue (a driver, app, or firmware signature it has flagged). The device will sit on its current build no matter how aggressive your ring is. The Windows Update for Business reports surface hold status and the safeguard hold ID.
Confirm the hold in the report (the device shows as held with a hold ID rather than failing with an error code).
Treat the hold as information: it names a real incompatibility. Find and remediate the offending driver/app/firmware — that is the actual fix.
The DisableWUfBSafeguards CSP (surfaced in the update ring as the opt-out for safeguard holds) exists for lab/test devices that knowingly accept the risk. Do not opt a production fleet past a hold; you are overriding a real compatibility block.
3. The update stack on the device is broken
The device-side update components can wedge: store corruption, disk pressure, or a Delivery Optimization path that can't fetch content. Symptoms are real error codes in the WindowsUpdateClient event channel (e.g. 0x80070070 low disk, 0x80240034 / 0x8024200B download or install failures, 0x800F0922 on cumulative updates). Decode the code against Microsoft's published tables before improvising. The repair ladder, cheapest first:
Free disk space — feature updates need several GB. cleanmgr or Storage Sense; confirm the WU error wasn't simply 0x80070070.
Run the in-box update troubleshooter — Settings > System > Troubleshoot > Other troubleshooters > Windows Update.
Component repair — DISM /Online /Cleanup-Image /RestoreHealth then sfc /scannow.
Reset the update stack — stop the services, clear the cache, restart: net stop wuauserv bits, rename C:\Windows\SoftwareDistribution and C:\Windows\System32\catroot2, then net start wuauserv bits.
For the fleet-scale version, package that ladder as a Proactive Remediation (a detection script that flags wedged stacks by error code, a remediation script that runs the reset) so you fix the scatter without hand-touching each device.
4. An expedited update didn't land
Expedited quality updates bypass deferrals for a critical patch, but they still require the Windows Update health tools component (the update-health add-on installs automatically when you create an expedite policy) and an eligible servicing state. An expedite that "isn't working" is usually a case 3 problem wearing urgency. Check, in order:
The expedite policy actually targeted the device (Devices > Windows > the device > the expedite policy reports applied).
The device already has, or can install, the latest cumulative baseline the expedite builds on — expedites accelerate the offer, they don't skip prerequisites.
If both are true and it still fails, work case 3 (the stack is wedged).
Read the fleet by the shape of the lag
The KPI is the distribution: percentage of devices on the latest quality update within N days of release, charted per ring (pull it from the Windows Update for Business reports or the inventory report's patch columns). The pattern tells you the cause:
A whole ring lagging → policy (deferral/deadline) or a safeguard wave hitting that population.
A scattered set lagging → wedged update stacks (case 3) — these are the Remediation candidates.
One site lagging → bandwidth / Delivery Optimization can't fetch content efficiently there.
Insights
Restart avoidance is the silent majority of "stuck" tickets. A device in Pending reboot has already downloaded and staged the update — that's a deadline and grace-period design question (covered on the WUfB page), not a delivery failure. The per-device update state distinguishes won't-download from won't-reboot in one glance; they're different problems with the same user complaint.
Why a device stops getting policy or apps — the two independent channels (MDM sync and the IME), how to check each, and how to force a fresh cycle.
A Windows device holds two separate conversations with Intune, and they fail independently. The MDM sync delivers policy and compliance over the OMA-DM channel; the Intune Management Extension (IME) delivers Win32 apps and PowerShell scripts/Remediations. A device can apply policy perfectly while installing no apps, and vice versa — so identify the affected channel first, then run that channel's checks. The single most useful symptom-to-channel mapping: policy applies but apps don't install means MDM is healthy and the IME is sick; apps install but compliance goes stale is the reverse.
Force sync (portal)Devices > the device > Sync — pushes a WNS wake-up to the device
Force sync (device)Settings > Accounts > Access work or school > the work account > Info > Sync
Join/identity truthdsregcmd /status
IME serviceMicrosoft Intune Management Extension (IntuneManagementExtension)
The MDM sync channel
After enrollment the device checks in frequently, then settles into the steady-state schedule (roughly every 8 hours), plus push-triggered syncs over WNS when an admin clicks Sync or a policy changes. When sync stops, work these in order:
Scheduled-task plumbing. The sync is fired by the scheduled tasks under Task Scheduler > Microsoft > Windows > EnterpriseMgmt > {EnrollmentGUID}. A device with mangled task state only syncs when poked manually. Confirm the tasks exist and aren't disabled; the DeviceManagement-Enterprise-Diagnostics-Provider event channel (Admin) shows attempt-vs-success per session.
WNS reachability. Push sync rides Windows Notification Service. Networks that filter or SSL-inspect it sever the push channel — the device still polls on schedule, but "Sync now" stops being now. Get the WNS endpoints (*.notify.windows.com, *.wns.windows.com) onto the proxy / SSL-inspection bypass list with the network team. Microsoft's published network-endpoint list is the source of truth for the full set.
Identity staleness. A long-offline device returns with an expired token; a fresh user sign-in restores the channel. dsregcmd /status is the device-side truth for the join/registration state — check AzureAdJoined, TenantId, and the AzureAdPrt (PRT) status.
Isolate direction as always: a portal-side Sync tests service→device (does the push arrive?); the device-side Sync button tests device→service (can the device reach Intune?).
The IME channel
The IME is a Windows service with its own lifecycle, separate from MDM sync:
Confirm it exists and is running. Look for the Microsoft Intune Management Extension service (services.msc, or Get-Service IntuneManagementExtension). It installs only when the device receives its first Win32 app or script assignment — a device that has never been targeted has no IME at all, which surprises people who expect it on every enrolled machine.
Read the log heartbeat.%ProgramData%\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log — recent timestamps mean the IME is cycling; a log that stopped writing means the agent is wedged. See the Win32 app failures page for reading per-app outcomes.
Restart for a fresh cycle.Restart-Service IntuneManagementExtension forces a fresh evaluation of all assigned apps and scripts — the legitimate "turn it off and on again" of Win32 delivery.
The IME also self-updates. A fleet pinned on an old IME version when delivery misbehaves at scale is worth a Graph query against the agent version.
Fleet hygiene
The fleet's pulse is the lastSyncDateTime distribution — the spread of how recently each device checked in (visible in Devices > All devices as the Last check-in column, or via Graph). Set thresholds per fleet, not one global number: a kiosk quiet for a day is an outage, while a laptop quiet for a week may just be on vacation.
Insights
Always name the channel before you start fixing. "Policy applies but apps don't install" is MDM-healthy / IME-sick — go straight to the IME service and log. "Apps install but compliance is stale" is the reverse — check the EnterpriseMgmt tasks and token freshness. Identifying the channel halves the candidate fix list before you run a single command.
Turning "my computer is slow" into a named cause — which phase is slow, where to read the data, and the common culprits per phase.
"Slow" is undiagnosable until you decompose it into a phase. Decide which of the three phases the user means, then pull that phase's data. The fastest first move is Endpoint Analytics (Reports > Endpoint analytics), which scores boot and sign-in time per device and per model, so you can see whether one machine or a whole cohort is affected before you touch anything.
Per-device boot timingEvent Viewer > Applications and Services > Microsoft > Windows > Diagnostics-Performance > Operational (event IDs 100-110)
Startup-app censusTask Manager > Startup apps; or Get-CimInstance Win32_StartupCommand via a script
Phase 1 — Boot (power to the sign-in screen)
This is firmware, driver, and core-service territory — it happens before any user logs in. Endpoint Analytics' Startup performance tab breaks boot time into core boot, group policy, and other phases, scored per device and per model.
A fleet-wide slow boot clustered by model is almost always firmware or a driver — work the driver and firmware update lane for that model.
A slow boot that appeared on a date, across mixed models, is usually an agent or policy change — correlate the start date against your deployment timeline and check whether the canary/pilot ring saw it first.
Phase 2 — Sign-in (credential to a usable desktop)
This is the phase users actually mean by "slow logon." It covers profile load, policy processing, and everything that runs at logon. Read it from the Diagnostics-Performance event channel (event ID 100/101 record boot and logon durations and flag the slow component). The usual culprits, ranked by frequency:
Startup-app accumulation — every agent's helper and every installer's auto-updater launching at sign-in. Census them (Task Manager > Startup apps, or a Get-CimInstance Win32_StartupCommand inventory script) and prune the non-essential ones by policy.
Legacy logon scripts and drive-mapping surviving from the GPO era — synchronous logon scripts and mapped-drive reconnects serialize sign-in. Migrate or retire them.
Profile bloat where OneDrive Known Folder Move isn't redirecting the heavy folders, so the profile loads gigabytes at sign-in.
First-sign-in profile creation on shared PCs — a brand-new profile being built looks like slowness but is expected; only repeat sign-ins should be fast.
Phase 3 — In-session (during the working day)
App hangs and general sluggishness once the desktop is up. Endpoint Analytics' App reliability and Resource performance views surface the offending app and CPU/memory pressure per device. The classic pattern here is agent contention — two security products scanning each other or the same files. Resolve it only with vendor-documented mutual exclusions (the exclusion lists each vendor publishes for the other), never improvised exclusions that punch real holes in protection.
The data sources, in order
Endpoint Analytics for the fleet shape — which phase, which cohort, since when.
The per-device event channels (Diagnostics-Performance for boot/logon timing) for the named machine.
An A/B against a clean device — a freshly reset unit of the same model as a control. If the reset twin is fast, the delta is the accumulated state on the user's device, and a wipe-and-redeploy is often faster than chasing the cause.
Insights
Performance regressions are usually changes, not gradual decay. Before profiling, correlate the start date of the complaint cluster against your deployment timeline — new agent versions, baseline changes, new startup apps. The change calendar resolves more performance tickets than any profiler.
Publish the fleet's sign-in time p50/p90 from Endpoint Analytics quarterly even when nobody asks. The trend line is nearly free to produce and turns the next "everything got slower" escalation into a conversation about a chart with a baseline.
Twenty-plus vetted open-source projects for the Windows endpoint engineer — PSADT to OSDCloud to the diagnostics canon.
The Windows endpoint admin's open-source shelf — app packaging and delivery, Autopilot and imaging, baselines and drift, driver automation, diagnostics and reporting, and the tenant-wide Intune core.
Looking for everything across platforms? Browse the central Open-Source Toolbox — all 144 tools in one filterable, searchable place.
🧰 Intune core & tenant automation
Tenant-wide Graph automation, config-as-code, backup, and assignment analysis.
ugurkocde/IntuneAutomation — Curated library of ready-to-run Microsoft Graph PowerShell scripts (and Azure Automation runbooks) for Intune device operations, app management, compliance reporting, and monitoring.
MG-Cloudflow/Intune-Toolkit — WPF/PowerShell GUI to view and bulk-manage Intune policy and app assignments, audit what a security group has assigned, and back up/restore/document configurations.
Microsoft365DSC/Microsoft365DSC — PowerShell Desired State Configuration module that extracts, deploys, and continuously monitors full-fidelity Microsoft 365 (including Intune, Entra, and CA) tenant config as code, flagging and remediating drift.
Azure/enterprise-azure-policy-as-code — EPAC manages Azure Policy and policy assignments/exemptions as code in Git with CI/CD plan-and-deploy pipelines, giving admins desired-state governance and compliance enforcement at scale.
merill/graphxray — Browser DevTools extension that captures the Microsoft Graph calls behind clicks in the Entra/Intune portals and auto-generates equivalent PowerShell, C#, Java, or Go, so admins can script any portal action.
microsoft/EntraExporter — Microsoft PowerShell module that exports an entire Entra/Azure AD tenant configuration to versionable JSON files for Git-based backup, change tracking, and audit of identity and CA policies.
microsoftgraph/msgraph-bicep-types — Microsoft Graph Bicep extension that lets admins declare Entra/Graph resources (groups, apps, service principals) as Infrastructure-as-Code in Bicep templates alongside Azure resources.
microsoftgraph/msgraph-sdk-python — Microsoft's actively maintained Python SDK for Microsoft Graph, used to script tenant-wide Intune/Entra automation and reporting from Python instead of PowerShell.
DanielChronlund/DCToolbox — PowerShell module for Microsoft 365 security work, with cmdlets to export/import and bulk-deploy Conditional Access policies as JSON for managing CA as code across tenants.
fleetdm/fleet — MIT-licensed open-source cross-platform device management platform built on osquery and Apple's native MDM/DDM, letting admins manage profiles, OS updates, software, and CIS-benchmark compliance from one GitOps/API workflow alongside (or instead of) Intune.
🛠️ MDM internals & provisioning
MDM servers, enrollment, Autopilot/ADE, imaging, and profile authoring.
OSDeploy/OSDCloud — cloud OS deployment from WinPE; bare-metal-to-Autopilot without an on-prem task sequence
OSDeploy/OSD — Core PowerShell module behind OSDCloud for internet-based Windows reimaging from WinPE, with driver-pack management and Autopilot JSON injection for rebuilding or repurposing devices into Intune.
📦 App packaging & delivery
Build, package, wrap, and ship apps — Win32, PKG, VPP, winget, and CI pipelines.
ennnbeee/IntuneAppAssigner — Interactive PowerShell tool for bulk-assigning or replacing app assignments (including Apple VPP/license assignment) across Android, iOS, macOS, and Windows apps in Intune.
FlorianSLZ/scloud — Large companion library of Intune deployment scripts and Win32 packaging templates (Winget/Choco install-detect-uninstall, Autopilot, LAPS, Windows Hello, printers) for endpoint admins.
MSEndpointMgr/IntuneWin32App — PowerShell module to fully automate Win32 app lifecycle in Intune (package, create, assign, update) via Graph, enabling CI/CD app deployment instead of manual portal work.
MSEndpointMgr/IntuneAppFactory — Azure DevOps pipeline framework that auto-detects, downloads, packages, and publishes the latest version of onboarded apps as Win32 packages so admins keep Intune apps evergreen hands-free.
simeoncloud/IntuneAppBuilder — Cross-platform .NET console tool and SDK that packages MSI/Win32 installers into .intunewin and publishes them, letting admins build Intune app packages from CI runners on Windows, macOS, or Linux.
alcavix/IntuneWin-Creator — Modern WPF GUI that creates and extracts .intunewin Win32 packages with drag-and-drop, AES decryption, and PowerShell wrapper generation, giving admins a no-CLI alternative to the Content Prep Tool.
aaronparker/m365apps — PowerShell script and GitHub Actions workflow that builds an evergreen Microsoft 365 Apps (with optional Visio/Project) Win32 package for Intune, including detection and supersedence handling.
microsoft/winget-create — Microsoft's command-line manifest creator (wingetcreate) for generating and updating winget manifests, used by admins to publish apps to private winget sources feeding the Intune Enterprise App Catalog.
🔄 Updates, drivers & remediation
OS and driver updates, patch compliance, drift, and self-healing remediations.
maurice-daly/DriverAutomationTool — PowerShell WPF app that discovers, downloads, packages, and deploys OEM driver and BIOS updates (Dell, HP, Lenovo, Surface, Acer) to Intune or Configuration Manager.
aaronparker/remediations — Pester-tested library of ready-to-deploy Intune detection/remediation script pairs (firewall, AppX cleanup, Acrobat updates, Teams GPU, AV reporting) for Endpoint Analytics proactive remediations.
jantari/LSUClient — PowerShell module that orchestrates silent, unattended driver, BIOS/UEFI, and firmware updates for Lenovo PCs, ideal for Intune remediation or Win32 scripts that keep Lenovo fleets patched.
🛡️ Security, hardening & identity
Baselines, hardening, app vetting, Conditional Access, and identity posture.
scipag/HardeningKitty — audit actual device hardening against published benchmarks; the verification half of baseline work
ennnbeee/EPManager — PowerShell utility to bulk-export Intune Endpoint Privilege Manager elevation requests and turn them into EPM rule policies, speeding up least-privilege rollout on Windows.
ennnbeee/IntuneFirewallMigration — Updated revival of Microsoft's retired firewall-migration tool that captures Group Policy/local Windows Firewall rules and uploads them as native Intune Settings Catalog firewall policies.
maester365/maester — PowerShell test-automation framework that runs hundreds of curated security checks (EIDSCA, CISA SCuBA, CIS) against a tenant's identity, device, and app config and alerts on drift via GitHub Actions or Azure DevOps.
cisagov/ScubaGear — CISA's PowerShell tool that assesses a Microsoft 365 tenant against the SCuBA secure-configuration baselines (incl. Entra/CA) using Open Policy Agent and outputs HTML/JSON/CSV compliance reports.
Cloud-Architekt/EntraOps — PowerShell/DevOps project that classifies and monitors privileged access across Entra RBAC systems using Microsoft's Enterprise Access Model, helping admins identify and protect over-privileged identities.
p0w3rsh3ll/ASRRules — PowerShell module to enumerate, audit, and configure Microsoft Defender Attack Surface Reduction rules by friendly name, helping admins validate ASR posture before and after Intune deployment.
MHaggis/ASRGEN — ASR toolkit that generates GPO/Intune/PowerShell configurations for Defender Attack Surface Reduction rules and includes atomic tests to verify each rule actually blocks the behavior it should.
dafthack/MFASweep — PowerShell script that logs a test account into many Microsoft endpoints (Graph, ARM, EWS, web, ActiveSync, ADFS) to reveal protocols and Conditional Access gaps where MFA is not actually enforced.
CompassSecurity/EntraFalcon — Lightweight PowerShell tool that enumerates Entra ID privileged objects, risky role/app assignments and misconfigurations into interactive HTML reports, letting admins audit identity attack surface with no extra modules or Graph consent.
silverhack/monkey365 — Self-contained PowerShell security-assessment framework with 200+ checks for M365, Azure and Entra ID, scoring tenant configuration against CIS and best-practice benchmarks in a single HTML report for admins.
kayasax/EasyPIM — PowerShell module that manages Entra PIM role, group and Azure-resource settings and assignments as code, with drift detection, WhatIf and audit reporting so admins can govern privileged access without raw ARM/Graph calls.
microsoft/AaronLocker — PowerShell solution that generates and maintains strict AppLocker/WDAC application-control policies (deployable via Intune) to allowlist trusted apps and block unauthorized execution by standard users.
🔬 Diagnostics & device control
Logs, device queries, remote control, and lab / emulation.
JayRHa/IntuneDeviceTroubleshooter — WPF/PowerShell troubleshooting console giving a unified Intune+Entra device view with built-in actions (sync/restart), actionable recommendations, and one-click remediation triggering.
petripaavola/Get-IntuneManagementExtensionDiagnostics — Parses Intune Management Extension logs into an interactive timeline (Win32/WinGet apps, scripts, remediations, compliance, Autopilot ESP) with a cmtrace-style log viewer for fast deployment debugging.
ztrhgf/useful_powershell_modules — Home of the IntuneStuff PowerShell module (plus Graph/M365 helpers) with cmdlets to read client-side Intune policy results, scripts, Win32 apps, and logs straight from a managed device for troubleshooting.
📊 Reporting & monitoring
Dashboards, KQL packs, Power BI, and inventory reporting.
SMSAgentSoftware/IntuneAssignmentsReport — Azure Automation + Power BI reporting solution that pulls all Intune assignments (25+ item types) from Graph into a dashboard so admins can audit what is assigned where.
merill/idPowerToys — Generates a PowerPoint document of a tenant's Conditional Access policies so admins can review, share, and audit CA design without granting portal access.
AzureAD/AzureADAssessment — Microsoft's PowerShell tooling that collects Entra/Azure AD tenant configuration and hybrid component data and produces Power BI assessment reports on identity, app, and Conditional Access posture.
petripaavola/IntuneDeviceDetailsGUI — PowerShell tool that produces searchable HTML 'Resultant Set of Policy' reports for a device, surfacing assigned apps, policy conflicts, Win32 detection scripts, BitLocker keys, and LAPS for fast troubleshooting.
ugurkocde/IntuneMonitoring — Deploy-in-seconds Azure Workbook that gives a single-pane-of-glass view of device health, enrollment, compliance and app deployment across the tenant without an app registration.
ugurkocde/KQL_Intune — Curated library of KQL queries and Azure Workbooks (Audit, Compliance, Device, Operational) for analyzing Intune diagnostic data piped into a Log Analytics workspace.
ugurkocde/IntuneDeviceQuery — Copy-paste KQL query collection for Intune's on-demand Device Query, letting admins pull live hardware, security, registry and process inventory from enrolled Windows devices.
petripaavola/Get-WindowsTroubleshootingReportCommunity — Merges Windows Event Logs and Intune log files into one interactive, filterable HTML timeline with GUID-to-name resolution and community detection rules for endpoint troubleshooting.
MSEndpointMgr/IntuneEnhancedInventory — Collects rich custom inventory from managed devices and ships it securely (via an Azure Function) into Log Analytics with sample workbooks for reporting beyond Intune's built-in inventory.
haavarstein/intune-dashboard — Client-side browser dashboard that inspects a live tenant via Graph (managed devices, app deployments, BitLocker, compliance, Win11 readiness) or visualizes CSV exports with no backend.
greebo-labs/intune-patching-os-compliance-dashboard — Browser-based dashboard that ingests Intune CSV exports to produce executive patch-compliance, Windows OS-lifecycle and audit-ready reporting views entirely in-browser.
JayRHa/PowerBiDashboards — Ready-made Power BI (.pbix) dashboard templates for Microsoft Intune endpoint analytics and device-management reporting.
PowerStacks-BI/BI-for-Intune — Open-source Power BI template collection (Intune KPI, Support Desk, Windows 11 Migration Tracker, Windows Update for Business) for building Intune executive and operational reports.
microsoft/intune-tenant-doc — Microsoft-published PowerShell script that connects to any tenant via read-only Graph and exports a full Intune configuration inventory as per-platform and combined Markdown documentation.
Insights
Adoption rule for anything on this shelf: read the source of what you run before you run it, pin versions, and treat community tooling with tenant write-access like the privileged code it is — repo-versioned, reviewed, least-privilege app registrations.
MacOS · Fundamentals
MacOS Management Overview
How Intune manages Macs — the MDM channel, the agent, and what changes when the Apple device has a keyboard.
MacOS management with Intune rests on Apple's shared device-management foundation — ABM, APNs, VPP — then adds the realities of a desktop OS: local admin questions, agents, packages, and users who've owned Macs longer than IT has managed them.
The Two Channels
MDM — Apple's native management protocol: configuration profiles, DDM declarations, restrictions, app installs, device actions, all delivered via APNs. Nothing extra is installed to make this channel work — the capability ships with the OS and activates at enrollment.
The Microsoft Intune management agent — installed automatically when you assign shell scripts; it handles scripts and custom attributes — the operational glue the MDM protocol doesn't carry.
MDM for policy and apps; the agent for scripted glue. Knowing which channel owns what is half of troubleshooting.
Intunepolicy authority
→
APNswake-up channel
→
Macchecks in for profiles, declarations, actions
Device Identity in Entra ID
Macs register with Entra ID — they do not join. What varies is how strong that registration is and how the signed-in browser proves it; the device identity guide goes deep:
Path
Entra identity
What Conditional Access sees
Company Portal enrollment
Entra registered during enrollment sign-in
User + device compliance verdict
ADE enrollment
Entra registered, corporate record from first boot
User + compliance, supervision-grade management behind it
+ Platform SSO
Registration bound to the local account's Secure Enclave key
Browser SSO that carries device identity — the modern posture for device-based grants
What Makes Mac Management Distinct
Supervision comes with ADE enrollment and unlocks the deeper management controls — and because Macs run arbitrary third-party software, the management surface extends into PPPC privacy grants, system extensions, and packages: the approval layer that decides whether your security tooling actually runs.
Local accounts exist: admin-or-standard is a real decision (enrollment page), and Platform SSO is the modern answer to binding them to Entra identity.
No VPP-or-nothing: apps arrive as VPP, PKG, DMG, or script-installed — choosing correctly per app is a skill, and the choice determines update behavior, reporting fidelity, and uninstall cleanliness later.
What's Different From Jamf-Era Expectations
Mac admins arriving from Jamf will look for Smart Groups and policies-with-triggers; the Intune equivalents are dynamic groups + filters, shell scripts, and a configuration model that leans on Settings Catalog plus custom profiles. The capabilities map well; the idioms differ — this section teaches the Intune idiom rather than transliterating the old one.
The Honest Scope Statement
Intune's MacOS surface has matured fast (DDM updates, Platform SSO, PKG/DMG types, managed local-admin password rotation arriving across recent releases) — but Apple ships new management features every June, and adoption into Intune follows. The operating habit: check the What's new feed after each MacOS release, and where a gap is real, the custom profile escape hatch usually covers it.
ABM, APNs, and VPP — the Apple-side plumbing every managed Mac depends on: what each piece does, how to stand it up, and the renewal calendar that keeps it alive.
Apple runs one device-management foundation across its platforms, and your Mac fleet rides it end to end: Apple Business Manager anchors device ownership, APNs carries every management conversation, and Apps & Books (VPP) licenses App Store software. If another Apple fleet already lives in your tenant, most of the MacOS groundwork is already done — verify each component below and move on. If the Mac estate is your first Apple footprint, work this page top to bottom; it is the setup order.
Applies toEvery Apple device in the tenant
RequiresABM org + a dedicated IT role Apple Account
RenewalAPNs cert, ADE token, VPP token — all annual
Console pathIntune admin center > Apple enrollment settings
Prerequisites
An Apple Business Manager organization at business.apple.com — the verified org identity that anchors device ownership, with your reseller/carrier numbers registered so purchased Macs flow into ABM automatically.
A dedicated, documented Apple Account for IT (a role account, not a person's) to own the APNs certificate — this one decision prevents the worst renewal accident in Apple fleet management.
Intune administrator rights sufficient to upload certificates and enrollment tokens.
The Components, in Setup Order
Step 1APNs certificateRenew annually, always from the same Apple Account
Step 2ABM ↔ Intune tokenABM-owned serials flow in for ADE
Step 3MDM server defaultsNew hardware lands assigned, no human touch
Step 5Managed Apple AccountsFederation and naming strategy decided
Step 6Stray intake pathApple Configurator brings retail strays into ABM
Create the APNs certificate — nothing works without it. In the Intune admin center's Apple enrollment settings, download the certificate signing request; sign in to Apple's Push Certificates Portal (identity.apple.com) with the IT role account, create the certificate from that CSR, and upload the result back into Intune. One certificate serves every Apple device in the tenant. It expires annually: renew, never recreate, and always from the same Apple Account — a replacement certificate from a different account breaks the trust chain and forces the entire fleet to re-enroll. Put the expiry on a shared calendar and automate the watch with the connector health-check script.
Connect ABM to Intune (the enrollment token). In ABM, add Intune as an MDM server (uploading the public key Intune provides), download the server token, and upload it into Intune's enrollment configuration. This token is what lets ABM-owned Mac serials flow into Intune for Automated Device Enrollment — and it renews annually, on the same calendar and the same health check.
Set MDM server assignment defaults. In ABM's device settings, point the Mac default at the Intune server entry so newly purchased hardware lands assigned without a human touch — ABM routes each device type to its own default, which also matters if you ever run a transitional second MDM during a migration.
Stand up Apps & Books (VPP). Acquire Mac App Store apps in ABM, download the location token, upload it to Intune — licensed apps then deploy with no Apple Account sign-in required on the device. The token renews annually; license posture stays auditable with the VPP license report.
Decide the Managed Apple Accounts strategy — federation, naming, and who gets one; the strategy page carries the full decision.
Build the intake path for strays. Channel-purchased Macs appear in ABM automatically; retail-purchased and acquisition Macs can be added through an Apple Configurator intake flow so they too become ABM-known and ADE-eligible. Build this path before you need it — every fleet accumulates strays.
Verification
APNs: the certificate shows active with a future expiry, and a test Mac enrolls and responds to a sync within minutes — a dead or mismatched certificate presents as silence, not as an error.
Enrollment token: ABM-assigned Mac serials appear in Intune's enrollment device list after a token sync.
VPP: a licensed app assigns to a test Mac and installs without prompting for any Apple sign-in.
Because APNs and the ADE token are tenant-shared, the Apple connector calendar protects your Macs already — no new annually-expiring credentials arrive with the Mac fleet. The health-check script covers the full connector set in one run.
ABM-side hygiene: give Mac fleets their own MDM server default by device type (ABM routes each device type to its own default) if you ever run a transitional second MDM — the migration playbook's reassignment mechanics apply identically to Macs.
ADE versus user-approved Company Portal enrollment — and the local-admin decision that rides along.
Two real paths onto a Mac, and the same site-wide law: the path sets the ceiling.
the Mac is org-owned and ABM-knownAutomated Device EnrollmentSupervised, wipe-persistent, Setup Assistant onboards the user — nearly every corporate Mac.
it's org-owned but not in ABM yetApple Configurator intake, then ADEUser-approved enrollment is only the stopgap while the intake happens.
it's genuinely BYO hardwareUser-approved enrollment — or noneRestrained policy set, or browser-only access gated by Conditional Access. Decide as policy, not per-ticket.
The Decision
Org-owned Mac? → Automated Device Enrollment. ABM-known, supervised, enrollment survives erase-and-reinstall, Setup Assistant onboards the user. This should be nearly every corporate Mac.
Org-owned but not in ABM (acquisition strays, old purchases)? → Get it into ABM via Apple Configurator intake where feasible (the shared-foundation page covers the intake path) — then ADE. User-approved enrollment is the stopgap while you do.
Genuinely BYO Mac? → User-approved Company Portal enrollment with a restrained policy set — or, often better, no enrollment: App Protection-style data controls are not a meaningful option on MacOS, so the honest BYO-Mac choices are light enrollment or browser-only access gated by Conditional Access. Decide as policy, not per-ticket.
ADE's Setup Assistant flow lets you decide the first user's privilege (admin vs standard) and create a hidden managed admin account. The defensible modern posture is a trio: standard users, a managed local admin for break-glass (rotated per the local-admin rotation patterns), and Platform SSO binding identity to Entra. The countervailing Mac-culture reality — developers and power users with legitimate admin needs — is solved with a defined elevation path, not blanket admin. Write the policy before the first ADE profile, because retrofitting privilege downward is a political project.
Insights
A Mac's enrollment story is verifiable in seconds: profiles status -type enrollment answers ADE-known/enrolled/supervised in one command — the diagnostics page builds on it.
Mixed Jamf-to-Intune estates: Macs cross over on the migration playbook's mechanics — ABM server reassignment + erase for ADE fleets; there is no dual-MDM Mac.
OS support windows, Apple silicon realities, and the procurement-to-retirement arithmetic for MacOS fleets.
Lifecycle discipline for a MacOS fleet runs on its own constants: Apple's hardware lasts longer than most refresh plans assume, the OS support model is convention rather than contract, and the silicon transition still shapes purchasing. This page is the procurement-to-retirement arithmetic.
1/yrmajor MacOS release cadence
n-2oldest release still receiving security updates, by convention
4–5 ycommon Mac refresh cycle — budget on OS-eligibility, not failure
The OS Support Reality
Apple ships a major MacOS annually and, by long-standing convention rather than published commitment, delivers security updates to the current release plus the two prior. The planning consequences:
Your update policy floor rides that n / n-1 / n-2 window — a fleet on the oldest supported release has zero buffer when the next major ships
Hardware ages out of OS eligibility: each major release drops older models; a Mac that can't take the current OS begins a countdown the compliance patch floor will eventually enforce. Track OS-eligibility horizon per model in a fleet EOL ledger — model, purchase window, last eligible OS, planned exit date — reviewed quarterly
Major-release adoption on Mac deserves deliberate lag: let the ring-1 population and your agent vendors validate against the new release — the annual "our security agent broke on the new MacOS" cycle is real, and the ledger of vendor-support statements is the antidote
Apple Silicon as a Fleet Property
Intel stragglers in a silicon fleet are a management split, not just a speed gap: Rosetta deployment for translated apps, divergent recovery flows, different security architecture underneath FileVault and boot security. Most orgs should be silicon-complete by now; if Intel units persist, give them their own filter dimension and a retirement date.
The Refresh Arithmetic
Mac refresh cycles run longer (4–5 years is common) — budget against the OS-eligibility horizon rather than hardware failure: a Mac is fleet-viable while it runs a securely-updated OS and your agent stack supports that OS. Residual value is real on Mac — buyback programs materially offset refresh cost, which is a finance conversation worth having with ABM procurement data in hand.
Retirement Checklist
Activation Lock release first, wipe second (Erase All Content and Settings on silicon — the recovery page covers the mechanics and the Activation Lock discipline), ABM unassignment for devices leaving the org, and Intune object cleanup on a scheduled stale-device rhythm. The Activation Lock line is the one that bites resale: a locked Mac is worthless to the buyback program until released.
Step 1Release Activation LockA locked Mac is worthless to the buyback program
Step 2WipeErase All Content and Settings on silicon
Step 3Unassign in ABMFor devices leaving the org
Step 4Clean up Intune objectsOn the scheduled stale-device rhythm
Insights
Run the lifecycle KPI trio: average fleet age, % on supported OS, % past OS-eligibility — three numbers that turn Mac refresh budgeting from negotiation into evidence.
The Mac-specific migration playbook — re-enrollment mechanics, artifact mapping, and what doesn't translate.
Mac estates arriving at Intune usually arrive from Jamf, and the move is the universal migration choreography with Apple-specific mechanics: MDM enrollment is exclusive, so every Mac re-enrolls, and the artifact translation is real work.
The Non-Negotiable Mechanics
One MDM at a time: the Mac must unenroll from Jamf before Intune can manage it — there is no coexistence period per device, only per fleet.
ADE devices re-anchor in Apple Business Manager: reassign the device's MDM server assignment from the Jamf instance to Intune's enrollment token — the supervision and ADE benefits carry; the enrollment itself still requires the device to re-enroll (an EACS-or-wipe decision on silicon, or a user-driven re-enrollment flow for gentler waves).
FileVault keys do not migrate: escrowed keys live in Jamf; the Intune-side escrow populates on key rotation post-enrollment — sequence the rotation profile early and verify escrow coverage before anyone declares victory, because the gap window is real.
The Artifact Translation Map
Jamf artifact
Intune destination
Configuration profiles
Settings Catalog first, custom .mobileconfig for the remainder — audit each profile's payloads rather than bulk-importing a decade of accretion
Policies + scripts
Shell scripts and the app pipeline — Jamf "policies" decompose into Intune scripts, apps, or profiles depending on what they did
The translation is also the audit: most Jamf estates carry years of one-off policies; migrate intent, not inventory.
Do
Reassign the ABM MDM server entry from Jamf to Intune before each wave
Sequence the FileVault key-rotation profile early and verify escrow coverage per wave
Audit each Jamf profile's payloads — migrate intent, not inventory
Don't
Plan for per-device MDM coexistence — enrollment is exclusive
Bulk-import a decade of profile accretion
Declare victory while escrowed keys still live only in Jamf
The Wave Design
Agent kit staged first (PPPC/extensions for your security stack pre-approved in Intune before any Mac arrives), pilot wave of IT's own Macs, then population waves with compliance plus Conditional Access as the deadline lever — with the FileVault escrow check added to each wave's exit criteria.
Stage 1Agent kit pre-stagedPPPC and extensions approved in Intune before any Mac arrives
Stage 2Pilot waveIT's own Macs cross first
Stage 3Population wavesCompliance + Conditional Access as the deadline lever
Stage 4Wave exit checkFileVault escrow verified before the next wave
Insights
Run the capability-gap review before committing dates: deep Jamf estates use features (complex Smart Group logic, patch-title automation, extension-attribute-driven workflows) whose Intune equivalents are adjacent rather than identical — the honest-differences conversation up front converts surprises into design inputs.
Rosetta, universal binaries, virtualization, and the silicon-specific facts that shape Mac fleet operations.
The lifecycle page treats Apple silicon as a procurement fact; this page treats it as an operations fact — the handful of silicon-specific behaviors that surface in deployment, security, and the lab.
Rosetta 2: the Translation Layer
Intel-built software runs on silicon through Rosetta — installed on demand, which under management means you install it up front, by script: the one-line scripted install during enrollment for any fleet whose app estate isn't verifiably universal, because the alternative is per-user prompts and "bad CPU type" tickets. The audit side: a custom attribute censusing translated processes tells you which vendors still owe you universal builds — the lane-orphan review's architecture cousin, and a renewal-conversation lever.
The Security Architecture Dividends
Silicon is why the modern Mac security pages work the way they do: the Secure Enclave underwrites Managed Device Attestation and Platform SSO's key-based modes; sealed system volumes and boot security feed the recovery model — EACS's minutes-not-hours erase is a silicon-era cryptographic property, and DFU revive is its bench-side sibling. One slide in the architecture doc connecting these makes every later review faster.
Virtualization: the Lab Multiplier
Silicon Macs virtualize MacOS natively (Apple's Virtualization framework, with UTM as the open-source face) — disposable MacOS VMs for profile testing, enrollment rehearsals, and OS-release validation without a hardware drawer. The constraints: VMs aren't ABM-known hardware, so ADE-specific flows and attestation-grade scenarios still want a physical bench unit or two; everything else — payload behavior, script validation, agent-kit dry-runs — virtualizes beautifully. Licensing terms bound VM counts; read them once and design the lab inside the lines.
Insights
The Intel-straggler dimension deserves explicit filter treatment until it's zero: divergent recovery, no MDA, different performance envelopes — a fleet that can't say "we are N% silicon" by query is carrying an invisible operational fork, and the retirement date for the fork belongs in the lifecycle ledger, not in vibes.
What enrollment actually creates in Entra ID — the registered device record, the Platform SSO upgrade, and why stale records quietly break access.
Every managed Mac exists twice: as an Intune device object (management — policy, apps, inventory) and as a Microsoft Entra ID device record (identity — what Conditional Access actually evaluates). Intune computes the compliance verdict against its object and stamps it onto the Entra record; access decisions read it from there. Most "enrolled but blocked" mysteries are daylight between those two records.
Trust typeMicrosoft Entra registered — never joined
BrokerEnterprise SSO plug-in inside Company Portal
Upgrade pathPlatform SSO binds the local account to Entra ID
What Enrollment Produces in Entra ID
When a Mac registers, Entra mints a device record with trust type Microsoft Entra registered, and the Mac receives a workplace join (WPJ) certificate — hardware-bound, and accessible only to the Microsoft Enterprise SSO plug-in that ships inside Company Portal. That certificate is how the Mac proves "I am device X in your directory" when apps and browsers request tokens; the device ID it asserts is the key Conditional Access uses to find the compliance verdict. Every enrollment path produces this same trust type — what differs is when the record lands.
Registered, not joined
Macs register with Entra ID; they do not join it. Registered is the only trust type a Mac record will ever carry, so device-based access for Macs rests entirely on the compliant device grant — a control demanding a joined device can never be satisfied from a Mac.
Three Paths, Three Registration Moments
Enrollment (the MDM relationship) and registration (the Entra record) are separate events, and the gap between them is where first-week tickets are born:
After setup — a Company Portal sign-in at the desktop completes registration
The classic gap: managed but unregistered, and Conditional Access blocks until that sign-in
ADE with Platform SSO registration during enrollment
During enrollment itself — the PSSO payload completes registration before the desktop
Closes the gap; the modern target for corporate Macs
Respect the middle row: a modern-auth ADE Mac reaches the desktop fully managed — and every Conditional Access-protected app bounces the user toward Company Portal until the registration sign-in happens. Write that step into onboarding comms, or let Platform SSO's registration-during-enrollment delete the human step entirely.
The Platform SSO Upgrade
Plain registration gives the Mac an identity; Platform SSO gives it a relationship. The local account binds to Entra ID, the SSO extension becomes the broker for authentication and Conditional Access on the device, and in Secure Enclave mode the credential is hardware-bound and phishing-resistant (the passkeys page continues that thread). For the identity story this changes three things: registration ties to the local account that performed it, sign-in state stays consistent between the OS and Entra, and browsers acquire device identity silently through the broker instead of certificate-picker prompts. Conditional Access stops being something users experience and becomes something simply true of the device.
Compliance Binds to the Record
The sequence that makes a Mac "compliant" in a token: enrollment establishes management → registration creates the Entra record → the first check‑in lets the compliance policy evaluate → the verdict lands on the Entra record → Conditional Access reads it at sign-in. A brand-new Mac showing noncompliant for its first minutes is this sequence mid-flight, not a failure; one stuck there past fifteen minutes usually has an unfinished registration, not a policy problem.
Step 1EnrollEnrollment establishes management
Step 2RegisterEntra mints the device record
Step 3EvaluateFirst check‑in runs the compliance policy
Step 4StampThe verdict lands on the Entra record
Step 5GateConditional Access reads it at sign-in
The Bootstrap Token Is Authority, Not Identity
Two trust fabrics run through a managed Mac, and they never touch. The bootstrap token — escrowed to Intune during ADE enrollment — is Apple-side authority: it lets MDM authorize operations that need SecureToken/volume-ownership powers on Apple silicon, like enforced software updates and kernel-adjacent work. It plays no role in Entra registration, tokens, or Conditional Access. Map symptoms: access blocked → registration/WPJ side; updates refusing to authorize → bootstrap side (profiles status -type bootstraptoken).
Erase, Re-Enroll, and Stale Records
Each registration mints a fresh device ID, so the erase-and-re-enroll loop that makes Mac recovery so fast also manufactures duplicates: one piece of hardware, several Entra records, only one of them live. Stale records don't block access — the Mac presents its current certificate — but they poison dashboards, inflate noncompliant counts, and make dynamic groups lie. Clean deliberately:
Dedupe by serial number, never display name. Serial is the only honest key; a fleet of identical "MacBook Pro" display names will name-match you into deleting live records.
Identify the live record before touching anything — the device ID from a fresh sign-in log entry, or the record Intune currently maps to, marks the survivor.
Clean the Intune side first, with the escrow caution: the escrowed FileVault recovery key rides the Intune device record — confirm the surviving record holds a valid key and rotate after cleanup rather than discovering the gap at unlock time.
Then the Entra side: disable, soak, delete. Filter on the activity timestamp with a generous window, disable first, and delete only after nothing has screamed for a couple of weeks.
Hardening: Managed Device Attestation
Registration as described is still assertion — the record exists because software said so. Managed Device Attestation upgrades the foundation: the Secure Enclave proves genuine hardware and properties to Apple's attestation service, and device certificates become silicon-rooted instead of software-held. As access design leans harder on the device record, MDA makes the record worth trusting.
Insights
"Enrolled but blocked" is a registration diagnosis until proven otherwise: check Company Portal sign-in state before re-pushing policy — the enrollment triage page and the PSSO triage page split the failure modes.
One Mac accumulating several Entra records across its life is normal, not pathological — but dashboards that count records instead of serials report a fleet you don't own. Dedupe by serial before any number leaves your team.
Treat registration as part of enrollment in the runbook: every path that leaves it to a human eventually meets a human who skips it.
ADE on MacOS — the enrollment profile decisions, Setup Assistant account creation, and the bootstrap token.
ADE is the Mac's supply-chain enrollment path: ABM-known serials hit Setup Assistant, management is mandatory and wipe-persistent, and supervision unlocks the full management surface. The Mac adds two consequential dials: local account creation and await final configuration.
Applies toOrg-owned, ABM-known Macs
RequiresHealthy APNs cert + synced ADE token + serial assigned in ABM
Console pathDevices > MacOS > Enrollment
Survives wipeYes — re-enrolls at Setup Assistant
Prerequisites
The shared Apple foundation in place: a healthy APNs certificate, the ABM ↔ Intune enrollment token synced, and the Mac's serial assigned to Intune's MDM server entry in ABM.
The local-account decision made in writing — admin vs standard, and whether a hidden managed admin exists. The profile encodes policy; write the policy first.
The day-one payload identified: FileVault, PPPC grants, and the security stack worth holding Setup Assistant for.
Building the Enrollment Profile
Under Devices > MacOS > Enrollment (ADE token section), create the profile and work the decisions in order:
Set user affinity. Enroll with affinity for 1:1 Macs (the norm); Setup Assistant authenticates with Entra (modern auth via Company Portal flow per current platform guidance), tying the device to its primary user for licensing, compliance, and self-service.
Decide account creation — the big one. Create the primary user as standard (recommended; see local account strategies) and define a hidden managed administrator account for IT break-glass. This is where the no-standing-admin posture is born; retrofitting it later is a political project.
Enable await final configuration. Setup Assistant holds until critical profiles land, so FileVault, PPPC grants, and the security stack arrive before the desktop does — the difference between a Mac that is compliant at first login and one racing its own policies.
Trim Setup Assistant panes. Skip the consumer panes (Apple Intelligence, Siri, Screen Time, analytics) per fleet taste — every retained pane is a decision delegated to the user; the Setup Assistant page carries the full strategy.
Assign the profile via the token's device list, and build enrollment-profile-based dynamic groups downstream so day-one targeting follows the enrollment path automatically.
The Bootstrap Token (Quietly Critical)
On ADE Macs, the bootstrap token escrows to Intune automatically — it's what lets MDM authorize things that need SecureToken/volume-ownership powers on Apple silicon: kernel-adjacent operations, some software-update and account flows. You don't configure it so much as verify it (profiles status -type bootstraptoken) when deep operations misbehave — a missing bootstrap token is a classic root cause on Macs that enrolled through odd paths.
First-Boot Flow and Verification
Unbox → Setup Assistant → Remote Management screen → Entra sign-in → account created per profile → await-config holds while the assigned-at-enrollment stack lands → desktop with compliance evaluating and Conditional Access gating. Verify a pilot unit end to end before fleet rollout: profiles status -type enrollment reports the Mac as ADE-known and enrolled, the hidden admin exists but stays off the login window, and the security stack is already running at first desktop. The user experience brief writes itself: "sign in, wait two minutes, work."
Step 1UnboxSetup Assistant on first power-on
Step 2Remote ManagementThe Mac learns it's managed
Step 3Entra sign-inUser affinity established
Step 4Account createdPer profile — standard user + hidden managed admin
Step 5Await config holdsFileVault, PPPC, security stack land first
Erase-and-reinstall is your friend: ADE re-enrollment after erase makes "wipe it" a legitimate, fast fix on Macs — Erase All Content and Settings (Apple silicon) brings a Mac back to Remote Management in minutes, not the reimage-afternoon of old.
Pilot the account-creation matrix explicitly: admin/standard × hidden-admin presence × Platform SSO later — these interact, and the Platform SSO page assumes you landed on standard-user + managed admin.
The non-ADE path — what it's for, what it can't do, and how to keep it from becoming the accidental default.
User-approved MDM enrollment via Company Portal is the Mac's manual path: the user downloads Company Portal, signs in, and approves the management profile by hand. Legitimate for its niche; corrosive when it quietly becomes how corporate Macs enroll.
SupervisionNo — the deeper restriction set stays out of reach
Survives wipeNo — erase returns an unmanaged Mac
The Flow
User installs Company Portal for Mac (from your portal link or pushed guidance), signs in with Entra credentials.
The enrollment walks them through downloading and approving the management profile in System Settings — the "user-approved" act that grants MDM its powers (without approval, large parts of MDM are inert by Apple's design).
Device enrolls, policy applies, compliance and CA take over.
What You Don't Get
No supervision — the deeper restriction set and several modern features stay out of reach.
Removable management — the user approved it; the user can revoke it. Access dies with the profile (CA sees to that), but the device was never anchored.
No wipe-persistence — erase the Mac and it returns as an unmanaged retail device; compare ADE's gravity.
No Setup Assistant account control — the local-account posture is whatever the user already built.
Where It's the Right Answer
Genuine BYO Macs, with a deliberately light policy set and the BYO-Mac strategy decision made consciously.
Stopgaps: the acquisition's fifty Macs get user-approved enrollment for compliance-gated access this month, and ABM intake + erase-to-ADE on the migration plan next quarter.
Lab/eval machines where ABM ceremony isn't worth it.
Keeping It Contained
Enrollment restrictions can fence who may use this path; reporting tells you whether the fence holds — put the enrollment-type split on a monthly review and watch it trend toward ADE. A corporate Mac discovered on user-approved enrollment isn't a config error, it's a procurement-to-ABM pipeline leak — fix the pipe, then re-enroll the Mac properly.
Insights
The approval ceremony confuses users exactly once per Mac — a three-screenshot guide in your portal text reduces the "it says profile not approved" tickets to near zero.
MacOS prompts are security theater to users until explained: one line — "this is what lets your Mac pass the company's access checks" — converts suspicion into a tap.
Designing the Mac out-of-box experience — pane skipping, the await-configuration gate, and what lands before the desktop.
The ADE page establishes the pipeline; this page designs the experience — what a user sees between power-on and desktop, and what your tenant guarantees has landed before they get there.
The enrollment profile's Setup Assistant section skips panes per your design. The doctrine: skip everything that delays value or invites configuration drift — Apple Account sign-in (corporate Macs run corporate identity), Siri, Screen Time, analytics, the personalization parade — and keep only what the flow genuinely needs (network, and the account-creation step your account strategy dictates). Every retained pane is a support-call generator during enrollment week; every skipped pane is a decision your profiles make instead.
Awaiting Configuration: the Provisioning Gate
The await device configured behavior in the enrollment profile holds the device in Setup Assistant while the MDM delivers the critical initial payload, rather than racing the user to the desktop. What belongs in that window is a deliberately short list — the agent-enablement kit (PPPC, extensions, login items so security tooling activates without prompts), FileVault enablement posture, core restrictions — and not the 6 GB app suite, which streams post-desktop while the human works.
The await window surfaces little granular user-facing status while it runs, so set expectations by time-boxing the window in your design (decide what must land, measure how long it takes) and validating it in ring-1 enrollment rehearsals on real hardware over real networks.
The First-Login Sequence
Post-Setup-Assistant, the remaining stack arrives in rough order: profiles complete, scripts fire, the app pipeline (VPP first, PKG lanes after) streams, Platform SSO registration prompts on schedule. Document the expected first-hour timeline for the helpdesk — "Slack appears within 20 minutes" written down converts day-one anxiety into a checklist.
Insights
Rehearse the bad-network enrollment deliberately: hotel Wi-Fi, captive portals, 802.1X-gated office jacks — the await-configuration window's failure modes live there, and the enrollment-failure triage you write afterward will be the most-used page in your internal runbook.
The pane-skip list needs an annual pass: each MacOS release adds Setup Assistant steps, and an unreviewed profile greets next year's hires with panes you never decided to show.
Admin or standard, hidden managed admins, and identity-linked account creation — deciding who the Mac thinks its users are.
Every managed Mac asks a foundational question: who gets the local account, and with what rights? The answer shapes your security posture, your helpdesk load, and your Platform SSO design.
The Primary Decision: Standard vs Admin
The ADE profile's account-creation settings decide what the user becomes:
Standard user — the defensible default: malware runs with user rights, configuration drift drops, audit posture improves. The historic Mac objection ("everything prompts for admin") has aged badly — managed software arrives via the app pipeline, settings via profiles, and the genuine elevation long-tail is smaller than folklore claims.
Admin user — still common in Mac culture, especially developer fleets; if you grant it, grant it knowingly with compensating controls (Gatekeeper posture, EDR, and the honesty that admin users can alter both).
The pragmatic middle that many estates land on: standard users fleet-wide, admin by documented exception for the populations whose workflow genuinely demands it. Intune has no native just-in-time elevation story for the Mac yet, so third-party elevation tools fill that slot where the exception list grows — and the principle stands either way: elevation should be an audited event, not a standing right.
the workflow has no genuine elevation needStandard userThe defensible default — malware runs with user rights, drift drops, audit posture improves.
the population's workflow genuinely demands elevationAdmin by documented exceptionGranted knowingly with compensating controls — or a third-party elevation tool making elevation an audited event.
The Managed Administrator Account
The enrollment profile can create a hidden managed admin during ADE — the break-glass identity that makes standard-user fleets serviceable. Treat its credential as a managed secret: unique-per-device or rotated (the rotation page covers the patterns), hidden from the login window, used by process rather than memory.
Identity Linkage
Account creation can ride the enrollment's identity flow — the local account taking shape from the Entra sign-in — and Platform SSO then keeps local and cloud credentials aligned from day one. Naming discipline matters more than it looks: a fleet of jsmith-style short names created consistently beats the archaeology of user-invented account names three years later.
Insights
Migrating existing Macs to standard-user is its own mini-project: demote by script in waves, with the managed-admin and elevation story landed first — removing rights before the elevation path exists generates the exact ticket spike that discredits the whole project.
Whatever the strategy, write down the account model per fleet (who's standard, who's admin, what the hidden admin is for) — it's two paragraphs, and it's the document every security review and every new admin asks for.
Gating which Macs enroll and how — personal-device blocks, version floors, and the corporate-channel guarantees.
Enrollment restrictions are the tenant's door policy for Macs: corporate machines through the ADE front door, personal Macs handled deliberately or not at all — and the restriction set is what makes that intent enforceable rather than aspirational.
The Restriction Surface
Device platform restrictions, MacOS edition:
Block personally owned MacOS devices — the high-leverage gate. ADE devices are corporate by ABM construction and pass; the personal MacBook with a Company Portal download doesn't device-enroll. The personal-Mac population then gets the deliberate tier: browser access under Conditional Access session controls, or nothing — MacOS offers no meaningful MAM tier, so the access-tier table has fewer rows and the design doc should say so plainly.
Minimum OS version at the door — aligned with the n / n-1 / n-2 support window so museum builds bounce at enrollment rather than aging inside compliance.
Device limits — Macs accumulate per user across refresh cycles; the limit plus a scheduled stale-device cleanup keeps the per-user pile honest.
The Channel Guarantees
Restrictions decide whether; the enrollment channel decides how much management you get:
ADE: supervision, await-configuration, mandatory MDM, the full feature surface — the only channel corporate Macs should ride
User-approved/Company Portal enrollment: real management with consent-shaped edges — appropriate for the transitional estate (mid-migration Macs and the pre-ABM long tail), with a plan to converge on ADE at refresh
The restriction set should make the unintended channels impossible: with personal devices blocked and corporate hardware ABM-assigned, every enrolled Mac arrived supervised through the front door — which is the property your security baseline silently assumes
Do
Block personally owned MacOS devices so only ABM-built hardware device-enrolls
Set the minimum-OS floor at the door, aligned to the n / n-1 / n-2 window
Review the enrollment-type split quarterly and trend it toward ADE
Don't
Expect a restriction change to fix already-enrolled stock — it gates new enrollments only
Let user-approved enrollment become the accidental corporate default
Leave the personal-Mac tier undecided — browser-only under Conditional Access, or nothing
Insights
Audit the channel mix quarterly: the enrollment report split by enrollment type should trend toward ADE-total; a persistent user-approved population marks either ABM-assignment gaps in procurement (fixable at the reseller) or a BYOD-Mac shadow program that deserves a real decision instead of an accident.
Restriction changes are forward-looking — they gate new enrollments only — so pair posture tightening with a sweep of the already-enrolled stock that no longer fits.
Erase All Content and Settings, recovery flows, and DFU revival — getting Macs back to managed from any state.
The cloud-native promise — any device returns to known-good fast — needs MacOS mechanics. Modern Apple silicon makes this genuinely good; this page is the ladder from gentle to forensic.
Rung 1EACSCryptographic erase to out-of-box in minutes — ADE catches it at Setup Assistant
Rung 2RecoveryOSMacOS reinstalls, startup security, disk repair
Rung 3DFU revive / restoreBench operation via a second Mac running Apple Configurator
Rung 1 — Erase All Content and Settings (EACS)
On Apple silicon (and T2-era hardware), EACS is the transformative tool: a cryptographic erase that resets the Mac to out-of-box without reinstalling MacOS — minutes, not hours. Issued locally or as the MDM erase action, the device reboots into Setup Assistant where ADE re-enrollment catches it automatically. The practical consequences:
"Reprovision it" becomes a tier-1 fix — the synced-data posture (user files living in OneDrive or equivalent managed sync) decides how true that is; a Mac whose user data lives in synced services rebuilds in under an hour
Offboarding, device transfers between users, and the migration waves all ride this rung
Activation Lock discipline decides whether the next hour is smooth: a locked Mac post-erase is a paperweight until released — the bypass-code escrow and ABM-release flow belong in the runbook before the first erase
Rung 2 — RecoveryOS
The local recovery environment handles the mid-tier: MacOS reinstalls for genuinely corrupted systems, startup security settings, disk repair. Under management, recovery access intersects your security posture — the recovery lock / firmware-password story (set via MDM on supported hardware) gates what an unauthorized hand can do from recovery, and the lock's escrow is another credential-rotation citizen.
Rung 3 — DFU Revive and Restore
Apple silicon's last resort: a Mac that won't boot at all connects to a second Mac running Apple Configurator for a revive (firmware repair, data preserved) or restore (full re-flash, data gone). It's a bench operation — cable, second Mac, current Configurator — and a fleet of any size should have one bench rehearsed on it, because the alternative is a depot ticket and a week.
Insights
The ladder's existence changes troubleshooting economics: past thirty minutes of diagnosis on a weird-state Mac, EACS-and-re-enroll is usually the cheaper path — if the data posture and Activation Lock discipline make it casual. Those two prerequisites are the actual project.
Rehearse the full loop quarterly: erase a lab Mac, watch it land back at the desktop fully managed, time it. That number — not the architecture diagram — is your real recovery SLA.
The MacOS configuration surface — Catalog first, custom .mobileconfig for the gaps, preference files for app settings.
Three layers configure a Mac, in strict order of preference: the Settings Catalog, custom configuration profiles, and preference-file payloads for application settings. Master the order and the Jamf-refugee question — "where do my config profiles go?" — answers itself.
the Settings Catalog surfaces the settingSettings CatalogThe default home for new MacOS policy — one setting, one home.
the payload isn't in the Catalog yetCustom .mobileconfigThe escape hatch — versioned in Git, retired when the Catalog catches up.
you're configuring an app's own settingsPreference file payloadManaged values pushed into the app's preference domain.
1. Settings Catalog (Default Home)
The Settings Catalog is the default home for new MacOS policy, with a deep payload set: restrictions, login window, FileVault-adjacent settings, Platform SSO, PPPC, extensions and login items, Microsoft AutoUpdate and Office preferences, and more — searchable by friendly name and Apple's payload keys, with Apple's Device Management documentation as the authoritative key reference. New policy starts here; one setting gets one home, and profile conflicts are resolved by never creating them.
2. Custom .mobileconfig (The Escape Hatch)
For payloads the Catalog hasn't absorbed: build the profile in iMazing Profile Editor (the community standard — every Apple payload, documented inline), upload under Devices > MacOS > Configuration > Templates > Custom. The custom-profile discipline applies — versioned in Git, descriptions explaining why, retired when the Catalog catches up. A custom profile is a dated artifact, not a permanent home.
3. Preference Files (App Settings)
MacOS apps read settings from preference domains (com.vendor.app plists) — and the Preference file payload pushes managed values into any domain: Office behaviors, Chrome policies (com.google.Chrome), your LOB app's config. The pattern: find the vendor's documented keys (or read them from an existing plist with defaults read), deliver them managed, and the app launches configured. Managed preferences generally win over user-set values while the profile is present — which is the point.
Insights
Test profile removal, not just installation — Mac profiles can leave configured state behind differently per payload; the retire/offboard behavior belongs in your pilot checklist.
sudo profiles show (and profiles list) on a lab Mac shows exactly what landed, from where — the ground-truth companion to the portal's per-setting report; full workflow in diagnostics.
Naming and repo discipline as everywhere: Mac-<Area>-<Audience>-v<N>, IntuneCD-backed — config-as-code is platform-agnostic hygiene.
Declarative update enforcement on MacOS — deadline-driven, evaluated on-device, and the single biggest upgrade to Mac fleet hygiene in a decade.
MacOS 14+ brought Declarative Device Management (DDM) software updates to the Mac — an enforce-by-deadline engine that turns Mac patching from a request into a policy, and the most consequential change to Mac fleet hygiene in years. This page is the model, the configuration, and the ringing strategy.
Applies toMacOS 14+ fleets
RequiresEscrowed bootstrap token on Apple silicon
EnforcementOn-device and declarative — survives being offline
DeferralRestriction supports up to 90 days
The Model
A DDM software update policy declares: target version (or latest), enforcement deadline, quiet-period behavior — the Mac downloads, nudges the user with escalating OS-native prompts, and at deadline installs and restarts. Enforcement lives on-device (declarative state, not command-chasing), which is why it works on the laptop that's offline every time legacy MDM commands fired.
Step 1DeclareTarget version (or latest) + enforcement deadline
Step 2Download & nudgeEscalating OS-native prompts as the deadline nears
Step 3EnforceAt deadline the Mac installs and restarts
Step 4ReportDDM status channel returns per-device state to Intune
Configuring and Ringing It
Create the update policy under the MacOS update policy surface (DDM-based where the OS supports it): target version or latest, the enforcement deadline, and the quiet-period behavior users will see.
Ring the fleet: a pilot ring at deadline-minus-aggressive, broad rings on a relaxed cadence, and the compliance floor trailing as the backstop that catches whatever the rings miss.
Add the deferral restriction (up to 90 days) so eager users stay off day-one major releases while validation runs.
Mac-Specific Realities
Apple silicon + bootstrap token: MDM-driven updates on modern Macs lean on the escrowed bootstrap token for authorization — ADE-enrolled fleets have it automatically; oddly-enrolled Macs that refuse updates often trace here.
Major-version upgrades (the annual MacOS release) ride the same declarations: pin the fleet on current-major, move rings to the new major on your validation calendar — the deferral window buys the validation time.
The restart is real: a Mac update interrupts a workday if deadlines land carelessly — schedule enforcement windows with the humans in mind: deadlines at end of week, prompts visible days ahead, no surprise lunchtime restarts.
Verifying and Reporting
The DDM status channel reports per-device declaration state back to Intune — actual installed version, pending enforcement, deadline countdown. Fleet-wide, the patch KPI is the triplet: current / lagging / stragglers, with the stragglers list cross-referenced against enrollment oddities before anyone blames the policy. Per-device failures get the update-failure triage.
Insights
Communicate the deadline behavior once, fleet-wide: "your Mac will give you N days of gentle warnings, then it will restart itself" converts the first enforced restart from outrage into a shrug.
Keep one deferral-free canary ring (IT volunteers) on day-one releases — the June-beta-to-September-GA cycle rewards orgs that find their breakages before enforcement does.
Silent enforcement, personal recovery key escrow, and rotation — Mac disk encryption as a non-event.
The disk-encryption doctrine on a managed Mac: encryption enables silently, the recovery key escrows before anyone needs it, and the user experience is one dialog at most. FileVault via Intune delivers all three when configured in the right order.
Console pathEndpoint security > Disk encryption > MacOS (FileVault)
Key escrowPersonal recovery key (PRK) to Intune — non-negotiable
RotationDevice action; rotate after every disclosure
Verifyfdesetup status + PRK visible in the device blade
The Policy
Endpoint security > Disk encryption > MacOS (FileVault):
Enable FileVault: Yes, with escrow the personal recovery key (PRK) to Intune — non-negotiable; an encrypted Mac without an escrowed key is a future data-loss incident.
Defer enablement until sign-out: the polite path — FileVault activates at the user's next logout rather than ambushing the session; pair with a number of times allowed to bypass (small, e.g. 1–3) so deferral can't become forever.
Hide recovery key from user: Yes for corporate fleets — the key lives in escrow and the self-service retrieval path; on-screen keys get photographed onto personal phones.
Disable the ability to turn off FileVault via restriction, closing the loop.
On ADE fleets with await-final-configuration, the profile lands before the desktop and the first sign-out completes the story — most users never consciously experience "encrypting."
Recovery
The PRK surfaces in the device blade (admin retrieval, audited) and via Graph; users get a self-service recovery key view through the Company Portal/Intune portal path — publicize it for the 2 a.m. password-forgotten moment, so the helpdesk isn't the only door back in.
Rotate after every disclosure: Intune supports PRK rotation as a device action — retrieval-then-rotation should be one helpdesk motion, and policy-level rotation hygiene keeps long-lived keys from accumulating.
Compliance Tie-In and Verification
MacOS compliance attests encryption required; Conditional Access enforces it. Enable → escrow → attest → enforce. Verify the chain on the pilot ring: fdesetup status on-device reports FileVault on, the PRK is visible in the device blade, and the compliance report shows the device encrypted — escrow gaps have a dedicated triage page.
Step 1EnableSilently, deferred to the next sign-out
Step 2EscrowThe PRK lands in Intune before anyone needs it
Step 3AttestCompliance reports encryption required: met
Step 4EnforceConditional Access gates on the verdict
Insights
Measure escrow, not encryption: the dangerous population is "encrypted, key not escrowed" — usually Macs encrypted before enrollment (user-enabled FileVault). The fix is key rotation under management (rotation generates a new, escrowed PRK), not re-encryption — a one-action remediation for what looks like a scary gap.
Apple silicon's hardware encryption makes FileVault's performance cost effectively zero — the last legitimate objection retired with Intel.
The headline modern Mac feature — Entra-bound local accounts, Touch ID into everything, and the end of password drift.
Platform SSO (PSSO) is the deepest identity integration MacOS has ever offered third-party IdPs: the local Mac account binds to Entra ID, sign-in satisfies Entra (with SSO flowing into apps and web), and — in its strongest mode — the credential is a hardware-bound key in the Secure Enclave: phishing-resistant, Touch ID-unlocked, the strongest sign-in posture a Mac can offer.
RequiresSupported modern MacOS + Company Portal + enrollment
The Three Authentication Methods (Choose Deliberately)
Method
What signs in
Character
Secure Enclave key
Hardware-bound key + Touch ID/password unlock
The passwordless target state; phishing-resistant; recommended for new design
Password sync
Local password kept in sync with Entra password
The pragmatic middle — ends local/cloud password drift, keeps a familiar model
Smart card
PIV/CAC-style
Regulated/government fleets
The chronic Mac ailment PSSO cures regardless of method: the local password and Entra password drifting apart until FileVault unlocks with one and the portal wants the other — password sync alone is worth the deployment for fleets not ready for full passwordless.
Deployment
Prerequisites: a supported modern MacOS, Company Portal installed (it hosts the SSO extension/broker), and the device enrolled — ADE + standard-user posture is the natural pairing.
The profile: Settings Catalog > the Platform SSO / Extensible Single Sign-On payload — Microsoft's Entra extension identifiers, your chosen authentication method, and registration behavior. Microsoft's Intune docs carry the current canonical values; build from those rather than blog-archaeology, as the payload matured across releases.
User registration: after the profile lands, MacOS prompts the user to register (a one-time, guided moment — a short comms note sent ahead of rollout pays for itself in avoided tickets). Post-registration: Entra sign-in state on the Mac, SSO into Microsoft and SSO-extension-aware apps, Conditional Access seeing a registered, compliant device.
Registration During Setup Assistant New
The deployment above is the classic flow: the Mac enrolls, the user reaches the desktop, and then MacOS surfaces a dismissible "Registration Required" notification the user has to notice, click, and sign through. It works — but ignore the prompt and you have an enrolled-but-unregistered Mac. Microsoft's Platform SSO registration during Automated Device Enrollment, generally available in the Intune May 2026 service release, moves registration into Setup Assistant. The user signs in with Entra ID before the desktop ever appears, the local account is created from that Entra identity, the Secure Enclave key (or synced password) binds inline, and registration becomes a mandatory gate — there is no desktop until it succeeds. Day one, zero-touch, Entra-bound from the first credentials the Mac ever sees.
This is a macOS 26 feature — not Sequoia
Registration during Setup Assistant requires macOS 26 or newer on the device. Earlier releases still do classic post-enrollment PSSO registration, but the Setup-Assistant-integrated flow isn't there before macOS 26. Confirm your OS floor before you promise it — this is the detail most people get wrong.
It is not a new profile type. You enable it inside the same Platform SSO payload, and it only works as a three-policy set assigned to the same user group — a static/assigned group, never a device group and never a dynamic group, or enrollment fails:
The Platform SSO Settings Catalog policy — your existing PSSO policy, plus Enable Registration During Setup = Enabled (EnableRegistrationDuringSetup). If you use the Password method, also set Enable Create First User During Setup = Enabled; leave it off for Secure Enclave. Microsoft recommends the Secure Enclave key (UserSecureEnclaveKey) for this scenario.
Company Portal as a required app — version 5.2604.0 or newer (it ships the Entra SSO extension), assigned Required to the same group. If the Settings Catalog policy lands before Company Portal finishes installing, the user hits an extension error mid-sign-in — they click Try again until it completes.
The ADE enrollment profile — Setup Assistant with modern authentication, Enroll with User Affinity, Await final configuration = Yes, and locked enrollment. The device must be a genuine ADE device (Apple Business / School Manager).
Know the edges before you pilot. Secure Enclave and Password work at Setup Assistant; Smart Card does not — smart-card fleets still register after Setup Assistant. Users currently sign in at least twice during enrollment (once to start it, once in Company Portal to pull the SSO extension); Microsoft has said a later update will trim that. And because registration is a gate, a misconfigured policy set fails the whole enrollment — the recovery is wipe-and-re-enroll, so prove the three policies on a test Mac before you aim it at real hardware.
Insights
Pilot the lifecycle, not the happy path: password change at the IdP, FileVault unlock after, lost-Touch-ID fallback, offboarding — PSSO touches the local account, so the edge cases are account edge cases. A two-week pilot with deliberate password churn finds them all.
PSSO + standard users + FileVault form the Mac endpoint-identity trio — pitch them internally as one posture and the security review happens once. Registration problems have a dedicated triage page.
Pre-granting TCC permissions so your agents work on day one — the profile every Mac security tool depends on.
MacOS's privacy framework (TCC) makes apps ask the user for sensitive access — Full Disk Access, accessibility, and friends. Admirable for consumers; fatal for fleet agents, because a security tool waiting on a user click is a security tool that's off. PPPC profiles are management's answer: pre-grant (or deny) those permissions by policy, on supervised/managed Macs, so Defender, backup agents, and EDR sensors work at deployment, not after a help-desk campaign.
Applies toSupervised/managed Macs
TargetingBundle ID + code-signing requirement, per app
Console pathSettings Catalog (PPPC payload) or custom profile
Hard limitScreen capture stays a user click — policy only lowers the bar
How a Grant Is Targeted
A PPPC entry identifies the app by bundle identifier + code-signing requirement — the pair that prevents impostor binaries inheriting grants:
Bundle ID: com.microsoft.wdav-style, from the vendor's docs or osascript/inspection.
Code requirement: from the signed binary itself — codesign -dr - /Applications/App.app prints it; vendors of management-aware software publish theirs (always prefer the published one).
Then per-service: Allow (Full Disk Access — the big one for security/backup tooling), Deny, or for a few services Apple deliberately fences (screen capture, input monitoring in part), the strongest grantable posture is "standard user can approve" — policy can lower the bar to a user click but not remove the click; design your comms for those.
Building Profiles
The Settings Catalog carries the PPPC payload; for complex multi-service grants the community-standard PPPC Utility (tools page) builds the profile from the actual app bundle — point it at the installed app, tick services, export, upload as a custom profile. Vendors with mature Mac support (Microsoft included) publish ready-made PPPC profiles — deploy theirs verbatim and version-watch them.
Step 1IdentifyBundle ID + code requirement (codesign -dr -)
Step 2BuildVendor's published profile, or PPPC Utility against the real bundle
Step 3DeploySettings Catalog payload or custom profile upload
Step 4SequenceLand with — ideally before — the app, in the await-config wave
Operating Discipline
Sequence PPPC with (ideally before) the app — an agent installing ahead of its grants spends its first hours degraded; bundle them in the same await-configuration wave.
Audit the grant estate like firewall rules: every Full Disk Access entry is real power; review owners and necessity on a recurring cadence alongside the rest of your endpoint security posture.
App updates that change signing identity (rare, but vendor acquisitions do it) silently orphan grants — a working agent that breaks after a version bump should send you straight to its code requirement.
Insights
PPPC failures present as app failures ("Defender shows limited protection"), not policy failures — make "check PPPC grants" the first move in any Mac-agent triage, via System Settings > Privacy & Security on a reference device against your profile.
PPPC pairs with system extensions and login items as the three-profile enablement kit nearly every Mac agent ships with — treat them as a set.
Approving the kernel-adjacent bits and locking the off switch — the other two-thirds of the Mac agent-enablement kit.
PPPC grants an agent its permissions; this page grants its existence: system extensions approval so security tooling loads without user clicks, and managed login items so users can't quietly switch the agent off afterward. Together the three profiles form the enablement kit nearly every Mac agent ships with.
System Extensions
Modern MacOS replaced kernel extensions with system extensions — network extensions (content filters, the Defender network protection), endpoint security extensions (EDR sensors), and driver extensions. Unmanaged, each one triggers a user-approval dance in System Settings; managed, the System Extensions payload (Settings Catalog) pre-approves them:
Allow by team identifier — the practical unit: approve the vendor's Apple Developer Team ID and every extension they sign is covered (Microsoft's, famously, is UBF8T346G9; take each vendor's from their deployment doc).
Or by specific bundle identifier for tighter scoping.
Removable system extensions settings control whether users can deactivate them — leave that power with management.
Non-removable from UI: pair with the login-items lock below so the whole stack is tamper-resistant.
Deploy this with or before the agent — an EDR sensor whose extension sat unapproved for a week protected nothing, while reporting "installed."
Managed Login Items (Service Management)
MacOS 13 gave users a kill switch — System Settings > General > Login Items lists every background agent with a toggle — and gave admins the counter: the Service Management / managed login items payload, which pins specified items on and greys the toggle. Identify items by team identifier (broad, vendor-wide) or bundle/label (surgical). Every security agent, backup daemon, and management component you deploy belongs in it; an agent users can disable is a recommendation, not a control.
The Three-Profile Kit, Assembled
For any serious Mac agent: PPPC (permissions) + System Extensions (loading) + Managed Login Items (persistence) — built once per vendor, versioned in the repo, assigned in the same await-configuration wave as the app itself. Mature vendors publish all three ready-made; deploy theirs and diff on updates.
PPPCPermissionsTCC grants pre-approved by policy
System ExtensionsLoadingThe extension activates without user clicks
Login ItemsPersistenceThe kill-switch toggle pinned on and greyed out
Insights
Triage order for "agent installed but degraded": PPPC grants → extension approval state (systemextensionsctl list on a reference Mac) → login-item state. Ninety percent of Mac-agent tickets die in that sequence — full workflow in diagnostics.
A vendor changing Team IDs (acquisitions do this) silently orphans all three profiles at once — the same code-requirement vigilance applies kit-wide.
802.1X in system versus user context, network extensions, and the Mac-specific seams in enterprise networking.
Mac Wi-Fi and VPN payloads speak the standard enterprise vocabulary — SSIDs, security types, certificate payloads — with one seam that defines the platform: MacOS distinguishes system and user context, and enterprise Wi-Fi designs live or die on that distinction.
802.1X: the System-vs-User Decision
A certificate-authenticated Wi-Fi profile must answer who authenticates:
System mode — the device joins the network with a device identity, before any user signs in. This is what corporate Macs want: the login window itself is online (critical for Platform SSO registration, first-sign-in flows on shared-style Macs, and management traffic with nobody logged in). The profile deploys device-scoped with a device certificate.
User mode — authentication follows the signed-in user's identity; appropriate where network access genuinely tracks people, with the cost that pre-login connectivity doesn't exist.
Mixed estates (system for the corporate SSID, user for specialized networks) are normal — just declared, because the RADIUS team's policy must match the mode or authentication fails in ways that read as certificate mysteries.
the Mac must be online at the login windowSystem modeThe device joins with a device identity before any user signs in — the corporate default.
The certificate dependency chain is the universal sequencing rule: trust + identity profiles land before the Wi-Fi or VPN payload that references them.
VPN: the Extension Era
Modern Mac VPN clients are network extensions — which makes VPN deployment a composite of the agent-enablement kit: the client app via the app pipeline, the system extension approval profile so it activates silently, the VPN payload or vendor-keyed managed preferences carrying configuration, and notification settings so its prompts surface. Per-app VPN exists on MacOS for the associated-domains pattern, but Mac reality leans full-tunnel or split-tunnel clients from the VPN vendor's own stack.
The strategic note: every VPN dependency is modernization debt with an IP range; per-app access and ZTNA patterns are the bridge out.
Insights
Validate Wi-Fi profiles on the login window, not just the desktop: the system-mode test is "freshly rebooted Mac, nobody signed in, does it hold the corporate SSID" — passing that proves the design; passing only after login proves you built user mode by accident.
Captive-portal and 802.1X-gated networks are the enrollment-day failure mode — keep one open provisioning SSID or wired path for first-boot flows; it's a cheap hedge that saves enrollment day.
SCEP and PKCS for MacOS — keychain placement, identity preferences, and the renewal rhythms that keep 802.1X quiet.
The MacOS certificate stack is the familiar enterprise trio — trusted-root profiles, SCEP for per-device identities, PKCS where the certificate-connector model fits — with Mac-specific seams around the keychain and context.
The Mac-Specific Seams
Keychain placement: device-scoped certificate payloads land in the System keychain — available pre-login, which is exactly what system-mode 802.1X and always-on agents require. User-scoped deployments land in the user's login keychain and inherit user-context limits. The placement decision is the context decision; mismatches surface as "works after login, fails at the login window."
Access control: a certificate in the keychain isn't automatically usable by every process — payload-delivered identities carry sensible ACLs, but vendor agents occasionally need their access declared, and "the cert is there but the client can't use it" is a keychain-ACL conversation, not a PKI one.
Profile-managed lifecycle: identities delivered by profile renew and remove with the profile — the clean property that makes enrollment-linked PKI hygienic. Resist script-imported certificates for anything load-bearing; they rot outside the management lifecycle.
The Renewal Rhythm
SCEP renewal is automatic within its window — the fleet discipline is watching the tail: the certificate report's expiry distribution should show a healthy renewal wave, and a cluster approaching expiry without renewal marks devices not checking in (the certificate is the canary; the sync health is the disease). Root/intermediate rotations are a multi-quarter project: new chain deployed alongside, services dual-trust, issuance cut over, old chain retired — sequenced, boring, correct.
Step 1Deploy the new chainAlongside the old — nothing cuts over yet
Step 2Dual-trust servicesServices trust both chains during the bridge
Step 3Cut issuance overNew identities come from the new chain
Step 4Retire the old chainSequenced, boring, correct
Verification Kit
Keychain Access (or security find-identity in a diagnostic script) answers presence and placement per device; the MDM-side certificate reports answer fleet coverage; an 802.1X join on a freshly-imaged ring-1 Mac answers the only question that matters end-to-end.
Insights
Build the dependency graph once per estate: which Wi-Fi/VPN/app profiles reference which certificate profiles, which CA issues each. Five minutes of documentation, and certificate incidents become lookups instead of investigations.
Microsoft Cloud PKI reaches MacOS too — estates running AD CS solely to feed Mac SCEP should price the retirement.
The high-value restriction set for MacOS — what to lock, what to leave, and the knowledge-worker/kiosk split.
The Settings Catalog exposes hundreds of MacOS restrictions; this cookbook is the curated set, governed by one rule: every line justified, deviations as named variants.
The Corporate Knowledge-Worker Set
Data boundaries:
iCloud service controls per your data-governance decision — the highest-stakes restriction family on the platform, deserving its own page and review
AirDrop: per data classification (managed-device-only postures exist; full blocks fight Mac culture — decide with eyes open)
Content Caching, Handoff, and continuity features: usually left alone for knowledge workers; restricted on regulated fleets
Security posture (with the honest note that several of these attest via compliance rather than lock):
Gatekeeper settings locked to identified-developers-or-stricter; user override governed deliberately
Password/screen-lock policy via the passcode payload; Touch ID allowed
Software-update deferral handled by the update policy, not scattered restriction toggles — one home per setting
Game Center, in-app purchase surfaces off on corporate fleets
Diagnostics/analytics submissions set deliberately
What Not to Restrict
Leave the personalization layer alone: wallpaper, Dock contents beyond seeding, Finder preferences, and the rest of the look-and-feel stay user-owned on knowledge-worker Macs. Restriction budgets are real — spend them on data boundaries and security posture, not aesthetics; a Mac that feels like a rental gets treated like one.
Do
Spend the restriction budget on data boundaries and security posture
Document intent → setting pairs — one intent justifies four toggles at once
Run an annual pass against each release's additions and deprecations
Don't
Lock wallpaper, Dock, or Finder look-and-feel on knowledge-worker Macs
Scatter update deferrals across restriction toggles — one home per setting
Ship the kiosk posture to knowledge workers — it's a separate named variant
The Kiosk/Fixed-Function Variant
Single-purpose Macs (signage, check‑in stations, lab controllers) flip the doctrine: aggressive restriction sets, managed login windows, app surfaces pinned — a fixed-function posture expressed in Mac payloads, as a separate named profile set targeting a separate device dimension.
Insights
The catalog grows every MacOS release — an annual pass against the new release's additions (and deprecations) keeps the baseline current; the ring-1 population is where new restriction behavior gets discovered before it surprises the fleet.
Document the cookbook as intent → setting pairs, not setting dumps — "block corporate data egress via consumer cloud" justifies four toggles at once and survives the OS renaming any of them.
The pre-desktop surface — auth banners, login window behavior, and the FileVault unlock sequence users actually experience.
The login window is the Mac's pre-desktop policy surface — small, visible, and disproportionately present in audits (the consent banner) and helpdesk calls (the FileVault unlock confusion). Worth an hour of deliberate design.
The Policy Banner
The auth/consent banner — legal text presented before sign-in — is a compliance staple in regulated and government-adjacent estates. MacOS displays banner content placed correctly on the device; under management that's a small deployment task or profile-adjacent configuration carrying your legal team's text. Two operational notes: the text is legal's artifact, IT's deployment (version it, date it, and redeploy on revision — an outdated consent banner is worse in audit than none), and keep it short — the banner gates every sign-in, and seven paragraphs of legalese trains users to click through everything you ever present.
Login Window Behavior
The login-window payload family shapes the surface:
Name-and-password fields vs user list: corporate fleets generally prefer fields (no account enumeration on shared-visibility hardware); the account-strategy page's hidden managed admin stays hidden either way
Visibility controls: hide the admin account, suppress shutdown/restart buttons on kiosk-class Macs, show a custom login-window message — the asset-tag play ("Property of, if found call…") earns its place here
Auto-login: off, attested — the one login-window setting with real security weight, and a compliance-adjacent check worth scripting
The FileVault Unlock Reality
On FileVault-encrypted Macs, the first screen after power-on is the pre-boot unlock — which looks like the login window but runs before MacOS proper. The sequence (pre-boot unlock → possible second login) confuses exactly once per user; one onboarding line ("the first password unlocks the disk, then you may sign in") plus Platform SSO's password alignment keeping credentials identical makes the double-prompt invisible in practice.
Step 1Power-onEncrypted disk, nothing booted yet
Step 2Pre-boot unlockLooks like the login window; runs before MacOS proper
Step 3Login windowThe possible second prompt — invisible when credentials align
Step 4DesktopSigned in
Insights
The login window is also your incident-response surface: recovery-lock posture, the managed admin's reachability, and remote-lock messaging all converge here — rehearse what a locked, lost, and recovered Mac each look like at this screen and the runbook writes itself.
Seeding the Mac shell — Dock layout, Finder defaults, and the restraint doctrine that keeps users on your side.
The Dock is the first thing a user sees and the first surface IT is tempted to control, and it deserves a deliberate answer to the oldest shell question in endpoint management: how much of the user's workspace should IT shape? The tooling exists; the doctrine — seed, don't cage — matters more.
Dock Management
The Dock payload (Settings Catalog or a custom profile carrying the managed preference domain) defines contents — your pinned set (Company Portal, the browser, the collaboration stack, the LOB suite) in deliberate order — plus position/behavior settings and, critically, the merge-vs-lock decision:
Seeded (managed items present, user additions allowed): the knowledge-worker default — a useful day-one Dock that becomes theirs by Friday
Locked (contents immutable): kiosk and fixed-function Macs where the Dock is the workflow surface — lay it out with the deliberateness of a fixed-purpose launcher, because for those users it is the entire menu
Step-by-Step: Deploying a Managed Dock
Decide the pinned set and its order first. Five to eight items, business tools only, arranged in the order of the working day — this is fleet design, and it deserves ten minutes of argument before anyone opens the console.
Build the payload. Settings Catalog where the keys are surfaced; a custom profile carrying the Dock's preference domain for anything beyond it.
Make the merge-vs-lock decision explicitly. Seeded for knowledge workers, locked for fixed-function Macs — and write the choice down, because it is doctrine, not a checkbox.
Validate on a bench Mac. Confirm the managed items land in the intended order, and confirm that what users can still change matches your intent.
Assign so it lands during enrollment. Dock payloads land best during enrollment — re-shaping a tenured user's Dock mid-life is the redecorating-my-office move; ring it and announce it if you must.
Do
Pin five to eight business tools, ordered like the working day
Land the Dock payload during enrollment
Validate on a bench Mac that what users can still change matches intent
Don't
Lock knowledge-worker Docks — locked is for fixed-function Macs
Re-shape a tenured user's Dock mid-life without ringing and announcing it
Cage the workspace — seed it and let it become theirs by Friday
Finder and the Desktop Defaults
Finder management is mostly managed preference domains (the defaults system delivered by profile): new-window targets, extension visibility (show them — security hygiene disguised as a preference: invoice.pdf.app should look wrong), warning behaviors, and desktop iconography. Pair with the de-consumering set from the restrictions cookbook and the first-run experience reads intentional.
The deeper pattern this page introduces: any preference domain is manageable — the same mechanism that sets Finder defaults carries browser policy, Office behavior, and vendor-app settings; Dock and Finder are simply the first domains most admins learn.
Insights
Treat the pinned set as fleet identity: "the same five tools in the same five slots" on every managed Mac is cheap, classy design — users moving between machines feel the coherence, and helpdesk staff walking someone through a screen always know where things are.
The Finder extension-visibility setting plus Gatekeeper plus notification hygiene form a quiet anti-phishing trio on the endpoint — none of them headline a security review, all of them shrink the deception surface.
Queue deployment via profile and script, the driver story, and where Universal Print meets MacOS.
Mac printing under management is a small domain with outsized ticket volume — and a split personality: profiles carry simple queues cleanly, scripts carry everything else, and the print-server retirement question looms over both.
the hardware speaks driverless AirPrint/IPP EverywherePrinting payloadProfile-delivered queues — no driver packaging, one profile per site.
the queue needs exotic options or a vendor driverScript lanelpadmin via shell script, with the driver as a PKG the queue references.
The Two Deployment Lanes
The printing payload (profile-delivered queues): name, address/protocol (IPP being the modern default), location, and basic options — clean for the standard case of network printers speaking driverless AirPrint/IPP Everywhere, which modern office hardware overwhelmingly does. Driverless is the strategy: no driver packaging, no architecture splits, no vendor-installer archaeology.
The script lane (lpadmin via shell scripts): the escape hatch for everything the payload can't express — exotic options, conditional queues by site, and the legacy hardware that genuinely needs a vendor driver (which then becomes a PKG deployment the script's queue references). The script lane is also where removal lives: decommissioned printers linger forever unless something sweeps them, and a queue-hygiene script on a recurring schedule is the systemic fix.
Step-by-Step: Deploying a Site's Queues
Inventory the site's printers first. Per queue: name, address, protocol, location string, and — the fork in the road — whether the hardware speaks driverless AirPrint/IPP Everywhere.
Build the printing payload for the driverless set. One profile per site keeps assignments legible and retirements surgical.
Route the exceptions through the script lane. An lpadmin script per legacy queue, with its vendor driver packaged and deployed as the PKG the script's queue references.
Assign by site dimension (dynamic groups/filters) — the universal pattern: the Indianapolis Macs get the Indianapolis queues, and a device changing sites changes printers at next check‑in.
Verify on a bench Mac per site. The queue appears, a test page prints, and the queue is still present after a reboot — then, and only then, broaden the assignment.
The Universal Print Angle
Universal Print reaches MacOS via its Mac application — relevant for estates consolidating print onto one cloud fabric and retiring their print servers. Evaluate it as the estate decision it is: a Mac-only shop gains little over driverless IPP; an estate mid-migration to Universal Print gains coherence.
Insights
The Mac print triage ladder is short and worth memorizing: queue present? (profile/script landed) → printer reachable on this network? (VPN and VLAN realities) → driverless or driver? (and if driver, is it installed and current) — three questions route nearly every ticket, and the first two are generic delivery diagnostics, not print problems.
Print is where shared-space Macs earn complaints — for labs and hot-desk floors, deploy by location generously (every nearby queue) rather than per-desk precision; users forgive an extra printer in the list and never forgive a missing one.
The corporate-data-versus-consumer-cloud decision — service-by-service iCloud policy, Managed Apple Accounts, and the honest trade-offs.
No Mac restriction family carries more weight than the iCloud set: it decides whether corporate data can flow into consumer cloud storage — and unlike most restrictions, every option has real costs. This page is the decision framework, not just the toggle list.
The Toggle Anatomy
The restrictions surface controls iCloud service by service — sign-in itself, then Drive (with the Desktop & Documents sync as its own high-stakes line), Photos, Keychain sync, Mail/Contacts/Calendars, backup-adjacent services, and Private Relay. The three coherent postures:
Posture
Configuration
Trade
Open
Personal Apple Accounts allowed, services largely on
Maximum user goodwill; corporate files will live in personal iCloud Drive — defensible only where data classification genuinely tolerates it
Boundaried (the common corporate landing)
Sign-in allowed; Drive/Desktop-sync and Keychain sync off, Photos per appetite
Users keep the Apple-ecosystem conveniences; the corporate-document and credential egress paths close. Pair it with OneDrive carrying the sync-and-backup story so users lose a path, not a capability
Closed
Apple Account sign-in blocked
Clean data story; real UX cost (no personal Messages/FaceTime/Find My) — regulated-fleet territory, stated plainly in onboarding
Keychain sync deserves its own sentence: corporate credentials replicating to personal devices via iCloud Keychain is the quiet leak in otherwise-boundaried estates — turn it off early and let the sanctioned password manager be the answer.
Do
Decide this family before enrollment waves, not after
Turn Keychain sync off early — the sanctioned password manager is the answer
Pair Boundaried with OneDrive so users lose a path, not a capability
Attest the load-bearing toggles in the drift-detection rhythm
Don't
Retroactively close iCloud Drive on a fleet that's synced Desktop & Documents for a year — that's a data-migration incident
Let corporate credentials ride iCloud Keychain onto personal devices
Sell the Closed posture as cost-free — state the UX loss plainly in onboarding
Managed Apple Accounts
ABM-issued Managed Apple Accounts — org-owned identities, federable to Entra — are the corporate Apple identity: appropriate for Apple-service workflows under org control, and structurally separate from the personal-account question above. Most knowledge-worker Mac estates today run corporate identity = Entra (via Platform SSO), Apple Account = personal-but-boundaried — a sentence worth writing into the design doc because every auditor asks.
Insights
Decide this family before enrollment waves, not after: retroactively closing iCloud Drive on a fleet that's been syncing Desktop & Documents for a year is a data-migration incident with a policy name. The migration playbook's artifact audit should surface the inherited posture explicitly.
Whatever the posture, attest the load-bearing lines — the toggles that close data paths belong in the drift-detection rhythm, because this is the restriction family someone will eventually ask you to prove.
Pre-approving notification behavior — why your agents' prompts deserve policy, and the alert-style decisions per app.
MacOS asks users to approve each app's notifications — fine for consumer life, corrosive for fleet operations: a security agent whose alerts a user declined in week one is a sensor with its mouth taped shut. The notifications payload settles the question by policy, and it's the most-forgotten member of the agent-enablement kit.
What the Payload Decides
Per bundle identifier, the payload sets the notification posture: notifications allowed, alert style (banner — transient; alert — persists until acted on), lock-screen and Notification Center visibility, sounds, and badge behavior. The user-facing effect: the app simply has its notification rights from first launch — no prompt, no decline, no gap.
the prompt is actionable — compliance nudge, remediation, update deadlineAlert stylePersists until acted on; a banner that auto-dismisses was waved at, not communicated.
it's routine collaboration trafficBanner styleTransient and seeded only — how users tune their own message noise is their business.
Security and management agents (EDR, Company Portal, VPN clients): allowed, alert style for anything actionable — a compliance nudge or remediation prompt that auto-dismisses as a banner wasn't communicated, it was waved at
The collaboration stack (Teams/Slack/Outlook): allowed with standard banner behavior — seeded so day-one messages arrive, not locked beyond that; per the restraint doctrine, how a user tunes their own message noise is their business
Update and self-service prompts: allowed and styled to be seen — the enforcement story leans on users noticing deadlines; the payload is where you guarantee the noticing is possible
Step-by-Step: Shipping the Payload
Inventory the bundle identifiers that need a decided posture. The security and management agents first, then the collaboration stack, then the update and self-service prompts — the matrix above is the worksheet.
Decide each app's line deliberately. Allowed or not, alert vs banner, lock-screen and Notification Center visibility, sounds, badges — and record the why next to each entry, because the matrix outlives its author.
Build the payload entries per bundle ID and deploy them in the enrollment-time kit alongside PPPC, extension approvals, and login items — the four payloads that together mean "our stack activates silently and can speak."
Wire it into the new-agent checklist. Adding an agent later means adding its bundle ID here in the same change; the new-agent checklist should make that automatic.
Verification
Notification Center settings on a test device show each app's effective posture in ten seconds — confirm the agents arrived allowed and styled as decided, and trigger a real prompt (a compliance nudge, a test alert) to prove it surfaces. When the device-side view disagrees with what you shipped, the ManagedClient logs confirm what was actually delivered.
Insights
Diagnose "the agent never told the user" tickets here first: a missing payload entry explains a month of silently-failed compliance nudges, and the ten-second device-side check beats an hour of agent-log archaeology.
Don't blanket-allow everything: the payload's value is deliberateness — an app not on the matrix prompting the user normally is the system working; the matrix exists for the apps whose silence or noise is an operational decision.
Edge, Chrome, and Safari under management — preference domains, the extension regime, and one policy intent expressed three ways.
Browser policy on MacOS pursues a familiar set of intents — identity, security floor, extension regime, light branding — expressed through managed preference domains (the defaults-by-profile mechanism) plus Safari's payload surface.
Edge and Chrome: Preference Domains
Both browsers honor their full enterprise policy schemas on MacOS, delivered as managed preferences (Settings Catalog where surfaced, custom profiles carrying the vendor's domain otherwise — the schema documentation is the vendor's, the delivery is yours):
Identity: profile sign-in behavior, sync governance — decide which identities may sign in and what sync may carry, and apply the decision uniformly, because users notice incoherence between their tools
The extension regime: block-by-default, allow-list, force-install the corporate set — one doctrine, one review process, repo-versioned lists
Update channel: pinned to stable; the browser's updater is a self-updating-app citizen with its own page-worth of doctrine
Step-by-Step: Shipping a Browser Policy
Write the policy intent down first — identity, security floor, extension regime, update channel — and treat that document as the source of truth the profiles merely express.
Source the vendor's current policy schema and map each intent line to its keys; never guess key names — preference domains are case-sensitive contracts (the managed-preferences discipline).
Build the profile: Settings Catalog where the keys are surfaced, a custom profile carrying the vendor's domain otherwise.
Deploy to a test group and verify inside the browser. Both major browsers expose an internal policy page listing every policy in force and its source — the fastest proof that your managed values arrived and are being honored.
Broaden the assignment and version the profile in the repo with the schema-doc link that justified each key.
Safari: the Payload Citizen
Safari manages through Apple's payload surfaces rather than a vendor schema — narrower but real: the high-value lines (download behavior, the security-adjacent toggles, extension governance through its own model) live in the restrictions/Settings Catalog space. Estates that sanction Safari manage it deliberately; estates that don't should still set its floor, because it's present on every Mac regardless of the default-browser decision.
The Default-Browser Question
One sanctioned work browser per fleet — and on Mac the default-browser setting is famously user-adjacent: seed it via script/tooling during enrollment, accept that users can change it, and let Conditional Access and identity routing make the sanctioned browser the path of least resistance rather than fighting the OS for the checkbox.
Do
Write the policy intent down first — profiles merely express it
Verify inside the browser: the internal policy page lists every policy in force
Re-validate preference domains against vendor docs annually
Don't
Guess key names — preference domains are case-sensitive contracts
Fight the OS for the default-browser checkbox — seed it and route identity instead
Leave Safari without a floor just because it isn't the sanctioned browser
Insights
Keep the policy intent as one document and derive every browser's profile from it — configurations that diff to near-zero at the intent level are what auditors reward, and the single source of truth is what your future self rewards.
The Mac-specific trap is domain drift: vendor preference schemas evolve, and a three-year-old custom profile can carry keys the current browser ignores — the annual restriction pass should include re-validating the browser domains against current vendor docs.
The built-in CDN in your closet — caching Apple downloads on-LAN, and when one Mac saves a site's bandwidth.
Every Apple download — OS updates, App Store/VPP installs, iCloud assets — can be served from a Mac on your LAN instead of the internet, via the content caching service built into MacOS. On multi-device sites it's the cheapest bandwidth win available: one always-on Mac, one payload, done.
How It Works
A Mac with content caching enabled registers itself with Apple's infrastructure; client devices on the same network discover it automatically — no client configuration, no profiles on the consumers — and fetch Apple content from it at LAN speed, with the cache populating once from the internet. Any Apple hardware on that LAN fetching Apple content benefits with zero device-side setup, which makes a closet Mac mini the silent hero of provisioning days and OS-release weeks.
Apple CDNorigin — fills the cache once
→
Cache host Macalways-on, registered with Apple
→
Fleet devicesdiscover it automatically, zero setup
The Management Surface
The content-caching payload/settings family configures the cache host by policy: enablement, cache size limits and content types (shared Apple content vs iCloud data — corporate caches typically enable the former, decide the latter per data posture), and the topology options for multi-subnet sites (parent/child cache relationships, served-network ranges) where one closet Mac should answer for the whole building.
Step-by-Step: Standing Up a Cache Host
Pick the hardware for availability, not horsepower. A wired, always-on, never-sleeping Mac with disk headroom — the service is undemanding; the availability is the requirement.
Deploy the content-caching payload to that host: enablement, a deliberate cache size limit, and the content-type decision (shared Apple content on; iCloud data per your data posture).
Configure topology where the site needs it. Multi-subnet buildings want served-network ranges — and parent/child cache relationships on campus-scale sites — so one host answers for everyone.
Sequence it before the big events. Stand the cache up the week before an OS-release wave or a mass-provisioning day; discovering the need mid-saturation is the common order, and the wrong one.
Verification
The cache host reports its own economics — AssetCacheManagerUtil status and the served-bytes metrics make the win measurable: bytes-from-cache vs bytes-from-origin per month is the chart that justifies the mini. Fleet-side, the proof is felt, not configured: update waves that used to saturate the circuit, not saturating it.
Insights
Bring the network team a one-pager — cache host location, served ranges, and the first month's served-bytes chart. Bandwidth wins this cheap are rare, and the chart makes the case for a cache host at every constrained site without a single meeting.
The defaults system under management — domains, levels, cfprefsd realities, and testing plist payloads properly.
Dock and Finder introduced the trick; this page is the full mechanism — because any preference domain is manageable, and the admin who understands the defaults system stops being limited by what the Settings Catalog has surfaced.
The Mechanism
MacOS preferences live in domains (reverse-DNS plist namespaces — the browser's domain, Office's, the vendor agent's), read through the preferences daemon with a defined precedence: managed (MDM-delivered) values win over user-set values, by design. A custom profile carrying a domain's keys makes those keys managed — the app reads your value, Settings shows it locked where the app honors the convention. This is the entire browser-management and self-updater-suppression machinery, generalized.
The Craft
Source the keys from authority: vendor admin documentation first, then empirical capture — set the preference in the GUI on a bench Mac, read the domain's plist, and lift the key/value shape. Never guess key names; domains are case-sensitive contracts.
Force-by-policy vs set-once: profile-managed keys enforce continuously; some intents ("seed a default, let users change it") want a script-set preference instead — the seed-don't-cage doctrine expressed in mechanism choice.
Know the daemon: preferences are cached by the preference daemon — the classic bench confusion is editing a plist file directly and seeing nothing change; read/write through the defaults tool and test app behavior after a relaunch, which is what actually re-reads managed state.
Mind the channel: device vs user delivery decides which preference level your keys land at — the system-vs-user context lesson again.
Do
Source keys from vendor admin docs, then empirical capture on a bench Mac
Read and write through the defaults tool, then relaunch the app
Verify twice — the value arrived and the app honors it
Don't
Guess key names — domains are case-sensitive contracts
Edit plist files directly and expect live change — the daemon caches
Ship a new domain payload straight to the fleet
The Testing Discipline
Run every new domain payload through the same gauntlet:
Stage it on a bench Mac first — set the intended preference in the GUI, read the domain's plist, and confirm your payload's key/value shapes match what the app actually writes.
Deploy to a test group, never straight to the fleet.
Verify twice: defaults read proves the managed value arrived, and observed app behavior proves the app honors it (apps may ignore keys they didn't document — managed ≠ honored).
Version the profile in the repo with the vendor-doc link that justified each key.
This page is a watershed for most Mac admins: once you've watched a managed domain override a user preference live on a bench Mac, vendor-app policy stops being "whatever the Settings Catalog offers" and becomes "whatever the vendor's process reads" — a permanently larger toolbox.
Bridging Macs to Active Directory resources — without binding — for the estates whose file shares aren't done yet.
Platform SSO handles the cloud identity story; plenty of estates still have an on-prem tail — AD-gated file shares, intranet apps, print queues — and the Kerberos SSO extension is Apple's purpose-built bridge: AD tickets without AD binding.
Applies toEstates with an AD-gated on-prem tail
RequiresRealm reachability — on-prem network or VPN
PayloadKerberos SSO extension, targeting your AD realm
One ruleExactly one authority syncs the local password
What It Does
A configuration profile (the extension payload, targeting your AD realm) activates the built-in Kerberos single sign-on extension: the Mac acquires and renews Kerberos tickets for the realm when on-network/VPN, handles AD password expiry awareness and change flows, and can keep the local account password synced to AD where that legacy contract still matters. The user signs in once; the SMB shares and Kerberos-protected web apps stop prompting. The architectural point worth saying in reviews: this is the supported replacement for the bind-the-Mac-to-AD reflex — mobile-account binding is the legacy pattern; the extension delivers the resource access without the directory coupling.
Prerequisites
Realm reachability: tickets need domain-controller reachability — VPN or on-prem presence. The dependency is inherent, and the extension's value is precisely that it handles the acquire/renew rhythm gracefully across that intermittency.
One password-sync authority, decided up front: whether the extension syncs the local password is a design decision made against your Platform SSO design, because two password-sync authorities is the conflict pattern in identity form.
Step-by-Step: Deploying the Extension
Build the extension payload targeting your AD realm: realm and domain mappings, sync behaviors (password sync on or off, per the decision above), credential-UI behaviors, and the per-app/site scoping where needed.
Assign to a test group that can reach the realm and sign in once — tickets are acquired for the realm, and the SMB shares and Kerberos-protected web apps stop prompting.
Test the intermittency rhythm. Leave the network, return (or reconnect VPN), and confirm ticket renewal resumes without user ceremony — that grace is the feature you deployed.
Broaden, then date the retirement milestone. The extension is bridge infrastructure — each share moved to cloud storage and each intranet app modernized shrinks its realm, and the payload's retirement is a milestone worth dating.
Coexisting with Platform SSO
Platform SSO owns the Entra relationship; Kerberos SSO owns the AD realm relationship — they coexist on one Mac serving the hybrid reality, with one rule: exactly one authority syncs the local password.
Verification and Triage
The extension's status (tickets held, realm reachability) is inspectable device-side via the SSO diagnostic surfaces (the Platform SSO triage kit's sibling commands) — "the share prompts again" triages in two minutes as ticket-expiry vs reachability vs password-drift, in that order of likelihood.
Remote Help, screen-sharing permissions, and the consent architecture under every Mac support session.
Remote support on MacOS is a permissions problem before it's a tooling problem: screen recording and control are PPPC-governed, user-consent-anchored capabilities — and a support tool deployed without its enablement kit is a black rectangle at the worst possible moment.
Native optionRemote Help — an Intune Suite capability
Pre-grantableAccessibility and the standard PPPC list
Always user consentScreen Recording — by Apple's design
KitApp + PPPC + notifications + login item
The Tooling Landscape
Microsoft Remote Help (an Intune Suite capability) covers MacOS: identity-integrated, RBAC-scoped sessions with compliance-state visibility — the native pick for Intune estates that want support sessions living inside the same audited, role-scoped console as the rest of their management (session flows are web-based on MacOS; verify current capability scope per release, as the feature set is actively expanding).
Vendor remote tools (the established remote-support suites) remain common — same deployment shape regardless of logo.
Built-in screen sharing covers the technician-to-known-Mac case on managed networks — useful, narrow, not a helpdesk system.
The Enablement Kit (the Part That Actually Fails)
Whatever the tool, it's an agent-kit citizen, and the kit assembles in a known order:
Deploy the app via the pipeline, like any other managed app.
Pre-approve what policy can pre-approve with PPPC — Accessibility and the standard list per the vendor's documented payload — with the platform fact stated plainly: Screen Recording and remote-control-class permissions require user consent on modern MacOS; the capture consent itself is the user's click, by Apple's design.
So the workflow is the design: the user-facing "approve the screen-share prompt" moment scripted into the helpdesk opening ("you'll see a permission dialog — that's us; click Allow"), tested on a bench Mac per OS release, because consent UX moves.
Insights
The consent architecture is a feature in the security review, not a limitation: no silent screen capture is possible on this fleet, including by us is a sentence auditors and privacy officers both like — Apple made it true; you get to take credit for deploying inside it.
Session audit posture differentiates tools more than features do: who connected to what, when, recorded where — the RBAC-and-evidence lens applied to the one tool that literally watches screens.
Time Machine policy, the sync-first strategy, and a real answer to "are the Macs backed up?
"Are the Macs backed up?" deserves a designed answer, because the default one — "users have Time Machine if they set it up" — is a data-loss incident on a delay timer. The strategy has two coherent shapes; pick one on purpose.
the Mac holds nothing irreplaceable — knowledge-worker fleetsSync-firstOneDrive folder protection + the EACS rebuild model; "backup" becomes sync-coverage verification.
the population holds heavy local state — developer and creative fleetsImage-class backupTime Machine governed by payload, or an endpoint-backup agent — named populations, restore rehearsed.
Shape 1 — Sync-First (the Cloud-Native Answer)
The premise: the Mac holds nothing irreplaceable — OneDrive carrying Desktop/Documents (its Mac client supports the folder protection), corporate content living in synced services, and the EACS-and-rebuild recovery model replacing restore-from-backup entirely. Under this shape, "backup" is sync coverage verification: a custom attribute attesting folder-protection state fleet-wide, plus the iCloud-boundary decision ensuring corporate data syncs to corporate services. This is the right default for knowledge-worker fleets, and its KPI — sync coverage % — belongs next to encryption on the dashboard.
Shape 2 — Image-Class Backup (the Exception Tier)
Some populations genuinely hold local state worth versioned backup — developer Macs with heavy local environments, creative fleets with project archives mid-flight. The tools: Time Machine governed by payload (the Time Machine management keys: destination enforcement, excluded paths — notably excluding the corporate-synced folders so you're not backing up the cloud) or a third-party endpoint-backup agent deployed as a standard agent-kit citizen. Either way the rule holds: named populations, named destinations, restore rehearsed — an unverified backup is a hope with a schedule.
What Backup Is Not
FileVault is encryption, not backup; snapshots aid local rollback, not device loss; and personal iCloud backup of corporate content is a data-boundary leak that feels like safety — the account-controls page closes it by design.
Insights
The design test is the lost-MacBook drill: pick a real user, simulate total device loss, and time the path back to productive — sync-first fleets should measure in an hour (the rebuild promise); if the true answer is "hopefully their Time Machine drive," you've found the project.
The full VPP model applies: location tokens, device-based licensing, silent install on managed Macs, license reclaim on retire. Mac App Store coverage is thinner than the third-party canon at large — but where an app lives there (the Microsoft suite doesn't; plenty of utilities do), VPP is the lowest-toil lane and update handling rides the store.
PKG and DMG Types
Both are MDM-channel installs with Intune handling delivery and detection:
PKG: the workhorse for vendor installers. Intune reads the package's included apps (bundle ID + version) for detection — verify the auto-detected list matches reality, especially on multi-component packages, or "install succeeded" reporting lies.
DMG: for the simple drag-drop class; Intune extracts the .app to /Applications and tracks the bundle.
Both prefer signed packages; unsigned internal packages generally still deploy via the management channel, but signing your own (packaging page) removes a class of Gatekeeper-adjacent surprises and is cheap to do.
Scripts and Installomator
When the vendor's distribution defies both types — or you want install-and-keep-updated semantics — a shell script running Installomator (the community's label-driven installer covering hundreds of apps — tools page) downloads the latest version from the vendor, verifies its signature, and installs. One script pattern, many apps, vendor-fresh versions; the trade is that Intune's app reporting doesn't see script-installed apps natively — pair with a custom attribute reporting the installed version, and the gap closes.
Insights
Avoid the legacy "line-of-business" lane for new work — the modern PKG/DMG types with detection rules superseded it; old guides recommending the LOB wrapper predate them.
Update doctrine per lane: VPP → store-managed; PKG/DMG → re-upload new versions on your packaging rhythm; Installomator → vendor-current by design; Microsoft apps → MAU channels. Write the table for your estate once — every app should sit in exactly one row of it.
The Intune agent's two superpowers — scripted glue on a schedule, and fleet inventory columns you define yourself.
Assign a shell script and Intune quietly installs its management agent on the Mac — the layer that runs everything the MDM protocol can't express. Two vehicles ride it: scripts that act, and custom attributes that report.
Console pathDevices > MacOS > Scripts
Run asroot or signed-in user
FrequencyOnce, or recurring — every 15 min to weekly
RequiresIntune management agent — installs with the first script
Shell Scripts
Devices > MacOS > Scripts (and the agent surface): upload a zsh/bash script with settings that matter —
Run as: root (system tasks) or signed-in user (per-user defaults, user-context setup)
Frequency: once, or recurring (every 15 min → daily/weekly) — recurrence turns a script into a lightweight remediation loop: write it idempotent (check state, fix only if wrong, exit) and it enforces rather than just sets
Max retries for transient failures; notifications off for silent fleet work
The use cases: state the MDM protocol can't set, Installomator-driven installs, migration cleanups, the defaults write that has no payload yet. The hierarchy of enforcement: Catalog payload first, recurring script second, one-shot last. And the repo discipline: every script versioned with its why.
Step-by-Step: Deploying a Script Safely
Write it idempotent and test it on a bench Mac in the same context it will run — root vs signed-in user behave differently for paths, keychains, and defaults domains, and context mismatch is the top first-run failure.
Upload with deliberate execution settings: run-as context, frequency, max retries, notifications off for silent fleet work.
Assign to a test group first and read the per-device script results in the console before any broad assignment — a script that worked on the bench meets reality in the first hundred devices.
Broaden, then commit the script to the repo with its why, its rollback, and its owner.
Custom Attributes
The underused gem: a script whose stdout becomes a per-device inventory column in Intune. Declare the return type (string / integer / date), assign, and the agent reports the value on its cadence. Suddenly the console answers questions Intune never shipped:
Last backup timestamp from your backup agent's plist
Hardware truths: Apple silicon vs Intel, specific model capability flags
Any one-line fact a shell command can compute
Doctrine: one fact per attribute, computed fast, output terse (it's a column, not a log), and named like the data dictionary it is (LastBackupDate, InstalledZoomVersion). Attributes are the fleet's self-built telemetry layer — and equally queryable for reporting.
Insights
Script execution logs live in the Intune agent's log directory on-device — the first stop when a script "didn't run" (it usually ran; the log says what it returned).
Recurring scripts run on battery hardware: budget the schedule — daily for most, frequent for the few that earn it.
Scripts run as root on managed Macs are crown-jewel code: repo, review, and least-privilege them like the production automation they are.
Office via MAU channels, Defender with its full enablement kit, and Company Portal — the Microsoft stack done right.
The Microsoft suite is most fleets' first and largest Mac deployment — and a perfect showcase of every pattern this section teaches: PKG delivery, preference-domain configuration, and the three-profile agent kit.
Update engineMicrosoft AutoUpdate (MAU)
MAU channelsCurrent / Monthly Enterprise / Preview
Defender kitSix pieces, one deployment wave
Company PortalRequired, fleet-wide — deploy early
Microsoft 365 Apps
Deploy via the built-in Microsoft 365 Apps for MacOS app type (the one-click suite) or per-app PKGs for granular control. The real management story is Microsoft AutoUpdate (MAU): Office on Mac updates through MAU, and MAU is fully manageable via preference-file settings (com.microsoft.autoupdate2) — set the channel (Current / Monthly Enterprise / Preview) per ring, enforce deadlines, silence the UI to taste. Ring Office updates with the same pilot → broad rhythm you already run for OS updates; MAU's Monthly Enterprise channel exists precisely for change-controlled fleets.
Office configuration (sign-in behaviors, telemetry, macro-adjacent settings) rides preference domains per app (com.microsoft.Word et al.) — the Catalog carries many directly.
Microsoft publishes current versions of these profiles in the Defender-for-Mac deployment docs — deploy theirs, diff on updates. Once healthy, the risk score → compliance → Conditional Access loop closes, and device risk starts gating access exactly the way your security team expects.
Defender sensorcomputes the device risk score
→
Compliance policyconsumes the score into the verdict
→
Conditional Accessgates access on the verdict
Company Portal
Required, fleet-wide — it's the enrollment vehicle for user-approved devices, the Platform SSO broker host, and the user's compliance-status window. Deploy early; everything above assumes it.
Insights
Sequence-test the Defender kit on a wiped lab Mac measuring time-to-protected — the kit deployed out of order produces an installed-but-degraded sensor that looks green in app reporting. The agent-triage sequence verifies the end state.
MAU channel drift is the silent version-sprawl generator: one custom attribute reporting the configured channel keeps the fleet honest.
pkgbuild, signing, and notarization in the amounts a Mac admin actually needs — plus when to skip it all with Installomator.
Sooner or later a vendor hands you a bare .app, a zip, or "just run this" — and you become a packager. The good news: the Mac admin's packaging toolkit is three commands and one decision tree.
Buildpkgbuild wraps the .app--component … --install-location /Applications
Signproductsign with Developer ID InstallerCheap insurance against Gatekeeper friction
Verifypkgutil --check-signature + lab installBefore anything reaches the console
DeployUpload via the PKG app typeDetection rides the bundle version
The Minimum Viable Package
A component package wrapping an app for /Applications:
That artifact deploys via the PKG app type today. For multi-component or scripted installs (pre/postinstall scripts — the layer where install-time logic lives), pkgbuild --scripts and productbuild compose the bigger artifact; keep scripts idempotent and logged, the universal rule.
Signing and Notarization (The Honest Amount)
Signing: a Developer ID Installer certificate (from your org's Apple Developer account) + productsign turns your pkg into a signed one. Cheap insurance: signed packages sidestep a class of Gatekeeper friction and verify provenance forever after.
Notarization: Apple's malware-scan-and-staple for internet-distributed software. MDM-delivered packages live in a gentler trust path than user downloads, so strict notarization of internal wrappers is often skippable — but vendor binaries inside your package should already be signed and notarized by the vendor, and repackaging shouldn't disturb that. Rule of thumb: sign everything you build; notarize what users might ever download outside MDM.
Verify before upload: pkgutil --check-signature MyApp.pkg and a test install on the lab Mac.
Versioning Discipline
Detection rides bundle versions (CFBundleShortVersionString) — keep the pkg filename, the contained app version, and your repo tag in lockstep, treating the version string as a contract across the whole chain. "Why didn't the fleet update" is almost always a version that didn't increment somewhere in that chain.
Or: Don't Package
Installomator exists because most third-party Mac apps are publicly distributed with vendor signatures — a label-driven script that downloads, verifies, and installs the vendor's own artifact beats maintaining a private repackage of it. Reserve real packaging for: internal apps, vendor software without public distribution, and installs needing org-specific scripting. Inspect anything questionable first with Suspicious Package (tools page) — reading a pkg's payload and scripts before deploying it fleet-wide as root is not paranoia, it's the job.
the vendor distributes publicly with their own signed artifactInstallomatorDownload, verify, and install the vendor's own build — no private repackage to maintain.
the app is internal, unpublished, or needs org-specific install scriptingPackage it yourselfpkgbuild + productsign, versioned in the packaging repo.
Insights
Keep a packaging/ repo: source artifact, build script, signing notes, version history. Packaging knowledge is tribal until it's committed.
Apple silicon vs Intel is mostly solved by universal vendor binaries — but your detection and scripts should still handle both (uname -m), because the install paths occasionally differ.
The per-lane update doctrine — who updates what, on whose schedule, and how you prove currency.
Mac app deployment has four lanes; Mac app updating has four corresponding doctrines, and fleets that never wrote them down discover the gaps as vulnerability findings. The table first, the reasoning after:
Lane
Who updates
Your lever
VPP / Mac App Store apps
The MDM/Store machinery
The auto-update posture in VPP settings — turn it on and verify, the closest Mac gets to fire-and-forget
Whether you allow it to run — a real decision with its own page
The Doctrine by App Class
The doctrine, by app class:
Security agents and browsers → fastest lane available: vendor updater allowed or high-frequency Installomator — staleness here is the finding that matters
The business-critical workflow app → the validated lane: pinned deployment or scheduled Installomator behind a ring-1 pass; change control where change hurts
The long tail → automated by default: VPP auto-update plus a weekly Installomator sweep covers the canon without per-app ceremony
Proving Currency
Strategy without verification is hope: a custom-attribute script reporting installed versions for the watched set, rolled into the inventory rhythm, turns "are we current on Chrome" into a column. The audit-grade framing: every app has a named update lane, every lane has a cadence, and the watched set has version telemetry — three sentences that satisfy most security reviews because most estates can't say them.
Insights
The classic Mac failure mode is the lane orphan: an app hand-installed during a migration, in no lane, updating never — a recurring discovered-apps delta review catches them, and the fix is adoption into a lane, not a one-time update.
OS-update and app-update rhythms interact: the annual MacOS release is when self-updaters and agents most need to move fast — pre-stage vendor-support checks in ring 1 so the lanes are proven before the fleet's OS moves.
The community installer engine under Intune — labels, arguments, wrapper patterns, and the operating rhythm.
The deployment-options page names Installomator as the third-party canon's workhorse; this cookbook is the how: the open-source script that knows how to fetch, verify, and install hundreds of common Mac apps directly from vendors — each encoded as a label — turning "package and maintain Chrome forever" into "run the script with the label chrome on a schedule."
EngineInstallomator — open-source, label-driven
CoverageHundreds of common Mac apps, fetched vendor-direct
The wrapper fetches/embeds a pinned Installomator release and invokes it with the label plus your standard arguments — pin the engine version deliberately and update it on your schedule; the wrapper is repo-versioned like all fleet code
Arguments encode the UX doctrine: blocking-process behavior (kill, prompt, or defer when the app is running — choose prompt/defer for knowledge-worker apps and accept slower convergence), notification behavior (pair with the notifications payload so prompts actually surface), and logging verbosity for the triage trail
Verification rides labels too: each label carries the vendor's expected Team ID/signature — the engine refuses tampered downloads, which is the security argument that gets this pattern past review: vendor-direct fetch with cryptographic verification, not "scripts downloading the internet"
Recurring execution is the update engine: the same script on a schedule is the update lane — present-and-current converges every run
The Operating Rhythm
One wrapper, parameterized by label beats forty bespoke scripts — the label list per fleet is data, not code
Ring the schedule: ring-1 Macs run the sweep a few days ahead of fleet; a vendor shipping a broken build burns the canary, not the company
LOB apps (no label — they ride your PKG pipeline), apps under strict change control (the validated lane, not the auto-sweep), and anything whose license terms preclude vendor-direct fetch. Fit it to the canon; don't force the exceptions.
the app has a label and lives in the third-party canonThe Installomator sweepRecurring run — present-and-current converges every cycle.
it's an internal app with no labelYour PKG pipelinePackage, sign, and deploy it yourself.
the app sits under strict change control or license-restricted distributionThe validated lanePinned, ring-validated delivery — not the auto-sweep.
Insights
Read the label source before first deployment of any app — thirty seconds confirms what's fetched, from where, verified how; being able to say you do this is half the security-review battle.
The blocking-process argument is the user-experience signature of your whole rollout: silent kills of running browsers generate the exact resentment that restraint doctrines exist to avoid — defer-style settings cost convergence speed and buy goodwill; spend accordingly.
The Mac self-service surface — what Company Portal offers, where it trails Jamf Self Service, and how to make Available deployments shine.
Mac users — especially those arriving from Jamf estates — expect a self-service app store. Company Portal on MacOS is that surface under Intune: honest assessment, then optimization.
What It Does
Available-assignment storefront: VPP apps, LOB packages, and DMG/PKG deployments assigned as Available appear for on-demand install — the license-frugal, user-respecting alternative to required-everything
Device standing: compliance state and remediation guidance — the user-visible end of the compliance loop, where "your Mac needs an OS update" becomes actionable instead of mysterious
Jamf Self Service is the genre benchmark — arbitrary-script buttons, deep branding, policy-as-catalog-item. Company Portal's Mac catalog is narrower: app installs and compliance actions, yes; "click to run any admin-blessed workflow," less so. Two consequences for migrated estates: port the workflow buttons deliberately (the popular Self Service scripts become scripts on triggers, helpdesk-run device actions, or honest cuts — inventory them during migration, don't discover them as tickets), and set expectations in comms — "the app store part carries over; the magic-button part changes shape."
Making the Storefront Good
The difference between a dusty portal and a used one is curation: a deliberate Available catalog (the apps people actually request, not the license graveyard), naming/icons/descriptions treated as the retail surface they are, and the onboarding guide pointing at it on day one. Pair with notification rights so its compliance nudges surface, and keep the app itself current — it ships via the deployment pipeline like everything else and is the one app whose staleness users see daily.
Do
Curate Available around what users actually request
Treat names, icons, and descriptions as the retail surface they are
Point the day-one onboarding guide at the portal
Keep Company Portal itself current — its staleness is the one users see daily
Don't
Ship the license graveyard as the catalog
Let compliance nudges fire without notification rights
Discover Self Service workflow buttons as tickets — inventory them during migration
Insights
Self-service is your license-economics lever: every app moved from Required-everywhere to Available-on-request stops paying for shelfware — the VPP utilization review quantifies it, and finance conversations go better with the number.
Watch what users search for and can't find — request patterns are your catalog backlog, and a quarterly add-the-asked-for pass keeps the portal alive in the org's muscle memory.
Removing software cleanly on MacOS — what assignment removal does per lane, uninstall scripts, and the license cleanup.
Deployment gets the documentation; removal gets the incidents. Mac app retirement is lane-dependent, and the lanes behave differently enough that "just unassign it" is sometimes a removal and sometimes a shrug.
Removal by Lane
VPP apps: the managed-removal story — Uninstall assignment removes the app, and retiring the assignment frees the license back to the pool (the license-economics loop closing). The clean lane.
LOB PKG installs: here's the honest seam — PKGs install; they don't carry uninstallers. Removal means an uninstall script: stop the processes/agents, remove the app bundle and the vendor's support directories (Application Support, LaunchAgents/Daemons, preference files), and verify. Vendor-documented uninstallers where they exist; your own shell script where they don't — written at packaging time, because the engineer who knows what the installer scattered is the one deploying it, not the one retiring it three years later.
Installomator-managed apps: removal is also script-shaped; stop the recurring label first or the sweep politely reinstalls what you removed — the classic retirement footgun.
DMG-deployed apps: bundle removal is straightforward; the support-directory sweep still applies.
The Retirement Choreography
Stop new installs: Available assignments pulled, labels removed from the sweep
Remove from the installed base: Uninstall assignment or the uninstall script via the script pipeline, ringed like any change
Verify to zero: the discovered-apps view trending to zero is the exit criterion — retirement without verification is a vulnerability finding on a delay timer, because the abandoned app no longer has an update lane
Clean the metadata: licenses reclaimed, PPPC/extension/notification entries for the app pruned from the kit, the repo's label/app lists updated
Do
Write the uninstall script at packaging time
Stop the recurring label before removing the app
Verify discovered-apps trends to zero — the exit criterion
Reclaim licenses and prune the app's kit entries
Don't
Treat "just unassign it" as a removal — lanes differ
Leave LaunchAgents and support directories behind
Let the sweep politely reinstall what you removed
Skip the receipt cleanup (pkgutil --forget)
Insights
The support-directory residue is more than tidiness: leftover LaunchAgents from a half-removed agent can keep running — a retired security tool's orphaned daemon is both a performance ticket and an audit oddity. The uninstall script's completeness is the difference.
Keep a retirement template next to the packaging template — process list, paths, receipt cleanup (pkgutil --forget for the pedantic-clean finish), verification query — so every retirement is a fill-in-the-blanks exercise instead of archaeology.
Xcode, command line tools, Rosetta, and local admin reality — managing the fleet's most opinionated population.
Developer Macs are the hardest Mac population: enormous toolchains, strong opinions, legitimate elevation needs, and outsized blast radius if managed badly — they're also often why the org has Macs. The doctrine: secure the boundaries, stay out of the workflow.
The Toolchain Logistics
Xcode is the headline problem: a multi-gigabyte install that updates often. The lanes — VPP delivery of the App Store Xcode (viable, mind the bandwidth story on release days), or developer-driven installs under a policy that allows them for this population. Either way, first-launch realities (license acceptance, additional-components install) belong in a post-install script so "I installed Xcode but builds fail" stops being a ticket genre.
Command Line Tools: the lighter dependency half the org's scripts assume — deployable headlessly via script; bake it into the developer-fleet enrollment so git works on hour one.
Rosetta 2 on Apple silicon: translated tooling still exists in most shops — install it during enrollment for the developer dimension and the "bad CPU type" mystery never happens.
Package managers (Homebrew et al.): the pragmatic posture is acknowledged and bounded — allowed for this population, with EDR and Gatekeeper posture as the compensating layer, and the fleet's update doctrine noting that brew-installed tools are the developer's own lane. Pretending it's banned while everyone uses it is the worst of both worlds.
The Privilege Reality
Developers make the strongest admin-rights case — Docker-class tooling, simulators, system-adjacent debugging. The honest postures: admin-by-documented-exception for the population (with the hidden managed admin and audit posture intact), or standard-plus-JIT-elevation where third-party tooling provides it. What doesn't survive contact: standard-user-no-exceptions on a working dev team.
The Boundary Set That Stays Firm
Workflow flexibility, boundary rigidity: FileVault, compliance + CA, EDR present and unkillable, iCloud data boundaries, and the secrets-hygiene conversation (signing keys and tokens in the keychain, not in dotfiles synced to personal clouds). Developers accept boundaries they can see the reasoning for; they route around theater.
Do
Hold the boundary set: FileVault, compliance + CA, EDR present and unkillable
Give the population a first-class Dev-Mac dimension and fork deliberately
Install Rosetta 2 and Command Line Tools at enrollment
Pretend the package manager is banned while everyone uses it
Run standard-user-no-exceptions on a working dev team
Accumulate fifty quiet exceptions instead of one documented fork
Insights
Give the population a first-class dimension — Dev-Mac group/filter — and fork deliberately per policy: same security floor, different elevation/install posture, update rings that respect release weeks. A documented fork beats fifty quiet exceptions.
Sparkle frameworks, vendor updaters, and the allow-or-own decision for apps that patch themselves.
A large share of the Mac third-party canon ships its own updater — Sparkle-framework apps, Chrome/Edge's background services, the Zoom/Slack class. Each one asks the same question: let the vendor's updater run, or own the update yourself? Fleets that never answered it per-app are running both strategies at once, which is the same as neither.
the app is a browser or fast-moving, security-sensitive canonAllow the vendor updaterFastest patch latency, zero toil — and zero change control; staleness is the bigger risk here.
the app sits behind validation or change controlOwn the updateSuppress the updater and deliver on your ring cadence — and honor the treadmill, or the app ages silently.
The Two Postures
Allow the updater (vendor-managed currency): fastest patch latency, zero admin toil — and zero change control: the vendor's Tuesday is your Tuesday. Right for browsers and the security-sensitive canon where staleness is the bigger risk, and for fleets without validation-gated apps.
Own the update (suppress/ignore the updater, deliver via Installomator or packaging): your cadence, your ring-1 validation — and the treadmill obligation that comes with it: a suppressed updater plus a missed sweep equals an app aging silently, the worst outcome available.
The doctrine table from the update-strategy page assigns the posture per app class; this page adds the mechanics.
The Mechanics
Suppression is preference-domain work: most major updaters honor managed preferences (Sparkle's automatic-check keys, the browsers' update-policy domains already in your browser profile) — delivered like any managed preference, versioned in the repo
Standard-user interaction: some updaters elevate gracefully for standard users, some prompt for admin credentials forever — an updater that nags non-admins is a de-facto broken lane, and the fix is owning that app's updates rather than training users to ignore prompts
Verification is universal: whichever posture, the version-telemetry attribute proves it's working — vendor-managed currency measured is a strategy; assumed, it's a hope
Insights
Updaters are also launch agents and daemons — they belong in the agent-kit inventory and the retirement sweep: the Google/Microsoft updater daemons outliving their apps is the classic residue pattern.
The honest fleet usually lands split-posture: vendor-managed for the fast-moving canon, owned for the change-controlled few — write the split down, because the difference between "split by design" and "split by accident" is exactly one document.
The package manager your developers already installed — governed, secured, and made useful instead of pretended away.
The developer-Mac page names the honest posture — acknowledged and bounded; this page is the bounding: Homebrew as managed reality on the fleets that run it.
The Governance Model
Sanction it for named populations: the Dev-Mac dimension gets brew; the general fleet doesn't need it and the hardening posture shouldn't carry it. A policy line that says allowed, here, like this beats unenforceable prohibition everywhere.
Install it properly: a managed install script during enrollment for the dev dimension — correct ownership on the prefix, the standard-user account model respected (brew's design expectations and your elevation posture negotiated once, in the script, not per-user) — beats forty hand-installs with forty permission archaeologies.
Brewfiles as the team contract: a repo-versioned Brewfile per team declares the sanctioned toolchain — new-Mac setup becomes one bundle command, and the config-as-code reflex extends to the dev stack.
The Security Posture, Stated for Review
The questions security will ask, pre-answered: formulae install from public taps (supply-chain exposure comparable to any developer package ecosystem — npm/pip precedent applies, and so do its mitigations); the EDR layer watches execution regardless of install path; brew-installed software sits outside your update lanes — it's the developer's own lane, declared as such in the lane table; and an inventory attribute (brew list output, versioned) keeps the estate visible. The unacceptable variant is the unmanaged one: brew on every Mac, no inventory, no posture — which is what prohibition-in-name-only actually produces.
The Boundary
Corporate-deployed apps stay in your lanes — brew is for developer toolchain, not for "easier Chrome installs"; a fleet whose security agent arrived via brew has inverted the trust model. One sentence in the policy draws it.
Do
Sanction brew for named populations — the Dev-Mac dimension
Install it via a managed enrollment script, ownership correct
Declare team toolchains in repo-versioned Brewfiles
Keep a brew list inventory attribute reporting
Don't
Prohibit in name only — that produces the unmanaged variant
Let corporate apps or the security agent arrive via brew
Let casks blur into the corporate-app lane — formulae yes, casks by exception
Insights
The casks question is where most policies wobble: GUI apps via brew blur straight into the corporate-app lane. The clean line — formulae yes (toolchain), casks by exception — keeps the model legible, and Installomator already covers the GUI-app-currency need brew casks would otherwise tempt people with.
Private store distribution for MacOS — Custom Apps through Apple Business Manager, and where the lane beats your PKG pipeline.
Custom Apps are the private-store lane: vendor- or self-published apps delivered privately through Apple Business Manager, with store-grade installs and updates — and the lane has its own decision math against the four deployment lanes.
DistributionApp Store Connect — private audience = your ABM organization
LicenseDevice-licensed through Apps and Books
UpdatesAutomatic, store channel
SigningNone on your side — store-grade install behavior
The Model
The developer publishes to App Store Connect with your ABM organization as the private audience; the app lands in your Apps and Books, licenses like any VPP title, and deploys device-licensed through Intune — supervised-grade install behavior, automatic store-channel updates, no signing ceremony on your side. Updates are the headline win: a Custom App vendor shipping through the store has handed you the VPP auto-update lane, versus the PKG vendor handing you a repackaging treadmill.
The Decision Math
When a vendor offers both delivery shapes, the question is Custom App vs PKG, and the lane choice follows the app's shape: store-distributable apps (sandboxed, store-review-compatible) → Custom Apps, taking the update lane for free; apps needing what the store can't carry (privileged helpers, system extensions, kernel-adjacent components — the security-agent class) → PKG lane by necessity, with Installomator-or-pipeline carrying currency. Most vendor estates split exactly there, and the procurement language writes itself: store-compatible deliverables distribute as Custom Apps to our ABM organization; privileged components ship as signed, notarized PKGs with documented uninstall.
the app is sandboxed and store-review-compatibleCustom AppPrivate store delivery — the auto-update lane comes free.
the app needs privileged helpers, system extensions, or kernel-adjacent componentsPKG laneSigned and notarized, with Installomator-or-pipeline carrying currency.
Operational Notes
The classic stumble is audience configuration: an app that never appears in Apps and Books almost always means the vendor's private-audience setting and your ABM organization ID don't match — verify the org ID with the vendor before escalating anywhere else. License hygiene is standard VPP work (reclaim on retirement, watch utilization). And one platform-specific check: confirm the listing's MacOS availability explicitly — vendors occasionally publish their private audience more narrowly than they intend, and the gap surfaces as "the app isn't there" on deployment day.
Insights
Custom Apps quietly upgrades your trust story too: store distribution means App Review and notarization-by-construction — the Gatekeeper posture's happiest path — which is one more review-meeting sentence the PKG lane can't offer.
Native dialogs as fleet infrastructure — onboarding progress, update nudges, and consent moments, scripted.
swiftDialog turns one command-line call into a polished native dialog — branding, markdown, progress bars, buttons that return exit codes — and in fleet hands it's not a utility, it's the user-communication layer your scripts were missing. Four patterns carry most of the value, and each follows the same skeleton: deploy the binary, call it from a script with deliberate arguments, and route the exit code back into fleet logic.
Step 1Deploy the binaryPinned version, through the app pipeline, before any script calls it
Step 2Call it from a scriptDeliberate arguments from the central branding snippet
Step 3Route the exit codeEach button returns a code; the script branches on it
Prerequisites
The swiftDialog binary, deployed as managed software. Treat it like any other dependency: pin a tested version, deliver it through your app pipeline, and stage it before any script that calls it — a script that assumes the binary exists fails silently on the one Mac where it doesn't.
A central branding snippet. Keep the common arguments — logo path, accent color, window-title conventions — in one sourced include so every team's dialogs look like one fleet rather than five well-meaning experiments.
A notifications payload already in place, so any notification-style output is pre-authorized instead of prompting users mid-flow.
A bench Mac per OS release — dialog chrome and full-screen behavior are OS-version-sensitive, so every flow earns a re-check before your rings move to a new release.
Pattern 1 — The Enrollment Experience
The await-configuration window's one real gap is user-facing progress; the community's answer — Setup-Your-Mac-style swiftDialog flows — is a full-screen, branded "we're building your Mac" dialog driven by your provisioning script, each kit payload and app ticking a checklist as it lands. First impressions are fleet design, and enrollment is the strongest first impression a managed Mac ever makes. The working sequence:
Deploy the dialog binary first in the provisioning script order, so the progress UI exists before anything worth narrating happens.
Launch the full-screen dialog with your branded arguments and one list item per provisioning step.
Drive the checklist through the command-file mechanism: as each payload, agent, and app lands, the script appends a status update to the dialog's command file and the corresponding line ticks complete.
Exit to the desktop on completion — close the dialog deliberately and leave the user on a finished, working Mac rather than a mystery in progress.
Detect the blocking condition in the script: the app is running, the disk is nearly full, the uptime is absurd.
Present the choice as a dialog — "Chrome needs to restart to update — Now / In 1 hour" — offering only deferral options you actually intend to honor.
Route the exit code back into the script's defer logic: each button returns a distinct code, so "Now" proceeds, "In 1 hour" schedules the retry, and a deferral cap eventually converts the nudge into action.
The same skeleton serves restart pressure and disk-space appeals — anywhere the fleet needs something from a human and deserves to ask politely first.
Pattern 3 — Consent and Instruction Moments
The remote-support consent choreography and any workflow needing a guided user click follow one script: show a dialog containing a screenshot of the OS prompt the user is about to see, narrate it — "you'll see this — click Allow" — then trigger the action. Pre-narrated consent converts platform-mandated prompts from confusion into choreography, and it measurably cuts the abandoned-prompt rate that otherwise becomes tickets.
Pattern 4 — Data Capture
Dialog input fields (asset tags at first boot, building codes for printer mapping) returned to the script and written up as a custom attribute — the missing form layer for the handful of facts only humans know. Validate the input in the script before recording it; a free-text asset-tag field collects creative fiction unless the script enforces the expected format.
Verification
Bench-test every dialog flow per OS release: full-screen behavior, notification rights, and the command-file mechanism each deserve a five-minute re-check against the new OS before broad rings move.
Confirm exit-code handling end-to-end — press each button on a test Mac and verify the script takes the branch you expect; a mis-mapped exit code silently turns "defer" into "proceed."
Review the fleet's dialog inventory periodically so retired workflows stop interrupting users.
Insights
It's a dependency, not a script garnish: pin the version, deploy via your pipeline, test per OS release, and centralize the branding arguments — the discipline is what separates a communication layer from a popup generator.
The cultural payoff outruns the technical one: a fleet whose interruptions are branded, polite, and deferral-respecting trains users to read IT dialogs — which is exactly the audience you'll want already trained the day a security moment needs their attention.
FileVault, firewall, SIP, Gatekeeper, and OS floors — attesting the Mac's posture to Conditional Access.
Compliance on the Mac follows the standing contract: the compliance policy attests posture, and Conditional Access enforces access based on that attestation. The Mac policy's distinguishing signals are the OS-integrity trio — SIP, Gatekeeper, firewall — which together answer the question that matters most about a managed Mac: "is this still the Mac we configured?"
Console pathDevices > MacOS > Compliance policies
Applies toEnrolled Macs — ADE and user-approved alike
Key signalsFileVault, SIP, Gatekeeper, firewall, OS floor
Enforced byConditional Access — the policy attests, CA gates
Prerequisites
Enrollment working end-to-end — compliance evaluates enrolled devices only: ADE for corporate Macs, user-approved where it genuinely applies.
A Conditional Access design that consumes the signal — without it, noncompliance is a report, not a control.
Step-by-Step: Building the Policy
Create the policy under Devices > MacOS > Compliance policies, then work the settings deliberately:
Require encryption / FileVault — the attestation half of the FileVault page; grace-period the policy so newly-enrolled Macs mid-first-encrypt don't flap between states.
Require System Integrity Protection — SIP off means someone deliberately weakened the OS's self-defense from recovery mode; on a corporate Mac that's a conversation, and this setting starts it automatically.
Require Gatekeeper (Mac App Store / identified developers) — the unsigned-software floor for the fleet.
Set the minimum OS version — trail your DDM enforcement rings by a grace margin so the compliance floor follows the update rings instead of racing them; a Mac should only fail this check after missing a deadline you already enforced.
Set password requirements — modest where Platform SSO carries the identity story; the local password still gates FileVault unlock, so it can't be theater either.
Add the Defender machine risk score once the full kit is live — cap the acceptable ceiling and the live-threat loop closes.
Actions for Noncompliance
Sequence the actions: grace period (24–72h) → user notification → mark noncompliant → Conditional Access gates access. The ladder gives users room to self-correct while keeping enforcement credible — the design goal is that nobody is ever surprised by a block.
Step 1Grace period24–72 h of room to self-correct
Step 2User notificationThe nudge before consequences
Step 3Mark noncompliantThe verdict lands on the device record
Step 4Access gatedConditional Access enforces the verdict
Mode Notes
ADE and user-approved Macs evaluate the same policies — the difference is leverage: a user-approved Mac that goes noncompliant can simply unenroll, which is precisely why Conditional Access (not the device) holds the access keys, and why corporate Macs belong on ADE where management survives bad moods.
Verification
On a bench Mac, break one signal at a time — disable the firewall, lapse the OS floor — and confirm the policy marks the device noncompliant on the expected schedule and that access is actually gated downstream.
Confirm grace-period behavior on a freshly-enrolled Mac mid-first-encrypt: the device should hold steady through encryption, not flap.
Read the per-setting compliance report after first assignment — a setting reporting "not applicable" fleet-wide usually means a targeting or scoping mistake, not a healthy fleet.
Insights
SIP/Gatekeeper failures are rare and loud by design — alert on them individually rather than letting them blur into the noncompliance count; each one has a story.
The classic Mac false alarm: "encryption noncompliant" on a Mac that is encrypted — usually a PRK-escrow gap or an evaluation lag after enrollment. Check escrow state before re-pushing policy; the fix is rotation, not re-encryption.
Device-based access for Mac fleets — the compliance signal chain, the per-browser reality, and a rollout that locks nobody out.
Conditional Access is where the Mac's compliance verdict becomes enforcement: corporate data opens only on a managed, healthy Mac. The mechanism is a chain — enrollment establishes management, registration creates the Entra device record, compliance stamps the verdict onto it, the browser presents device identity, the policy reads the verdict and grants. Every Mac CA incident is one link failing; build and troubleshoot in chain order.
EnrollManagement establishedIntune manages the Mac
RegisterEntra device record createdThe anchor for the device claim
AttestCompliance stamps the verdictFileVault, SIP, Gatekeeper, firewall, OS floor
PresentBrowser carries device identityBroker, profile sign-in, or extension
GrantPolicy reads the verdictCompliant opens the door
The Device-Based Grant
The Mac's device-based control is Require device to be marked as compliant — the only device grant a Mac can satisfy, which keeps the design honest: the compliance policy is the access bar, so FileVault, SIP, Gatekeeper, firewall, and the OS floor are exactly what a Mac must prove to open the door. Pair it with the MacOS device-platform condition, remembering that platform detection rides user-agent strings: routing, never a security boundary.
The Browser Reality
A token can carry the device claim only if the browser can reach the device's identity. Platform SSO makes that respectable fleet-wide: the SSO extension brokers authentication, and browsers acquire device identity through it instead of certificate prompts. Per browser:
Browser
How it acquires device identity
Field notes
Safari
The device client certificate provisioned at registration; brokered silently where the SSO extension is active
Fully supported; without the broker, users get a one-time certificate-picker prompt — declining it reads as "blocked" in tickets
Microsoft Edge
Native — through the signed-in Edge profile
A signed-out Edge cannot present device identity and fails the policy; profile sign-in is the prerequisite
Chrome
The Microsoft Single Sign On extension, which talks to the SSO broker
Device-blind without it — force-install via managed browser policy rather than hoping users add it
Two universal failure modes: private-browsing windows and disabled cookies both break device checks by design. The extension force-install and profile sign-in defaults belong in your browser management profiles — the CA story is only as strong as the least-configured sanctioned browser.
What Unmanaged Macs Hit
The day device-based CA turns on, every unmanaged Mac touching scoped apps gets a block page — including executives' home machines and the BYO population nobody inventoried. The compliant-device grant deliberately does not block Intune enrollment itself, so the remediation path stays open; staging decides whether that path is smooth or a cliff:
Inventory first: the Entra sign-in logs' device-info detail shows exactly which Macs sign in unmanaged today — that list is the rollout backlog and the comms audience.
Open the enrollment doors before the gates close: ADE for corporate Macs, user-approved enrollment for sanctioned BYO — the BYO-Mac decision made as policy, not per ticket.
Communicate the block before the block: a one-paragraph note with the enrollment link converts most of the backlog before enforcement day.
Prerequisites
A compliance policy assigned and producing verdicts — at least one pilot Mac showing compliant before any CA policy references the signal; a compliant-device grant in front of an empty compliance estate blocks everything it scopes.
Platform SSO (or at minimum the SSO extension via Company Portal) deployed, plus the browser plan for extensions and profile sign-in.
Break-glass accounts: at least two emergency-access accounts excluded from every CA policy, tested on a schedule. Non-negotiable.
Step-by-Step: the First Device-Based Policy
Create the policy under Entra ID > Conditional Access > Policies, named for what it does — "MacOS — require compliant device — pilot".
Scope users to the pilot group and add the exclusions immediately — break-glass accounts and any service accounts that authenticate interactively — while the policy is still harmless.
Target resources: start with a meaningful-but-survivable set (mail and files are the classic), and expand toward all resources as confidence grows.
Set the device-platform condition to MacOS — and decide explicitly what happens to unknown platforms rather than inheriting that answer by accident.
Select the grant — Require device to be marked as compliant — and save in report-only mode, where the policy evaluates and logs every sign-in without enforcing.
Soak for one to two weeks. The report-only results in the sign-in logs show who would have been blocked and why; work that list to zero surprises, then flip to On for the pilot and widen deliberately.
Verification
A compliant pilot Mac signs into scoped apps from every sanctioned browser without prompts; its sign-in log entries carry the device ID and compliant state.
A bench Mac forced noncompliant (break one signal, per the compliance page's drill) is blocked with the message you expect — and recovers after remediation plus a check‑in.
An unenrolled Mac hits the block page and finds the path you designed for it: an enrollment invitation, not a dead end.
A break-glass account signs in from anywhere, unchallenged.
Lockout Pitfalls
The enrollment chicken-and-egg: a freshly enrolled Mac isn't compliant yet — registration plus the first check‑in take minutes — so day-one users can be enrolled and still blocked. Enrollment itself isn't stopped by the compliant-device grant, but anything else stacked into the policy (location fences, app scoping that catches the portals) can wall off the flow that creates compliance. Verify the new-Mac path end to end with the policy enabled.
Local-account vs Entra identity mismatches: registration anchors to the account that performed it. A second local account on the same Mac, or a browser signed in with a different identity than the one that registered, presents no device claim — blocked, despite the "managed" Mac. Multi-user Macs sit outside device-based CA's support envelope; design them out, not around. The PSSO triage page catches the registration-side variants.
Missing break-glass discipline: the lockout that matters is the one where admins scope themselves into a policy whose grant their own devices can't satisfy. Excluded emergency accounts — tested, monitored, documented — are the difference between an incident and an anecdote.
Do
Inventory unmanaged sign-ins from the Entra logs first
Open the enrollment doors before the gates close
Soak every policy in report-only for one to two weeks
Exclude break-glass accounts and test them on a schedule
Don't
Skip report-only — even for "obviously safe" edits
Stack conditions that wall off the enrollment path itself
Scope admins into a policy their own devices can't satisfy
Let per-app policy sprawl replace a few broad policies
Insights
Report-only is free production telemetry — organizations that skip it discover their unmanaged-Mac population at the help desk instead of in a log view. Never skip it, even for "obviously safe" edits to existing policies.
Users experience CA failures as outages, not policy: the block page is a UX surface — name the fix and link the enrollment guide there; ticket volume is set by that screen, not by the policy design.
Per-app policy sprawl ages badly: a few broad policies with deliberate exclusions beat dozens of app-specific ones, because six months in nobody can answer "what happens when a contractor opens the finance app from an unmanaged Mac" across forty policies.
The Endpoint security node's MacOS profiles — firewall, FileVault, Defender AV — and how they compose with compliance.
The Endpoint security node carries the focused MacOS profiles for the security stack — firewall, disk encryption, and the Defender sensor's tuning. The operating pattern: configure posture here, attest it in compliance, enforce through Conditional Access.
ConfigureEndpoint security profiles set the postureFirewall, FileVault, Defender AV tuning
AttestCompliance proves itThe policy reports what the profiles set
EnforceConditional Access gates accessNoncompliance becomes a control, not a report
Firewall
Endpoint security > Firewall (MacOS) is where the application firewall gets its fleet posture. Work it in order:
Enable the application firewall fleet-wide — the non-negotiable baseline.
Decide on block all incoming — aggressive but defensible on laptop fleets that host nothing; pilot it with the people who own AirPlay receivers and dev-mode local servers before enforcing broadly, because those forgotten exceptions surface in week one.
Enable stealth mode (drop probe responses) for the road-warrior posture.
Keep per-app allow/block entries short and reviewed — every entry is an exception estate to govern: minimal, justified, version-controlled.
Disk Encryption
The FileVault policy lives in this node — covered in its own page; mentioned here because audit conversations expect "where is encryption configured" to have one answer per platform, and for the Mac this is it.
Antivirus (Defender for Mac)
Once the Defender kit is deployed, the Antivirus profile (MacOS) manages the sensor's behavior: real-time protection, cloud-delivered protection, scan exclusions (minimal, justified, version-controlled), tamper protection where available. The division of labor: the kit makes Defender exist and function (PPPC + extensions + login items); the AV profile tunes it; MAU keeps it current.
What Deliberately Isn't Here
MacOS restriction-flavored security (Gatekeeper settings, software-source controls, USB-adjacent restrictions) lives in the Settings Catalog, not Endpoint security — the one-home-per-setting doctrine: decide the owner per area (this node for the security stack, the Catalog for OS restrictions) and document the split, or per-setting conflict reports become a hobby.
Verification
After the firewall profile lands, confirm on a test Mac that the firewall reports enabled and that compliance attests it — the profile-sets, compliance-proves loop closing end-to-end is the proof the design works.
Verify the Defender sensor reports healthy in its console after the AV profile applies — a tuned profile on a sensor whose enablement kit never landed is configuration without effect.
Re-check the per-app exception list on a calendar; exception lists only ever grow unless someone owns the review.
Insights
Build the Mac security story as one slide with four verbs: encrypt (FileVault), sense (Defender), gate (compliance + Conditional Access), recover (escrowed keys, rotation). A clean verb-per-control architecture is the selling point to every auditor and CISO who reads it.
Firewall "block all incoming" pilots reveal the forgotten exceptions — AirPlay receivers in conference rooms, dev-mode local servers — in week one; run the pilot with the people who own those workflows, not after them.
MacOS's built-in execution control — notarization checks, quarantine, the background scanners, and what management adds.
Before any EDR agent arrives, MacOS already runs an execution-control stack: Gatekeeper deciding what launches, XProtect scanning for known malware, and the remediation machinery cleaning up. Management's job is locking the posture and not breaking the machinery.
Launch gateGatekeeper evaluates the appCode signature, notarization, quarantine state
Background scanXProtect matches known malwareSignature definitions ride Apple's update plumbing
RemediationThe removal machinery cleans upApple-managed, invisible when healthy
Gatekeeper: the Launch Gate
Gatekeeper evaluates apps at launch — code signature, notarization (Apple's malware-scan-and-ticket for developer-distributed software, the same regime your own PKGs must satisfy), and quarantine state (the download flag that triggers first-launch evaluation). Set the managed posture via restrictions/Settings Catalog:
Set the floor: App Store and identified developers. Signed-and-notarized software runs; random unsigned downloads don't. The corporate default.
Decide the override question deliberately. Users can traditionally approve exceptions (the right-click ritual, OS-version-dependent); managed fleets decide whether that override exists at all. Standard-user fleets with a curated app pipeline can close it; developer fleets generally keep it with EDR as the compensating eye.
Know what your pipeline bypasses. MDM-delivered apps skip quarantine by design — your deployment pipeline is the trusted channel, which is exactly why the pipeline's own signing and notarization hygiene matters as much as the user-facing gate.
XProtect and Friends
The built-in signature scanner (XProtect), the remediation tool that removes what's found, and the background update mechanism that keeps their definitions current — all Apple-managed, all invisible when healthy. The management rules: never block their update path (they ride Apple's update plumbing — network allow-lists that strangle Apple services starve the scanners), and treat them as the floor the EDR conversation builds on, not the enterprise detection story by themselves.
The Composite Posture
Gatekeeper (launch control) + XProtect (known-malware floor) + notarized pipeline + EDR (behavioral detection) + attested boot integrity — five layers, each named in the security review, each covering the others' gaps. Present it exactly that way: a layer model with an owner and an attestation story per layer reads as architecture; a list of enabled checkboxes reads as luck.
Do
Set the floor: App Store and identified developers
Decide the user-override question deliberately, per population
Keep the scanners' Apple update path open on every network
Treat a blocked LOB app as a packaging finding
Don't
Strangle Apple services with allow-lists — definitions starve
Treat XProtect as the enterprise detection story
Bless the agents while leaving the gate unmanaged
Fix a signing problem by weakening fleet posture
Verification
Confirm the posture landed: on a test Mac, attempt to launch an unsigned, non-notarized download — the denial should match your policy's intent, and the denial language should match what your helpdesk documentation tells users to expect.
Confirm the scanners' update path on every managed network configuration, including the most restrictive — a quarterly check against proxy/allow-list changes keeps the malware-definition floor current.
Insights
The classic self-inflicted wound: a PPPC/extension kit meticulously built for the EDR agent, while an unmanaged Gatekeeper posture lets users approve anything — lock the gate the same week you bless the agents.
The passcode payload, Touch ID, lockout behavior, and how Platform SSO changes what the local password even is.
Mac password policy is the familiar lock-policy conversation with one twist particular to this platform: under Platform SSO, the local password's identity changes — it can become the Entra credential's local shadow, which reframes every requirement you set.
The Payload Surface
The passcode payload (Settings Catalog) carries the classics: minimum length and complexity classes, history, maximum age, auto-lock timeout and grace period, and failed-attempt lockout behavior. Calibrate deliberately:
Length over composition theater — a 12+ character minimum beats character-class bingo; modern guidance (and user sanity) favors length + breach-resistance over mandatory punctuation
Rotation: justify it or drop it — forced periodic change is legacy-compliance muscle memory; with FileVault and lockout in place, current guidance leans against arbitrary rotation. If a framework mandates it, document that as the reason
Timeout humane, lockout real: screen-lock minutes that match office reality, failed-attempt thresholds that frustrate brute force without wiping the CFO's Mac over a child's curiosity
Touch ID and the Convenience Layer
Allow it — biometric unlock atop a strong password is better security and better UX, and the payload's biometric toggles let regulated fleets dissent deliberately. The same one-liner resolves the FileVault interaction: Touch ID unlocks the session; the pre-boot unlock still wants the password — one onboarding sentence, zero tickets.
The Platform SSO Reframe
With Platform SSO password sync, the local password aligns with Entra — so Entra's password protection becomes the real policy engine (banned-password lists, smart lockout), and the payload's job shrinks to local hygiene: lock timing, attempt limits, Touch ID posture. Set the payload to complement the identity-side policy rather than duplicate it — two authorities enforcing subtly different complexity rules is the classic two-masters conflict wearing a password costume, and the user at the login window is the one who feels it. (Secure Enclave/key-based Platform SSO modes shift the story further — toward the hardware-bound credential future where the password recedes entirely.)
Pair humane auto-lock timing with a real lockout threshold
Document the framework when rotation is genuinely mandated
Don't
Enforce composition theater — punctuation quotas over length
Force periodic rotation out of legacy muscle memory
Let the payload and Entra enforce dueling complexity rules
Set lockout so tight a child's curiosity wipes a Mac
Verification
Apply the payload to a test Mac and live the policy: set a password that violates it and confirm the OS refuses with comprehensible language; let the auto-lock fire and confirm the timeout and grace period behave as designed.
Walk the failed-attempt ladder on a bench Mac to confirm the lockout threshold and recovery behavior — before a curious child finds them for you.
On Platform SSO fleets, reset a test account's Entra password and confirm the login-window sync behavior matches what your helpdesk script promises.
Insights
Compliance attests the result — payload sets, compliance proves, Conditional Access enforces; the standing trio, Mac edition.
Audit the lockout + recovery path end-to-end once: forgotten password → FileVault recovery-key flow → reset → re-sync — the rehearsed path is a ten-minute helpdesk script; the unrehearsed one is a lost afternoon and an angry executive.
Hardware-rooted device identity on Mac — Secure Enclave attestation, ACME issuance, and the end of trust-by-assertion.
The deepest question in device trust is "how does the service know this is the Mac it thinks it is?" — and for years the answer was assertion: the MDM record said so. Managed Device Attestation (MDA) replaces assertion with cryptography: the Secure Enclave proves the device's identity and properties to Apple's attestation servers, and your infrastructure receives certificates rooted in silicon, not in hope.
Key propertyHardware-bound, non-exportable by construction
How the Proof Works
Through the ACME payload (the modern certificate-issuance protocol with an attestation extension), the Mac requests an identity certificate; the Secure Enclave generates a hardware-bound key (non-exportable, by construction) and Apple's attestation service vouches for the request — attesting the device's genuine-Apple-hardware identity and properties like serial number. The issuing CA can therefore enforce: certificates only for proven hardware, keys that cannot leave it. A cloned or spoofed device can't complete the dance — there's no Enclave to vouch.
Secure Enclavemints the hardware-bound key
→
Apple attestation servicevouches for genuine hardware
→
Issuing CAcertificates only for proven hardware
What It Buys, Concretely
Phishing-resistant device identity: the certificate underpinning 802.1X, VPN, and MDM client identity becomes unstealable — exfiltrated-credential attacks against device certs stop working
Trust-tier honesty: services can distinguish "attested hardware identity" from "asserted identity" — the foundation under serious Conditional Access stories
The strategic arc: MDM communication and enterprise PKI moving from software-held secrets to silicon-held proofs — access decisions anchored below the OS, where malware can't reach
Prerequisites
Apple silicon-era hardware with a Secure Enclave, running a current MacOS.
ACME-capable issuing infrastructure — this is where most estates wait: your PKI must speak the protocol, and Cloud PKI-class services and modern CA platforms are the typical path.
MDM support for delivering the ACME payload, plus the certificate-consuming profiles (network auth, VPN) ready to reference the new issuance chain.
Adoption Path
Start where the value concentrates: the device-identity certificates behind network auth — the certs whose theft would matter most.
Stand up the ACME issuance chain alongside the existing one and issue to a pilot ring first, treating the CA's attestation-enforcement settings as the control under test.
Let SCEP carry the long tail while the ACME estate grows — migrate by certificate class, not by flag day.
Update the trust documentation: which certificate classes are attestation-backed, which are legacy-issued, and what each class is allowed to authenticate to.
Verification
Inspect a pilot Mac's issued certificate: confirm it chains to the ACME issuance path and that the private key reports as hardware-bound.
Attempt issuance without valid attestation against the enforcing CA — the refusal is the control working; file the evidence for the audit binder.
Confirm the consuming services (802.1X, VPN) authenticate with the attested certificate before retiring legacy issuance for that class.
Insights
In security reviews, MDA is the answer to the question auditors are learning to ask: "what stops a cloned device certificate?" — and "the private key physically cannot leave the Secure Enclave, and issuance required hardware attestation" is the strongest sentence in the Mac trust story.
This capability area moves quickly — re-check what your issuing infrastructure and Intune's certificate surface support at deployment time; six-month-old answers expire.
Per-device credential hygiene for the managed administrator — rotation patterns, escrow realities, and honest tooling assessment.
The account-strategy page creates a hidden managed administrator; this page keeps its credential from becoming the fleet's skeleton key. The goal is simple to state and demanding to operate: unique per device, rotated automatically, retrieved auditably — and the honest Mac story is that you assemble this capability rather than toggle it.
The Threat Being Solved
A shared admin password across a Mac fleet is one compromised device away from being a fleet credential — and one departed technician away from being an ex-employee's credential. Static-shared fails both tests; per-device rotation answers both.
The Patterns, Honestly Ranked
Platform/tooling-native rotation where available: the ecosystem is converging on managed local-admin rotation for the Mac — evaluate what your current Intune surface and EDR/management tooling offer at deployment time (this capability area moves; six-month-old answers expire), and prefer native escrow-and-rotate over anything hand-rolled.
Script-based rotation with secure escrow: the established assemble-it pattern — a scheduled script generates a per-device secret, sets it locally, and escrows it to a secured store (a vault/secret-manager via API, with the Graph-automation mindset applied to retrieval auditing). The design tests: where does the secret rest, who can read it, is retrieval logged per event, and what happens when escrow is unreachable mid-rotation. Treat the rotation script itself as security-critical code — repo-versioned, reviewed.
What fails review: rotation that logs the new password anywhere observable (unified log, script output, the MDM's plaintext attribute surface), shared-static "but it's long," and FileVault-key-as-admin-password conflations — the FileVault escrow is its own system with its own rotation story; keep them separate.
Do
Rotate to a unique secret per device
Escrow before set — an outage must never strand a Mac
Log every retrieval as a per-event audit record
Re-roll after every retrieval — post-use rotation is the gold standard
Don't
Log the new password anywhere observable — unified log, script output, plaintext attributes
Accept shared-static "but it's long"
Conflate the FileVault recovery key with the admin credential
Building the Script-Based Pattern
Choose the escrow store first — a secret manager with API access, per-secret ACLs, and per-read audit events. The store's audit log is the control; pick the store for its logging, not its convenience.
Write the rotation script: generate a strong random secret, escrow it, then set it on the managed admin account — escrow before set, so an escrow outage can never strand a Mac with a password nobody holds.
Schedule it through the script pipeline on your chosen cadence, with an additional rotation triggered after every retrieval.
Wire the retrieval workflow: helpdesk requests the credential through the store — RBAC-gated, logged per event — uses it on the bench, and the post-use rotation re-rolls it automatically.
The Operating Loop
Rotation cadence (post-use rotation is the gold standard — every retrieval triggers a re-roll), retrieval rare and auditable, and the credential's use confined to the bench-and-break-glass scenarios it exists for. If helpdesk retrieves admin credentials daily, the finding isn't the rotation system — it's whatever workflow gap (self-service, elevation tooling, device actions) is forcing manual admin access.
Verification
Pull two devices' escrowed credentials and confirm they differ — uniqueness is the entire point, and a generation bug that produces collisions defeats it silently.
Retrieve a credential through the sanctioned workflow, confirm the retrieval logged who/when/which device, and confirm the post-use rotation fired afterward.
Simulate escrow unreachability on a bench Mac and confirm the script's failure mode matches the design: no password change without a stored copy.
Insights
Pair rotation with elevation tooling in reviews: rotation secures the break-glass; self-service elevation (the Privileges-style tooling from the standard-user strategy) shrinks how often anyone needs it — two controls, one slide, and the "why do techs know admin passwords" question dies properly.
The unified log, the Endpoint Security framework, and deciding what Mac telemetry reaches your SIEM.
Mac security visibility runs on two systems with different jobs: the unified log (everything the OS narrates) and the Endpoint Security framework (the real-time event stream security products subscribe to). Knowing which carries what keeps both your diagnostics and your SIEM design honest.
you're reading the OS's own narration — auth events, Gatekeeper decisions, profile changesThe unified logLocal and rotating; query with log by predicate, ship only named predicates.
you need real-time security events — process execution, file activity, authenticationThe Endpoint Security frameworkDeploy an entitled agent that subscribes; you don't tap it directly.
The Unified Log
MacOS's firehose — system, subsystem, and app events, queried with the log tool by predicate and time window. For the admin it's primarily a troubleshooting surface (the ManagedClient story lives there), but security-relevant narration lives there too: authentication events, Gatekeeper decisions, profile changes. Two operational truths: it's local and rotating (it's not your audit trail unless something ships it), and private-data redaction means some fields log as opaque placeholders by design — plan around it rather than fighting it.
The Endpoint Security Framework
The modern detection substrate: a kernel-mediated API streaming real-time security events — process execution, file activity, authentication — to entitled subscribers. This is what your EDR agent consumes; it replaced the kernel-extension era (the system-extension migration story), and its existence explains the architecture: you don't tap the framework — you deploy and feed agents that do. Multiple subscribers coexist, with the performance-contention caveat that every additional subscriber inspects every event.
What Reaches the SIEM (the Design Decision)
The pragmatic Mac telemetry tiers:
EDR-forwarded events — the security backbone; the agent's pipeline is the shipping mechanism, and sensor-coverage % is the metric
MDM-side audit truth — enrollment, compliance state, action history via Graph — fleet-level security narrative without touching devices
Targeted unified-log shipping — only for specific, named predicates a detection genuinely needs (auth events on high-value Macs, say) via a collection agent; shipping the raw firehose is a SIEM-bill incident, not a strategy
Write the tier table down — "what Mac events do we have?" is an incident-response question best answered before the incident.
Insights
The notification/PPPC kit is upstream of all of this: an EDR agent without its approvals streams nothing — telemetry coverage is an enablement-kit metric before it's a SIEM metric.
Rehearse one retrieval: pick a security question ("what executed on this Mac at 14:02"), answer it from your actual pipeline, time it. The gap between the architecture diagram and that timing is your real logging posture.
CrowdStrike, SentinelOne, and friends under Intune — the deployment kit, Defender coexistence, and the health telemetry that proves coverage.
Whether the sensor is Defender or a third party, Mac EDR deployment is the same composite problem: an Endpoint Security framework subscriber that needs silent enablement, configuration, and proof of life. This page is the vendor-agnostic playbook.
Applies toAny ES-framework sensor — Defender or third party
Vendor configuration — managed preferences or the vendor's profile, carrying tenant/site tokens so activation is zero-touch
The sequencing rule from every enrollment page: the kit lands in the enrollment window so the Mac is never post-desktop and unsensored. Vendor documentation provides exact bundle IDs and payload values — transcribe from the current doc, not from a blog post or memory; these identifiers change across agent versions.
The Coexistence Question
One ES-framework heavyweight per Mac is the doctrine — two full EDR agents double-inspecting every event is the performance-conflict page's origin story. Defender-plus-third-party estates run deliberately: one agent in full EDR mode, the other absent or in a passive/coexistence mode the vendors document and support — an architecture decision made once, not a per-device accident. Document which agent owns full EDR mode and pin the passive role in the vendor's supported configuration, so an engineer can answer "who owns detection on this Mac" without a packet capture.
Proving Coverage
The metric that precedes all threat metrics: % of fleet with a healthy, communicating sensor. Assemble it from the vendor console's device list reconciled against Intune inventory — the delta list (managed Macs absent from the EDR console) is the work queue, and a custom attribute reporting agent presence/version makes the gap visible inside Intune itself. Compliance can then enforce what telemetry proves.
Insights
Agent updates are the self-updating-app decision at its highest stakes: most EDR vendors run their own update channels — allow them (staleness is the worse risk), pin ring-1 Macs to the vendor's early channel, and let the canaries absorb the bad-sensor-build day so the fleet doesn't.
The OS-release cycle is EDR's annual exam: vendor support statements for the new MacOS belong in your upgrade gate — the fleet's OS doesn't move until the sensor's support does.
Platform SSO's key-based modes — hardware-bound credentials, the passwordless arc, and what changes at the login window.
Platform SSO's password-sync mode keeps two credentials aligned; its key-based modes retire the alignment problem: the Mac's identity to Entra becomes a Secure Enclave-bound cryptographic credential — unphishable, unexportable, and bound to the silicon that minted it.
Mints atPlatform SSO registration — no registration, no credential
The Mode Ladder
Platform SSO's authentication methods, in ascending ambition:
Password sync: local ↔ Entra alignment — the password-policy page's world, familiar and transitional
Secure Enclave key: registration mints a hardware-bound key; that key authenticates to Entra — the user's local password stays purely local (machine unlock), while cloud auth rides the Enclave credential satisfying phishing-resistant MFA by construction. Token theft and password phishing against this credential stop being meaningful sentences.
The trajectory beyond — platform credentials behaving as passkeys across the WebAuthn world, Touch ID as the gesture — is where Apple and Microsoft are both steering; design new deployments assuming key-based is the destination and verify current Intune/Entra surfacing per release, because this surface is actively shipping.
What Changes Operationally
The login-window story simplifies (local password = local concern; no drift class, so the drift-triage family shrinks), registration carries even more weight (the Enclave key mints at PSSO registration — the unregistered Mac isn't just prompting more, it has no modern credential), and recovery flows re-center on re-registration rather than password reset. Conditional Access gains its strongest Mac input: phishing-resistant-MFA policies satisfiable natively, no security keys to ship.
The Composition Slide
This page plus MDA is the Mac trust story complete: the device proves itself via Enclave attestation; the user authenticates via Enclave-bound credential — identity and device trust rooted in the same silicon, which is the one-sentence answer when review asks why the Mac posture is strong.
Insights
Migration sequencing for existing PSSO estates: key-based modes change the registration contract, so treat the move like the account-model migration it is — ring it, with comms, because "your Mac will ask you to register again" unannounced is a phishing-drill false alarm you scheduled for yourself.
The application firewall, content-filter extensions, and the layered network posture on managed Macs.
The Mac's network-defense story is two distinct mechanisms admins routinely conflate: the built-in application firewall (inbound, app-identity-based) and the network/content filter extension framework (the rich layer your security stack rides). Managing each for what it is keeps the story straight.
the question is inbound and per-app — which apps may accept connectionsApplication firewallEnabled fleet-wide, stealth per taste, block-all on the high-assurance tier.
the question is flow inspection, protective DNS, or per-app VPNFilter extensionsThe layer your security stack rides — deployment is an agent-kit exercise.
The Application Firewall
MacOS's firewall is inbound, per-application: signed apps get allow/deny decisions rather than port rules. The managed posture via the firewall payload: enabled fleet-wide, stealth mode per taste, block-all-incoming on the high-assurance tier, logging on. The right-sized expectation: this is laptop-grade inbound hygiene — the instrument is app-identity rather than port/subnet rule craft, so design it around "which apps may accept connections" and let heavier network policy live a layer up. It's the floor; attest it via compliance-adjacent scripting and move up a layer for the real policy.
The Filter-Extension Layer
Modern Mac network security is filter extensions — the Endpoint Security framework's networking siblings: content filters inspecting/deciding flows, DNS proxies enforcing protective resolution, and the per-app VPN/relay plumbing. Your EDR/web-protection stack implements its network features here, which makes deployment an agent-kit exercise: the extension approval payload, the filter configuration, notifications — pre-approved at enrollment or prompting at the worst time. The coexistence rule sharpens: filter slots are contended territory — one content-filter authority per fleet, vendor-documented exceptions only, or the agent-conflict page gains a networking chapter.
The Composite Posture
Layered and named for review: application firewall (inbound floor) → DNS filtering (cheap, broad) → content-filter extension (the policy engine) → relay/ZTNA for corporate access — each layer owned, each attested, with a traffic-class matrix documenting which control owns which flows.
The triage tell for filter-layer trouble: networking that breaks per-app or per-category (not per-network) is extension territory — check the filter's health and approval state before blaming Wi-Fi, and know your stack's bypass/fail-open behavior before the incident where it matters.
Compliance frameworks made operational — generating, deploying, and auditing Mac baselines from the NIST project.
When the auditor says "CIS Level 1" or the contract says "NIST 800-171," the Mac answer is the MacOS Security Compliance Project (mSCP) — NIST's open-source framework that turns benchmark prose into deployable, auditable artifacts. This page is the operating model.
A rules database (each rule: the control, its framework mappings — CIS, NIST, STIG-class — the check logic, and the fix) plus generators that emit, per your chosen baseline: configuration profiles (the settings a payload can enforce), scripts (checks and remediations for what profiles can't express), and documentation mapping every control to its framework citation — the audit-evidence layer pre-built. You select the framework tailoring, generate, and the abstract benchmark becomes concrete fleet artifacts.
The CIS Apple macOS Benchmark
mSCP is the engine; the CIS Apple macOS Benchmark is the most commonly cited destination it tailors to. CIS publishes a separate benchmark per major macOS release — at the time of writing the live set is macOS 26 Tahoe (v1.1.0), macOS 15 Sequoia (v2.1.0), macOS 14 Sonoma (v3.1.0), macOS 13 Ventura (v4.0.0) and macOS 12 Monterey (v4.0.0), plus a Cloud-tailored variant for each. The version skew matters operationally: a control's recommendation number, its key, and even whether it ships as a profile payload or a script can change between, say, Sonoma v3.x and Sequoia v2.x — never reuse a Ventura profile against a Sequoia fleet and assume parity.
Each benchmark grades recommendations into Level 1 (L1) and Level 2 (L2) profiles. L1 is the defensible default — controls that meaningfully reduce attack surface with minimal impact on usability, the floor you can apply fleet-wide without a help-desk surge. L2 is defense-in-depth for high-sensitivity endpoints — stricter controls (think aggressive auditing, tighter com.apple.* restrictions, hardware-feature lockdowns) that will break workflows and need a documented exemption process. There is no separate "server" profile for macOS the way there is for Windows or Linux; macOS is a workstation benchmark, so when an auditor says "CIS Level 1" for a Mac fleet, they mean L1 workstation.
No MS baselineMicrosoft baselines are Windows-only — CIS + mSCP are the Mac source of truth
The honest framing: there is no Microsoft security baseline for macOS — Microsoft ships security baselines only for Windows. So unlike the Windows baseline you can import as a profile inside Intune, the Mac story is "obtain the benchmark from CIS, generate deployable artifacts with mSCP, and enforce them yourself." CIS PDFs are free for non-commercial use; the machine-readable build kits and CIS-CAT Pro scanner are member benefits. Practically, most shops drive the benchmark through mSCP (it carries the CIS mappings) rather than hand-transcribing the PDF — generate against your OS version, then deploy via Settings Catalog and custom profiles with the check scripts running as custom attributes for per-rule evidence.
Generate against your OS version (rules are release-specific — the annual OS pass includes regenerating)
Tailor honestly: exemptions are first-class in the framework — the developer fleet's deviations get documented exemptions with rationale, not silent skips
Deploy the layers in their lanes: profiles via custom/Settings Catalog, check scripts as custom attributes reporting per-rule state, remediations through the script pipeline — and ring the rollout like any baseline change, because a compliance baseline is one: pilot ring first, broad rings after the soak, rollback notes per rule
Audit continuously: the check-script outputs rolled into reporting = per-control compliance percentage, charted — the burn-down the auditor actually wants
The Relationship to Your Existing Baseline
Your restrictions cookbook and mSCP overlap heavily by design — reconcile rather than duplicate: the framework becomes the system of record for controls it covers (one home per setting), your cookbook keeps the org-specific remainder, and the conflict-check between them is a one-time diff that prevents a standing mystery.
Insights
mSCP's killer feature is the mapping: one deployed rule set, evidenced once, satisfies multiple frameworks' citations simultaneously — which converts "we also need to answer the STIG question" from a project into a re-export.
ADE no-shows, approval snags, missing bootstrap tokens, and profiles that "applied" but didn't — the Mac failure catalog.
Mac enrollment failures cluster along two seams — supply-chain issues at Setup Assistant, identity issues at sign-in — plus two Mac-only suspects: profile approval state and the bootstrap token. Triage in that order: supply chain, network, identity, then the Mac-specific state.
Step 1Supply chainSerial assigned in ABM, token sync run
Step 2NetworkCaptive portals and TLS inspection at Setup Assistant
Step 3IdentitySign-in issues at the identity layer
Work the ladder in order — each rung is cheap to check and rules out everything beneath it:
Confirm the serial is assigned. The Mac must be assigned to Intune's MDM server in ABM, and the token sync must have run since — check that the device appears in Intune's enrollment-program devices list with a profile before blaming anything else.
Check the network at Setup Assistant. Captive portals and TLS inspection break first contact with the activation and enrollment services; a staging VLAN with clean egress is the standard hedge.
Check date/time skew on long-shelved hardware — clock drift produces TLS failures with vague errors that look like anything except a clock.
Already activated past Setup Assistant?Erase All Content and Settings brings an Apple silicon Mac back to ADE in minutes — the legitimate fast fix, not an admission of defeat.
User-Approved Path: Approval Limbo
The Company Portal flow stalls when the user skipped the System Settings approval step — symptoms: enrolled-ish, but profiles won't land and the portal nags. Verify with profiles status -type enrollment (it states user-approved status plainly); the fix is finishing the approval, and the prevention is the three-screenshot guide.
The Mac-Specific Suspects
Bootstrap token missing (profiles status -type bootstraptoken) — breaks deep operations (DDM updates, some account flows) on Macs that enrolled through odd paths. ADE re-enrollment is the clean restoration.
Profile "applied" but behavior unchanged — check scope first (filters/groups), then ground truth on-device: sudo profiles show lists exactly what landed; if the payload's there and behavior isn't, the payload's keys are wrong for this OS version (custom-profile archaeology), not the delivery.
Stuck at "awaiting final configuration" — one of the await-config wave's profiles is failing to land; thin the wave on a test profile to bisect.
Verification After Any Fix
The clean retest is erase-to-ADE, not retry-in-place — partial enrollment state contaminates the second attempt and manufactures phantom bugs. Erase, re-enroll, and confirm profiles status -type enrollment reports the expected state before declaring the cause found.
Insights
Two commands answer 80% of "what is this Mac's state": profiles status -type enrollment and sudo profiles show. Put them in the helpdesk runbook verbatim.
profiles commands, the ManagedClient log stream, Intune agent logs, and install.log — where each Mac answer lives.
Mac diagnostics reward routing the question to the right source before reading anything: every class of question has one stream that answers it directly, and the skill is choosing the stream, not reading faster. The router table:
Question
Source
What's the enrollment/supervision/token state?
profiles status -type enrollment (+ -type bootstraptoken) — one paste ends the debate
What profiles actually landed, from where?
sudo profiles show — the device-side truth to diff against the portal's per-setting report
What is MDM doing right now?
Console.app filtered to subsystem com.apple.ManagedClient (the mdmclient stream) — watch a sync live: check‑ins, profile installs, declarations, errors with actual reasons
/var/log/install.log — the installer's own narrative; every PKG/DMG app type failure explains itself here
Is the agent stack healthy?
The triage sequence: PPPC grants → systemextensionsctl list → login items
Everything, for a support case
sysdiagnose — the Mac's everything-bundle; Company Portal also sends Intune-side logs with an incident ID from its Help menu
The Live-Watch Technique
The single most instructive Mac-admin hour: Console.app on com.apple.ManagedClient, then trigger a sync from Intune and watch — profile delivery, DDM declarations, errors in real prose. One live-watched sync converts MDM from folklore into observable mechanics — and the habit pays for itself on the first profile that "applied" without applying.
Remote Collection
No bench access? Company Portal's send-logs covers the Intune agent side remotely (incident ID for support), and the device blade's sync + per-profile reporting covers the server side. For the genuinely deep cases, talk a user through sysdiagnose (one keystroke chord or one Terminal line) — the bundle uploads anywhere and contains everything above.
Insights
install.log is the most under-visited file in Mac administration — app-install tickets that survive an hour of portal-staring die in three minutes of reading it.
Log with a question: the table is the router, and the answer is usually a dozen lines once you're in the right stream — aimless scrolling through the firehose is how afternoons disappear.
install.log archaeology, VPP ghosts, and PKG exit codes — the lane-by-lane triage for Mac app delivery.
Mac app failures triage by lane, because each deployment lane fails differently. Two questions open every investigation — was it assigned, did the device hear about it (sync health) — then the lane determines the rest.
Step 1Was it assigned?Scope and targeting before anything else
Step 2Did the device hear?Sync health — a quiet Mac installs nothing
Step 3Branch by laneVPP, PKG, or script — each fails differently
VPP Lane
The MDM commands an App Store install; failures cluster in three:
Store-side eligibility: app region/OS requirements vs the device's reality — check the store listing's OS and region requirements against the failing device before suspecting anything deeper
Stuck command states: an install command queued against a device that was asleep mid-flight — sync, re-evaluate, and only then escalate
PKG/LOB Lane
The installer ran and the OS wrote the story to install.log (/var/log/install.log — readable directly or via the unified-log tooling): every package, every script phase, every exit code. The triage pair:
Read the log's verdict — a nonzero exit names the failing phase; preinstall/postinstall script failures are the usual culprits and the log shows their output
Reproduce manually: run the same PKG via installer in a root shell on a test Mac — rehearse in the same root context management uses; what fails interactively with a visible error fails identically but silently under management
Installomator-class failures live in the script's own logging: download/verification failures (vendor URL moved, Team ID mismatch — the verification working), blocking-process deferrals reading as "never installed," and the recurring-sweep-reinstalled-it inversion during retirements.
install.log is the most underused file in Mac administration — it's been quietly recording every installation verdict all along, and the admin who reads it first skips forty minutes of guessing. Make it the runbook's literal first step for this ticket class.
Registration that never happens, token state that rots into prompt loops, and password drift after a reset — diagnosed with one command.
Platform SSO failures rarely look like identity problems. The reports are "Office keeps prompting," "the new Mac never asked me to register," and "my password works on the website but not on the Mac." All three trace back to one of three failure modes, and one command tells you which. Read the diagnostic surface first, then match the symptom to the mode below.
Diagnostic commandapp-sso platform -s (run as the signed-in user)
Log subsystemscom.apple.AppSSO · com.apple.ManagedClient in Console.app
Server-sideEntra ID › Sign-in logs (filter on the device and user)
The diagnostic surface
Run app-sso platform -s as the affected user before theorizing. It reports the real state: whether the device and user are registered, the device and user registration objects, token health, and the SSO extension configuration as the Mac actually sees it. One paste of its output settles most arguments faster than any amount of symptom description. For the why behind whatever state it shows, filter Console.app to com.apple.AppSSO (and com.apple.ManagedClient for the profile delivery side) — see the logging page's predicates.
1. Registration never happened
app-sso platform -s shows the device and/or user as not registered. The post-enrollment registration prompt is the load-bearing moment, and it usually fails by simply not appearing. Causes, in order:
The profile didn't land or didn't fire. Confirm the Single sign-on extension profile is present and applied: sudo profiles show should list the Platform SSO payload, and the ManagedClient stream shows its delivery. No profile, no prompt — if it's missing, this is a delivery problem first.
The user dismissed or deferred the prompt. Users defer the registration prompt indefinitely. Re-trigger it (sign out / sign in, or the configured re-prompt), and back it with comms during onboarding so registration is an expectation, not a surprise.
A stale Company Portal / SSO extension on an older image. Platform SSO depends on a current Company Portal and SSO extension build. On Macs imaged before the current enrollment kit, update those components.
Make the unregistered population a report, not a mystery: surface registration state through compliance policy.
2. Registered, but apps prompt in a loop
app-sso platform -s shows the device registered, but tokens are stale and apps re-prompt repeatedly. Network changes, long sleeps, password resets, or a Conditional Access policy change can all leave token state rotted. Work the escalation ladder, climbing only when the rung below fails — and capture the app-sso output at each step so you know what actually changed:
Re-authenticate. Trigger a fresh interactive sign-in in a prompting app; a successful sign-in often refreshes the token state on its own.
Refresh SSO state. Sign the user out and back in to force the extension to rebuild its token cache.
Re-register. The clean-slate move: remove the user registration and let the prompt re-run, re-establishing the registration objects from scratch.
3. Password drift after a reset
The "old password unlocks the Mac, the new one doesn't" window. In password-sync mode, the local account password and the Entra password can briefly diverge after an identity-side reset, because the local password only updates on the next online sign-in. The fix is exactly that: have the user sign in once while online (network reachable, at the login window or in an app) and the sync completes. The ticket disappears entirely if you tell users up front: after a password reset, sign in once while online before relying on the new password at the login window.
Insights
Distinguish SSO broken from access denied. A Conditional Access block presents to the user as a sign-in failure that looks identical to a broken SSO. The Entra sign-in logs name the blocking policy in one lookup — check them before re-registering, because a real fraction of "Platform SSO is down" reports are compliance findings doing their job.
Push reachability, captive networks, TLS inspection, and the connectivity floor under Mac management.
Every Mac management function — sync, app commands, remote actions — rides the same connectivity floor: APNs wakes the device, HTTPS carries the payload. When Macs go quiet or commands crawl, this floor is the first suspect, and its three legs fail in usefully distinguishable ways.
Intunequeues commands, serves payloads
→
APNsthe wake-up channel — 5223/443
→
Macfetches work over HTTPS
The Floor's Anatomy
The Mac maintains a persistent APNs connection (the 5223/443 story to Apple's push ranges); management pushes arrive as wake-ups; the MDM client then fetches work over HTTPS from Intune's service endpoints. Three legs — push, fetch, and Apple's own services (activation, VPP/App Store, update CDNs) — and each fails differently:
Push blocked: devices respond to nothing until they poll — the "sync from the portal does nothing, sync from the device works" signature
Fetch degraded: pushes arrive, payloads stall — large app deployments crawling while small profile changes land
Apple services strangled: installs and updates fail with store-flavored errors while management looks healthy
The Usual Network Suspects
TLS inspection: APNs and Apple services use certificate pinning — inspection breaks them by design; the fix is the inspection-bypass list from Apple's published hosts/ranges, delivered to the proxy team as architecture, not as a request
Captive portals and 802.1X gaps: the enrollment-day classic — pre-auth network states where the Mac can't reach anything; the open provisioning SSID hedge exists for this
Egress filtering by hostname-of-the-week: Apple's endpoints are ranges and evolving hostnames — allow by Apple's published requirements doc, reviewed on a calendar, not by whack-a-mole
Sleep semantics: a closed MacBook lid is not an incident — power-state awareness belongs in the stale-device thresholds, tuned per fleet so a long weekend doesn't read as an outage
The Verification Kit
Device-side: Apple's push-diagnostic surface and a curl-class reachability script against the documented endpoints — runnable by helpdesk, output pasteable into tickets. Fleet-side: check‑in distribution by network site — one office's Macs lagging is a firewall finding wearing a fleet costume.
Insights
Build the network requirements one-pager before the first escalation: Apple's ranges, Intune's endpoints, the no-inspection list, the ports — handed to network engineering as a standing artifact. Mac estates feel this acutely because Apple's certificate pinning makes inspection failures absolute rather than degraded — there is no "mostly working" APNs.
When the management stack becomes the workload — ES-subscriber contention, CPU triage, and the exclusion choreography.
"My Mac is slow since IT got it" is sometimes user folklore and sometimes precisely true: every Endpoint Security subscriber inspects every event, and a fleet running EDR + DLP + a legacy agent + an updater zoo has built a measurable tax. This page is the triage and the architecture answer.
The Triage
Name the consumer: Activity Monitor (or top via a diagnostic script for fleet-scale collection) during the complaint window — the offender is usually identifiable in sixty seconds, and "which process" splits the tree: a vendor agent burning CPU is a tuning/version finding; kernel-task-adjacent heat is often thermals or the OS mediating a misbehaving subscriber
Check the interaction, not just the agent: the classic pattern is two scanners scanning each other — EDR inspecting the backup tool's file sweep, DLP inspecting the EDR's logs — multiplicative load no single vendor's dashboard owns
The fix for scanner-on-scanner load is mutual exclusions, vendor-documented: each agent's paths/processes excluded from the others' inspection — per the vendors' published coexistence guidance, never improvised, because a hand-rolled exclusion is a detection hole with a performance excuse. Version the exclusion sets in the repo and revisit them when any agent majors.
Do
Name the consumer first — Activity Monitor during the complaint window
Apply mutual exclusions exactly as the vendors publish them
Correlate spikes with OS updates, agent waves, and sweep windows
Measure before and after — turn "feels slower" into a distribution
Don't
Improvise exclusions — a hand-rolled one is a detection hole with a performance excuse
Run two heavyweight ES subscribers in full mode
Leave a retired tool's orphaned daemon resident
The Architecture Answer
Standing load is a stack-design finding: the one-heavyweight-ES-subscriber doctrine, the agent-kit inventory as the registry of everything resident, and the retirement sweep actually removing what's decommissioned — the orphaned daemon from a retired tool is the purest form of pointless load. A fleet that can't list its resident agents can't reason about its baseline.
Insights
Measure before and after: a custom attribute sampling load/battery-impact indicators turns "feels slower" into a distribution — and turns your exclusion work into a before/after chart leadership understands.
The political note: performance is how security stacks lose user consent — the developer fleet especially will route around an agent that costs them build time. A tuned stack isn't a luxury; it's what keeps the coverage map honest.
Missing keys, failed enablement, and the locked-out morning — the FileVault failure catalog and its fixes.
Intune enables FileVault through a Disk encryption policy and escrows a personal recovery key (PRK) to the device record. Three things go wrong, and they need different fixes — so confirm which one you have before you touch the Mac. Start with two facts: what Intune thinks (device record → Recovery keys) and what the Mac knows (sudo fdesetup status).
Console pathEndpoint security › Disk encryption (macOS — FileVault)
Key escrowedPersonal recovery key (PRK), on the device record
Local truthsudo fdesetup status
Fleet viewReports › Encryption report
1. Policy says encrypt, but the Mac isn't encrypted
The Disk encryption profile is assigned and shows as applied, yet fdesetup status reports FileVault is Off. Work the causes in this order — cheapest first:
Enablement is deferred until the user signs out. FileVault can only turn on at a login-window event, so Intune arms it and waits. sudo fdesetup status will say "Deferred enablement appears to be active for user". This is normal — the user just hasn't logged out/restarted yet. Have them restart; if it must happen sooner, push a notification asking them to sign out.
The profile never actually landed. Confirm delivery before blaming FileVault: sudo profiles list should show the FileVault payload, and the policy should report Succeeded for the device. If it didn't arrive, this is a delivery problem — work enrollment and profile issues first.
The signed-in user has no secure token. FileVault enablement requires a secure-token holder; users created by some scripted/automated provisioning paths don't get one. Check with sysadminctl -secureTokenStatus <username>. If it's DISABLED, grant it (an existing token-holder runs sysadminctl -secureTokenON <username> -password -) — this is a bench fix, not a policy fix.
Across the fleet, the Encryption report (Reports › Encryption report, or pull it via Graph) lists every Mac's encryption and key-escrow state — that's how you find the stragglers without touching each device.
2. The Mac is encrypted, but no key is in escrow
The quiet, dangerous one: fdesetup status says FileVault is On, but the device record's Recovery keys tab is empty. You have encryption with no recovery path. Two common causes:
The Mac was encrypted before Intune managed it — common after a Jamf-to-Intune migration. The key was escrowed to the old MDM (or to a user's iCloud, or nowhere Intune can see).
A recovery key rotated but didn't re-escrow — the disk is encrypted with a key Intune doesn't hold.
The fix is to generate a new personal recovery key and escrow it. Intune does this automatically once the FileVault profile reapplies at a login event, but for already-encrypted Macs the reliable, hands-off way is the open-source Escrow Buddy (a login-window authorization plugin) deployed as a package: it regenerates and escrows the PRK at the next login for exactly the gap population the Encryption report identifies. See the open-source toolbox. Track escrow coverage (encrypted Macs with a key in Intune ÷ all encrypted Macs) and drive it to 100% — re-check it after any migration.
3. A user is locked out at the pre-boot screen
Forgotten password, or an account that lost its secure token. The user is stuck at the FileVault pre-boot login and can't reach the desktop. The recovery flow:
Retrieve the personal recovery key. In Intune, open the device → Recovery keys → show the FileVault personal recovery key. This is RBAC-gated and audit-logged — only roles with the Get FileVault key permission can read it, and every read is recorded.
Unlock the disk. At the pre-boot screen the user presses the ? next to the password field, then enters the recovery key. macOS boots and prompts them to set a new password for the account.
Set the new password and confirm they can sign in normally on the next restart.
Confirm the key rotated and re-escrowed. A used recovery key should be considered burned. Trigger a rotation (reapply the policy / next login with Escrow Buddy in place) and verify a new key now shows on the device record — otherwise you've quietly slid back into problem #2.
Rehearse this once a quarter on a test Mac so the first time you do it for real isn't live.
Verify a Mac is fully covered
On the Mac:sudo fdesetup status → FileVault is On, and fdesetup haspersonalrecoverykey → true.
In Intune: the device's Recovery keys tab shows a personal recovery key, and the Disk encryption policy reports Succeeded.
Fleet-wide: the Encryption report shows the device as encrypted with a key escrowed — both columns, not just the first.
Insights
Encryption coverage and escrow coverage are two different numbers. A Mac that's encrypted but has no key in Intune looks green on "encrypted" and is a disaster waiting for a forgotten password. Report on the escrowed-key percentage, not just the encrypted percentage.
Why a Mac sits past its DDM update deadline — and how to tell which of four causes you actually have before touching the device.
When a Mac doesn't move to its target version, the cause is almost always one of four things, and the fixes don't overlap — so confirm which one you have first. Start with two facts: what Intune declared (the DDM software-update policy — target version and deadline) and what the Mac knows (softwareupdate --list and the update logs). The four causes, in the order they're worth checking:
Fleet viewReports > Device compliance, and the per-device hardware inventory (model, OS, free storage)
Local truthsoftwareupdate --list · /var/log/install.log
Silicon prerequisiteBootstrap token escrowed (sudo profiles status -type bootstraptoken)
1. The deadline hasn't passed, or the declaration never arrived
Before treating a Mac as failing, confirm it is actually overdue and that it heard the deadline at all. A Mac inside its enforcement window is compliant, not broken.
Check the policy math. Compare the target version and the enforced-install deadline in the update policy against today's date. DDM enforcement windows are designs — a device inside the window simply hasn't been forced yet.
Confirm the declaration reached the device. A Mac that hasn't checked in hasn't received the update declaration. Verify recent check-in on the device record, then watch the declaration land on-device: Console.app filtered to subsystem com.apple.ManagedClient shows the software-update declaration arriving and its status. If the Mac is quiet, this is a connectivity problem — work network and APNs issues first.
Confirm the bootstrap token is escrowed. On Apple silicon, MDM-driven updates need the bootstrap token to authorize the install without a user password. Check with sudo profiles status -type bootstraptoken; if it's missing, no amount of deadline pressure will install the update — restore it via ADE re-enrollment or by having a secure-token user run sudo profiles install -type bootstraptoken.
2. The Mac can't take the target version
The declaration arrived and the deadline passed, but the update still won't install because the device is ineligible. Two common reasons:
The hardware aged out of the release. The target major doesn't support this model — confirm against Apple's supported-models list for that release. This is a refresh-planning problem, not a delivery one; exclude the model from the policy or replace the device.
Storage starvation. A macOS major upgrade needs substantial free space (Apple typically wants well over 20 GB free, more for the download plus install). The 128 GB Macs are the usual stragglers. Confirm on-device with df -h /System/Volumes/Data; pre-sort the fleet by the free-storage column in hardware inventory. Because the sync-first data posture keeps user files in OneDrive, clearing local space is usually safe — but verify sync coverage before deleting anything.
3. The conditions for an automatic install are never met
The Mac is eligible and has heard the deadline, but the install never fires because macOS requires power and connectivity it never gets.
Never on AC power. macOS will not begin a major update on battery. The desk-drawer MacBook that's never plugged in overnight never installs. Confirm by reading the deferral reason in /var/log/install.log and the ManagedClient stream.
The download never completes. A multi-gigabyte installer that loses to an evening VPN or a saturated link never finishes. Sites without content caching feel this hardest — stand up a caching server, or stage the update during a window with bandwidth.
DDM escalates pressure (and finally forces a restart) as the deadline nears, but if the conditions are structurally absent, fix the conditions. Pair the deadline with a user-facing heads-up — a Nudge prompt or a swiftDialog message — so the eventual forced restart isn't a surprise.
4. The update mechanism is genuinely wedged
Eligible, powered, connected, past deadline — and still stuck. The update daemons are in a bad state or a partial download won't clear. Work the ladder:
Restart the Mac. This clears most wedged-daemon and stuck-download states on its own.
Inspect and clear the download. Read /var/log/install.log and the ManagedClient stream for the actual failure; softwareupdate --list confirms whether the Mac still sees the update as available. Re-trigger from Intune after the restart.
Scripted reinstall. For the stubborn cases, a tool like erase-install downloads a fresh installer and reinstalls macOS in place — the scripted rung of the recovery ladder.
Rebuild. On a sync-first fleet, a Mac that has resisted an hour of update surgery is a rebuild decision: Erase All Content and Settings returns an Apple silicon Mac to a clean state in minutes. See re-enrollment and recovery.
Read the pattern across the fleet
Before chasing individual devices, look at the shape of the lag in the compliance and inventory reports — it usually names the cause:
One model lagging → eligibility (cause 2).
One site lagging → bandwidth / missing content caching (cause 3).
One enrollment ring or cohort lagging → declaration delivery (cause 1).
Scattered individuals → conditions and wedges (causes 3 and 4).
Insights
Diagnose from the report, confirm on the bench. The distribution tells you which of the four causes you're looking at faster than any single device will — but the actual fix still gets verified in install.log and the ManagedClient stream on the device.
Twenty-plus vetted projects from the Mac Admins ecosystem — the richest open-source bench in endpoint management.
The Mac admin's open-source shelf — the MacAdmins deployment canon, software-update enforcement, security and identity, end-user experience, plus the cross-platform Intune core.
Looking for everything across platforms? Browse the central Open-Source Toolbox — all 144 tools in one filterable, searchable place.
🧰 Intune core & tenant automation
Tenant-wide Graph automation, config-as-code, backup, and assignment analysis.
ugurkocde/IntuneAutomation — Curated library of ready-to-run Microsoft Graph PowerShell scripts (and Azure Automation runbooks) for Intune device operations, app management, compliance reporting, and monitoring.
MG-Cloudflow/Intune-Toolkit — WPF/PowerShell GUI to view and bulk-manage Intune policy and app assignments, audit what a security group has assigned, and back up/restore/document configurations.
Microsoft365DSC/Microsoft365DSC — PowerShell Desired State Configuration module that extracts, deploys, and continuously monitors full-fidelity Microsoft 365 (including Intune, Entra, and CA) tenant config as code, flagging and remediating drift.
Azure/enterprise-azure-policy-as-code — EPAC manages Azure Policy and policy assignments/exemptions as code in Git with CI/CD plan-and-deploy pipelines, giving admins desired-state governance and compliance enforcement at scale.
merill/graphxray — Browser DevTools extension that captures the Microsoft Graph calls behind clicks in the Entra/Intune portals and auto-generates equivalent PowerShell, C#, Java, or Go, so admins can script any portal action.
microsoft/EntraExporter — Microsoft PowerShell module that exports an entire Entra/Azure AD tenant configuration to versionable JSON files for Git-based backup, change tracking, and audit of identity and CA policies.
microsoftgraph/msgraph-bicep-types — Microsoft Graph Bicep extension that lets admins declare Entra/Graph resources (groups, apps, service principals) as Infrastructure-as-Code in Bicep templates alongside Azure resources.
microsoftgraph/msgraph-sdk-python — Microsoft's actively maintained Python SDK for Microsoft Graph, used to script tenant-wide Intune/Entra automation and reporting from Python instead of PowerShell.
DanielChronlund/DCToolbox — PowerShell module for Microsoft 365 security work, with cmdlets to export/import and bulk-deploy Conditional Access policies as JSON for managing CA as code across tenants.
fleetdm/fleet — MIT-licensed open-source cross-platform device management platform built on osquery and Apple's native MDM/DDM, letting admins manage profiles, OS updates, software, and CIS-benchmark compliance from one GitOps/API workflow alongside (or instead of) Intune.
micromdm/nanocmd — Go library and reference server that abstracts Apple MDM v1 commands into reusable workflows, useful for building automated command sequences against NanoMDM for older devices where declarative management isn't available.
cmdmnt/commandment — A full open-source Apple MDM server (Python/TypeScript) for enrolling and managing iOS and macOS devices, useful as a self-hostable reference MDM for labs and protocol study.
petarov/apple-mdm-clients — Java client libraries for Apple's Device Assignment (ABM/ADE/DEP) and legacy App-and-Book (VPP) management APIs, letting admins automate device assignment and license workflows from JVM tooling.
ProfileManifests/ProfileManifests — Community preference-manifest repository for Apple system and third-party app settings that powers ProfileCreator and iMazing Profile Editor, giving admins up-to-date payload keys for building configuration profiles.
🛠️ MDM internals & provisioning
MDM servers, enrollment, Autopilot/ADE, imaging, and profile authoring.
macadmins/outset — boot/login script orchestration; structure for everything that must run at the right moment
macadmins/contour — Apple device-management configuration toolkit (Rust) that validates, normalizes, and generates .mobileconfig profiles and DDM JSON declarations against Apple's embedded schema, so admins can author and lint Intune-deployable profiles/declarations offline and in CI.
micromdm/nanodep — Go tools and library (depserver reverse proxy, depsyncer) for talking to Apple's DEP/ADE API, letting admins script Automated Device Enrollment profile assignment and device sync against Apple Business/School Manager.
ProfileCreator/Configuration-Profile-Reference — A version-controlled Markdown mirror of Apple's Configuration Profile Reference, letting admins diff exactly which profile payload keys changed between OS releases (which Apple's docs don't surface).
📦 App packaging & delivery
Build, package, wrap, and ship apps — Win32, PKG, VPP, winget, and CI pipelines.
autopkg/autopkg — recipe-driven app packaging automation; the upstream of many a pipeline
ugurkocde/IntuneBrew — PowerShell tool that automates downloading, packaging, and uploading 1,200+ macOS apps (.pkg/.dmg) to Intune with metadata, icons, and automatic version/update detection.
ennnbeee/IntuneAppAssigner — Interactive PowerShell tool for bulk-assigning or replacing app assignments (including Apple VPP/license assignment) across Android, iOS, macOS, and Windows apps in Intune.
scriptingosx/quickpkg — Command-line tool that quickly builds a signed, properly versioned .pkg from an installed app, dmg, zip, or xip, giving admins a fast way to repackage software for Intune macOS app delivery without a full AutoPkg pipeline.
mas-cli/mas — MIT-licensed CLI for the Mac App Store that scripts search, install, and update of App Store apps, useful in Intune shell-script and onboarding workflows to provision MAS software non-interactively.
hjuutilainen/munkiadmin — Native macOS GUI for managing Munki repositories (pkginfo, catalogs, manifests) without hand-editing plists, useful for admins who run Munki as a self-service software layer beside Intune MDM.
notverypc/AutoPromo — Tool that automatically promotes apps between Munki catalogs (e.g. testing to production) based on pkginfo metadata, automating staged software rollout in AutoPkg/Munki pipelines that complement Intune deployment rings.
🔄 Updates, drivers & remediation
OS and driver updates, patch compliance, drift, and self-healing remediations.
ninxsoft/Mist — fetch MacOS installers/firmware on demand
dan-snelson/DDM-OS-Reminder — MDM-agnostic swiftDialog/LaunchDaemon tool that surfaces Apple DDM-enforced macOS update deadlines to end users with clear, localized reminders, filling the gap left by Apple's subtle native DDM notifications as Intune moves update enforcement to DDM.
huexley/DDMStatus — Lightweight macOS menu-bar app that reads install.log and shows the live Apple DDM update enforcement status (deadline, required version, days remaining) so users and admins can see at a glance whether a DDM-pushed macOS update is pending.
🛡️ Security, hardening & identity
Baselines, hardening, app vetting, Conditional Access, and identity posture.
maester365/maester — PowerShell test-automation framework that runs hundreds of curated security checks (EIDSCA, CISA SCuBA, CIS) against a tenant's identity, device, and app config and alerts on drift via GitHub Actions or Azure DevOps.
cisagov/ScubaGear — CISA's PowerShell tool that assesses a Microsoft 365 tenant against the SCuBA secure-configuration baselines (incl. Entra/CA) using Open Policy Agent and outputs HTML/JSON/CSV compliance reports.
Cloud-Architekt/EntraOps — PowerShell/DevOps project that classifies and monitors privileged access across Entra RBAC systems using Microsoft's Enterprise Access Model, helping admins identify and protect over-privileged identities.
jamf/aftermath — Swift-based open-source macOS incident-response framework from Jamf Threat Labs that collects and analyzes forensic artifacts (logs, browser data, persistence, processes) on a compromised Mac, deployable via Intune for DFIR triage.
dafthack/MFASweep — PowerShell script that logs a test account into many Microsoft endpoints (Graph, ARM, EWS, web, ActiveSync, ADFS) to reveal protocols and Conditional Access gaps where MFA is not actually enforced.
CompassSecurity/EntraFalcon — Lightweight PowerShell tool that enumerates Entra ID privileged objects, risky role/app assignments and misconfigurations into interactive HTML reports, letting admins audit identity attack surface with no extra modules or Graph consent.
silverhack/monkey365 — Self-contained PowerShell security-assessment framework with 200+ checks for M365, Azure and Entra ID, scoring tenant configuration against CIS and best-practice benchmarks in a single HTML report for admins.
kayasax/EasyPIM — PowerShell module that manages Entra PIM role, group and Azure-resource settings and assignments as code, with drift detection, WhatIf and audit reporting so admins can govern privileged access without raw ARM/Graph calls.
🔬 Diagnostics & device control
Logs, device queries, remote control, and lab / emulation.
utmapp/UTM — MacOS VMs on Apple silicon; the lab in a window
JayRHa/IntuneDeviceTroubleshooter — WPF/PowerShell troubleshooting console giving a unified Intune+Entra device view with built-in actions (sync/restart), actionable recommendations, and one-click remediation triggering.
ninxsoft/LowProfile — Free macOS app that inspects Apple configuration-profile payloads (including signed ones) and flags deprecated or duplicate keys, helping admins debug and validate the .mobileconfig profiles they deploy through Intune.
jessepeterson/mdmb — Simulates fake Apple devices enrolling and checking in with an MDM server, so admins can load-test, protocol-test, and validate their MDM infrastructure without real hardware.
📊 Reporting & monitoring
Dashboards, KQL packs, Power BI, and inventory reporting.
SMSAgentSoftware/IntuneAssignmentsReport — Azure Automation + Power BI reporting solution that pulls all Intune assignments (25+ item types) from Graph into a dashboard so admins can audit what is assigned where.
merill/idPowerToys — Generates a PowerPoint document of a tenant's Conditional Access policies so admins can review, share, and audit CA design without granting portal access.
AzureAD/AzureADAssessment — Microsoft's PowerShell tooling that collects Entra/Azure AD tenant configuration and hybrid component data and produces Power BI assessment reports on identity, app, and Conditional Access posture.
petripaavola/IntuneDeviceDetailsGUI — PowerShell tool that produces searchable HTML 'Resultant Set of Policy' reports for a device, surfacing assigned apps, policy conflicts, Win32 detection scripts, BitLocker keys, and LAPS for fast troubleshooting.
munkireport/munkireport-php — Modular open-source reporting dashboard for macOS fleets (works standalone or alongside Munki, Jamf, or Intune) surfacing hardware, disk, FileVault, profile, and patch-status data the Intune console doesn't expose at that depth.
ugurkocde/IntuneMonitoring — Deploy-in-seconds Azure Workbook that gives a single-pane-of-glass view of device health, enrollment, compliance and app deployment across the tenant without an app registration.
ugurkocde/KQL_Intune — Curated library of KQL queries and Azure Workbooks (Audit, Compliance, Device, Operational) for analyzing Intune diagnostic data piped into a Log Analytics workspace.
haavarstein/intune-dashboard — Client-side browser dashboard that inspects a live tenant via Graph (managed devices, app deployments, BitLocker, compliance, Win11 readiness) or visualizes CSV exports with no backend.
JayRHa/PowerBiDashboards — Ready-made Power BI (.pbix) dashboard templates for Microsoft Intune endpoint analytics and device-management reporting.
PowerStacks-BI/BI-for-Intune — Open-source Power BI template collection (Intune KPI, Support Desk, Windows 11 Migration Tracker, Windows Update for Business) for building Intune executive and operational reports.
microsoft/intune-tenant-doc — Microsoft-published PowerShell script that connects to any tenant via read-only Graph and exports a full Intune configuration inventory as per-platform and combined Markdown documentation.
✨ End-user experience
Dialogs, self-service hubs, and quality-of-life for users.
macadmins/SupportCompanion — Open-source macOS end-user helper app providing a menu-bar self-service hub for device info, app inventory, pending patches, knowledge-base links, and one-click admin actions, integrable with Intune Company Portal to cut help-desk tickets.
Insights
Adoption rule for anything on this shelf: read the source of what you run before you run it, pin versions, and treat community tooling with tenant write-access like the privileged code it is — repo-versioned, reviewed, least-privilege app registrations.
Architecture Corner
RBAC and Scope Tags
Delegated administration that survives growth — roles decide what admins can do, scope tags decide what they can see.
The single-admin tenant doesn't scale past one site, one acquisition, or one bad day. Intune's answer is two orthogonal controls — design both before you need them.
The Two Axes
Control
Question it answers
Mechanism
Role (RBAC)
What actions can this admin perform?
Built-in or custom roles with granular permissions
Scope tag
Which objects can this admin see and touch?
Tags stamped on devices, policies, apps, profiles
An admin's effective access = role permissions ∩ objects bearing their scope tags.
Roles — Start Built-In
Help Desk Operator: view everything in scope, run remote actions (sync, restart, remote lock) — the tier-1 workhorse; no policy editing.
Policy and Profile Manager: configuration authoring without tenant-wide settings.
Read Only Operator: auditors, NOC dashboards.
Custom roles only when a real gap appears (e.g., "may wipe but not delete") — every custom role is documentation debt.
Assign roles to Entra groups, never individuals, with the assignment's scope groups limiting which users/devices the role acts on.
Scope Tags in Practice
Create tags per administrative boundary: Site-Indianapolis, BU-Healthcare, Region-EMEA.
Devices inherit tags automatically from their enrollment profile — set the tag on the enrollment profile and every device enrolling through it is born correctly tagged. This is the linchpin; manual tagging never keeps up.
Tag policies/apps to match. An object with no tag carries Default — visible to everyone holding Default, which is why step 4 matters:
Remove the Default tag from delegated admins' role assignments, or the whole model is decorative.
A Pattern That Scales
Central platform team: full roles + Default tag — owns baselines, the tenant-wide connectors and service tokens, and this site's Graph automation.
Site/BU IT: Help Desk Operator + their site tag — they service their devices, can't see anyone else's, can't break the baseline.
Connectors stay central, always. Tenant-wide connectors and certificates exist exactly once per tenant; their blast radius is every enrolled device, not one site. Delegation stops at the connector layer.
Do
Assign roles to Entra groups, never individuals
Set scope tags on enrollment profiles so devices are born tagged
Keep tenant-wide connectors and service tokens with the central team
Don't
Leave the Default tag on delegated admins' role assignments
Create custom roles before a real gap appears
Promise data isolation in reports before validating the monitor blades
Insights
Audit logs record actor + action — RBAC makes the log mean something when HR calls.
Scope tags don't partition reports as cleanly as objects; validate what delegated admins see in monitor blades before promising data isolation.
Acquisitions: tag the acquired fleet on day one (their own enrollment profiles → automatic tags) and you can delegate their legacy IT safely while integration proceeds.
The honest playbook for crossing to Intune — per platform, because the bridge is different on each.
The first truth of MDM migration: on mobile platforms, a device holds one management profile — no co-management, no silent hand-off; every device crosses via unenrollment + re-enrollment, and your job is making that crossing boring. The desktop platforms each bend that truth their own way. Universal regardless of fleet: inventory before touching anything — export the old MDM's device list and reconcile it against your enrollment source of truth, because every migration surfaces devices nobody knew existed, and you want to find them on paper, not at wipe time.
Corporate / ADE devices — the wipe wave
In ABM, reassign serials from the old MDM server entry to the Intune server entry (token setup).
Wipe (from the old MDM, or hands-on). At activation, the device hits the Remote Management screen pointing at Intune — supervised, locked, clean.
User signs in via Setup Assistant modern auth; VPP apps and policy land; done.
Cost: on-device app data is lost (managed-app cloud data survives — Outlook/Teams/OneDrive rehydrate). Communicate exactly that, nothing softer.
BYOD / unsupervised — user-driven
Old profile removed by the user (or retired by the old MDM) → enroll fresh via account-driven or web-based enrollment. Carrot beats stick: gate access on Intune compliance via Conditional Accessafter a generous migration window, and the long tail migrates itself.
Sequencing the Shared Dependencies
Asset
Constraint
Move
VPP location token
Lives in exactly one MDM at a time
Either migrate the location token at cutover (apps under it stop deploying from the old MDM), or use a second ABM Location for Intune during transition and shift licenses between locations
New token for Intune; reassign devices in ABM in waves
Conditional Access
The enforcement cutover
Run "compliant in old MDM or Intune" during transition if the old MDM has a compliance connector; otherwise date-based cutover with loud comms
Watch Activation Lock: clear it via the old MDM's bypass codes before wiping devices it manages — Intune has no codes for devices it never supervised.
Android's crossing runs the same one-profile law, with mode-specific bridges:
Legacy device administrator fleets — there is no in-place path; the device admin → Android Enterprise migration is a re-enrollment program of its own, and it's overdue by definition.
Corporate AE devices (fully managed, dedicated): factory reset → re-provision against Intune via QR / zero-touch. In the zero-touch portal, repoint the configuration at Intune first so resets land in the right console automatically; for dedicated fleets, stage by site with spare devices absorbing the swap.
Work profile BYOD: the gentlest crossing — old work profile removed (user or old MDM), fresh work-profile enrollment from Company Portal; personal data never in play. Same carrot: Conditional Access enforcement after the window.
Managed Google Play: bind your enterprise to Intune and re-approve the app catalog; private apps move with the enterprise binding, and app configuration policies are rebuilt against the new console, not exported.
Windows is the exception to the one-profile law — it has an actual bridge:
From ConfigMgr: co-management attaches both consoles to the same device and slides workloads to Intune one at a time — compliance first, then updates, then apps — with a pilot collection in front of every slide. No wipe, no re-enrollment; the migration is a sequence of workload decisions.
From a third-party MDM: unenroll from the old agent, then enroll via auto-enrollment (Entra-joined devices pick management up nearly silently) — or treat the migration as the hardware-refresh moment and let Autopilot deliver the clean target state instead of carrying the old image's sins forward.
Domain-joined estates: the real decision is identity, not MDM — Entra join vs. hybrid sets the ceiling on everything after; migrate to the target join state, not a mirror of the old one.
The Mac crossing runs the same ABM-reassignment mechanics as any Apple fleet — and since most arrivals come from Jamf, the real project is translation:
ADE Macs: reassign serials to Intune's MDM server entry in ABM, then erase (EACS makes this a 10-minute return-to-service, not a rebuild) → Setup Assistant lands enrollment, bootstrap token escrows, policy flows.
FileVault: recovery keys do not migrate — plan a re-escrow wave immediately post-enrollment and measure escrow coverage before declaring any Mac migrated.
The agent kit (PPPC, system extensions, login items) must be staged in Intune before the first wave, or security tooling greets migrated users with permission prompts.
Wave Plan That Works
Ring 0 (IT, 1 week): every enrollment path, every app, every crossing pattern you'll use.
Ring 1 (one site/department): real users, real helpdesk load data — staff the desk off this number.
Waves by site: corporate-device batches sized to helpdesk capacity (200–500 devices/wave is typical), BYOD self-service in parallel.
Cleanup: old MDM read-only for 30–60 days (audit trail, stragglers), then decommission and release its service tokens.
Do
Export and reconcile the old MDM's inventory before touching anything
Size corporate-device waves to helpdesk capacity
Keep the old MDM read-only for 30–60 days before decommissioning
Don't
Lift-and-shift the old design — migrate to the target state
Discover unknown devices at wipe time instead of on paper
Release the old MDM's service tokens while stragglers remain
Insights
The migration is the once-a-decade chance to fix sins: enrollment types, naming, scope tags, baseline hygiene. Migrate to the target design, never lift-and-shift the old mess.
Running endpoint management in GCC, GCC High, and DoD — what changes, what doesn't, and how to write scripts that survive both worlds.
Government and sovereign-cloud tenants run the same Intune with different plumbing and a delayed feature train. If you operate in (or sell into) these environments, internalize the deltas.
The Environments
Environment
Identity / Graph endpoints
Notes
Commercial
login.microsoftonline.com / graph.microsoft.com
The default everything on this site assumes
GCC (Moderate)
Commercial endpoints, compliance-bounded tenant
Closest to commercial behavior
GCC High
login.microsoftonline.us / graph.microsoft.us
Separate cloud; separate endpoints everywhere
DoD
login.microsoftonline.us / dod-graph.microsoft.us
As above, stricter
The Apple side is identical in all of them: same ABM, same APNs (devices still need the standard Apple network paths), same VPP. Apple doesn't have a "gov cloud" — your sovereignty boundary is on the Microsoft half.
Feature Lag Is Real
New Intune capabilities ship commercial-first and reach GCC High/DoD later — sometimes weeks, sometimes quarters. Operating rules:
Before designing around anything recent (new enrollment types, fresh Settings Catalog payloads), check Microsoft's Intune for US Government feature parity documentation rather than assuming the blog post applies to you.
Pilot in the actual target cloud. A commercial demo tenant proves nothing about your GCC High reality.
Write Cloud-Portable Automation
Hardcoded graph.microsoft.com is the classic landmine — scripts work in the lab, fail mysteriously in the customer's GCC High tenant. Parameterize the base URLs in every script (this site's foundation pattern adapts in two lines):
Token endpoint: https://login.microsoftonline.us/<tenant> for GCC High/DoD
Scope: https://graph.microsoft.us/.default to match
Same applies to anything anchoring on product release channels or rings — government clouds can trail, so version-anchored automation (update enforcement targets, app version checks) should read the environment's actual current state rather than assuming worldwide release timing.
Do
Parameterize token and Graph base URLs in every script
Pilot in the actual target cloud
Check the US Government feature-parity doc before designing around new capabilities
Don't
Hardcode graph.microsoft.com
Treat a commercial demo tenant as proof of GCC High behavior
Reuse app registrations or credentials across clouds
Insights
Documentation links in vendor blogs default to commercial portal URLs; your portal is intune.microsoft.us-side — train new admins early or they'll "lose" the tenant weekly.
Compliance frameworks (FedRAMP High, IL4/IL5) constrain connectors and integrations more than core MDM — every third-party MTD/telecom/reporting integration needs its own authorization story before it touches the tenant.
Mixed-estate consultancies: keep separate app registrations and credential vaults per cloud. Cross-cloud credential reuse is both impossible and an audit finding for trying.
Federation, directory sync, and the personal-Apple-ID conflict problem — identity decisions that shape your whole Apple estate.
Managed Apple Accounts (MAAs) are org-owned Apple identities issued through ABM. Several capabilities simply don't exist without them — decide your MAA posture early, because retrofitting identity is the worst kind of project.
Identity typeOrg-owned Apple Accounts issued through ABM
FederationMicrosoft Entra ID — work credentials, Conditional Access, MFA
If you're in the last row and staying there, your MAA strategy can legitimately be "none yet." Write that down as a decision, not an accident.
Federation: Make Apple Sign-In = Work Sign-In
ABM > Settings > Accounts (Managed Apple Accounts): federate with Microsoft Entra ID. Users authenticate to Apple services with their existing work credentials — your Conditional Access and MFA apply, no second password is born, offboarding disables the Apple identity with the Entra account.
Add directory sync (SCIM) from Entra ID so MAAs provision/deprovision automatically rather than on first sign-in — at scale, lifecycle automation is the difference between an identity system and a pile of accounts.
Entra IDwork credentials, Conditional Access, MFA
→
ABMissues Managed Apple Accounts
→
Apple servicesoffboarding follows the Entra account
The Domain-Capture Conflict
Federating a domain triggers Apple's conflict handling for personal Apple IDs already using work email addresses — and there are always more than anyone expects. Affected users are prompted to change their personal Apple ID's email (their purchases and data follow the renamed personal account; nothing is seized).
Run this as a managed mini-project, not a checkbox:
Check the conflict count first. ABM shows how many personal accounts are using your domain before you commit — get the number, then size the communication effort to it.
Announce with a runway. Tell affected users what is coming, what they need to do, and when — well before anything changes for them.
Publish a one-page FAQ answering the only question users actually care about: "what happens to my apps and purchases?" (They follow the renamed personal account; nothing is seized.)
Then flip federation. Surprise-federating a domain is how Apple identity projects acquire a bad reputation that outlives the project.
Insights
MAAs are deliberately constrained consumer-wise (limited purchasing, controlled iCloud scope) — that's the point; they're work identities. Set user expectations accordingly.
iCloud storage for MAAs and managed-account data separation on personal devices both flow from ABM-side settings — review them as policy decisions, not defaults.
Username format: match UPNs exactly. Every divergence between Entra UPN and MAA identifier becomes a helpdesk ticket with your name in the post-mortem.
App registration to first authenticated call — the PowerShell foundation every script on this site builds on.
Whatever platform your fleet runs on, your tenant can be automated end to end through Microsoft Graph. Every script in this section is plain PowerShell calling the REST API directly: no SDK modules, no dependencies, runs identically on PowerShell 5.1, PowerShell 7, and Azure Automation.
RequiresEntra app registration with application permissions
AuthClient credentials — secret for testing, certificate or Managed Identity in production
App inventory, app licensing, and install-status reports
DeviceManagementServiceConfig.Read.All
APNs certificate, ADE tokens
Grant admin consent.
Certificates & secrets: create a client secret for testing. For production, use a certificate or run from Azure Automation with a Managed Identity — secrets in scheduled scripts are how breaches start.
The Foundation Script
Save this as GraphFoundation.ps1 — every other script on this site embeds these two functions.
Scriptclient credentials
→
login.microsoftonline.comreturns the bearer token
→
graph.microsoft.compaged GETs, auto-retry on 429
<#
.SYNOPSIS
Foundation for Microsoft Graph automation - pure REST, no module dependencies.
Authenticates with client credentials and provides a Graph request wrapper
with automatic paging and throttling (429) handling.
.NOTES
Permissions: assign per-script least privilege (see table on this page).
Production: prefer certificate credentials or a Managed Identity over secrets.
#>
[CmdletBinding()]
param(
[Parameter(Mandatory)] [string]$TenantId,
[Parameter(Mandatory)] [string]$ClientId,
[Parameter(Mandatory)] [string]$ClientSecret
)
function Get-GraphToken {
param(
[Parameter(Mandatory)] [string]$TenantId,
[Parameter(Mandatory)] [string]$ClientId,
[Parameter(Mandatory)] [string]$ClientSecret
)
$body = @{
client_id = $ClientId
client_secret = $ClientSecret
scope = 'https://graph.microsoft.com/.default'
grant_type = 'client_credentials'
}
$tokenResponse = Invoke-RestMethod -Method POST `
-Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
-ContentType 'application/x-www-form-urlencoded' `
-Body $body
return $tokenResponse.access_token
}
function Invoke-GraphRequest {
<#
GET: follows @odata.nextLink paging and returns all results.
POST/PATCH/DELETE: returns the response (often empty / 204).
Retries automatically on 429 using the Retry-After header.
#>
param(
[Parameter(Mandatory)] [string]$Uri,
[ValidateSet('GET', 'POST', 'PATCH', 'DELETE')] [string]$Method = 'GET',
$Body = $null
)
$results = [System.Collections.Generic.List[object]]::new()
$nextUri = $Uri
while ($nextUri) {
try {
$params = @{
Method = $Method
Uri = $nextUri
Headers = @{ Authorization = "Bearer $script:GraphToken" }
ErrorAction = 'Stop'
}
if ($null -ne $Body) {
$params.Body = $Body | ConvertTo-Json -Depth 10
$params.ContentType = 'application/json'
}
$response = Invoke-RestMethod @params
if ($null -ne $response.value) {
$results.AddRange(@($response.value))
}
elseif ($null -ne $response -and $response -ne '') {
$results.Add($response)
}
$nextUri = $response.'@odata.nextLink'
}
catch {
$statusCode = $null
try { $statusCode = [int]$_.Exception.Response.StatusCode } catch { }
if ($statusCode -eq 429) {
$retryAfter = 10
try {
$retryAfter = [int]@($_.Exception.Response.Headers.GetValues('Retry-After'))[0]
}
catch { }
Write-Warning "Throttled by Graph (429). Waiting $retryAfter seconds..."
Start-Sleep -Seconds $retryAfter
continue # retry the same URI
}
throw
}
}
return $results
}
# --- Demo: your fleet at a glance, grouped by OS ---
$script:GraphToken = Get-GraphToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices" +
"?`$select=id,deviceName,operatingSystem,osVersion,lastSyncDateTime&`$top=1000"
$devices = Invoke-GraphRequest -Uri $uri
Write-Host "Found $($devices.Count) managed devices." -ForegroundColor Cyan
$devices | Group-Object operatingSystem | Sort-Object Count -Descending |
Format-Table @{ n = 'Platform'; e = { $_.Name } }, Count -AutoSize
Things Worth Knowing Before You Script
Know your operatingSystem filter values. Each platform's collection on Useful Graph Calls lists the exact strings and quirks for that fleet.
$select everything you report on. Unselected calls return fat objects; at fleet scale that's real time and real throttling exposure.
v1.0 vs beta: stay on v1.0 unless a property forces you to beta — beta contracts change without notice. Each script page notes when beta is required.
Test in Graph Explorer first. Paste the URI, see the shape of the data, then script it.
Export your entire iOS/iPadOS fleet to CSV — supervision, compliance, OS spread, storage, and sync health in one pass.
The report you'll run weekly: every iOS/iPadOS device with the fields that actually drive decisions, plus console summaries of OS version spread, supervision coverage, and compliance.
Fleet-wide Android inventory with security patch aging, management-mode breakdown, and replacement-planning data.
The fleet-wide Android inventory to run on a schedule, built with the columns that matter on this platform: security patch age (your compliance-floor evidence), management mode, and OEM distribution (your update-support and replacement-budget evidence). Sovereign-cloud portable like every script on this site.
PatchAgeDays sorted descending puts your risk at the top of the CSV — the over-180 bucket is usually hardware past its OEM support window, i.e., a procurement conversation, not a nagging campaign.
Mode breakdown sanity-checks reality against design intent — BYOD work profiles appearing in a "corporate-only" tenant is a policy gap announcing itself.
Feed PatchAgeDays straight into your minimum-patch-level compliance decision: set the floor where it captures the stragglers without strafing the median.
90 daysdefault -PatchWarnDays window before a device flags STALE
180 dayspatch age that usually means hardware past its OEM support window
Fleet-wide Windows inventory with join-type split, Autopilot coverage, encryption rate, and build distribution — your cloud-migration KPIs in one CSV.
The fleet-wide Windows inventory to run on a schedule, with the columns this platform's strategy runs on: join type (the hybrid → Entra migration KPI), Autopilot coverage, encryption rate (the BitLocker attestation), and OS build distribution (the update-ring reality check).
Find, report, and safely retire iOS devices that stopped checking in.
Stale records rot every metric you have — compliance percentages, license counts, app install rates. This script finds iOS devices beyond a sync threshold and (optionally) retires or deletes them, with -WhatIf support and an exclusion list so the CFO's drawer-iPad survives.
PermissionsRead.All to report; ReadWrite.All to retire or delete
Default threshold90 days without a sync (-DaysStale)
Default actionReport — nothing changes until you opt in
Safety rails-WhatIf support plus a serial exclusion list
Retire vs Delete
Retire removes company data and management when the device next checks in. Harmless for truly dead devices; the right action for live-but-forgotten ones.
Delete removes the Intune object. If the device powers on later, it's unmanaged but still holds whatever it had. For supervised ADE devices, prefer retire/wipe flows so Activation Lock is handled — never delete a record before clearing AL.
Run -Action Report first. Always.
Monthly: run with -Action Report, eyeball the CSV, chase surprises (a whole site going stale = network problem, not device problem).
Quarterly: -Action Retire -DaysStale 120 -WhatIf, review, then drop -WhatIf.
Keep retired records around a cycle before any Delete pass — and for supervised hardware, your asset process (Activation Lock clearance, ABM reassignment) owns deletes, not this script.
ReportMonthly, -Action ReportEyeball the CSV — a whole site going stale is a network problem, not a device problem
RetireQuarterly, -WhatIf firstReview the plan, then drop -WhatIf; devices clear at next check‑in
DeleteAsset process onlyAfter Activation Lock clearance and ABM reassignment — never first
Sync, restart, or lock iOS devices at scale by serial number — plus an APNs certificate health check.
The remote actions you click one-at-a-time in the console — Sync, Restart (supervised), Remote lock — driven by a serial list instead. Overnight kiosk restarts, post-change fleet syncs, incident lockdowns.
Commands queue via APNs — an offline device executes when it next comes online. "Command sent" means accepted by the service, not completed on glass.
ScriptPOST remote action
→
Intunequeues the command
→
Deviceexecutes at next contact
Bonus: APNs Certificate Health Check
The check referenced throughout this site — wire it into your monitoring so certificate expiry never surprises you. Permission: DeviceManagementServiceConfig.Read.All.
# Requires a valid $script:GraphToken (see foundation above)
$apns = Invoke-GraphRequest -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate'
$daysLeft = [math]::Floor(([datetime]$apns.expirationDateTime - (Get-Date).ToUniversalTime()).TotalDays)
[PSCustomObject]@{
AppleId = $apns.appleIdentifier
Expires = $apns.expirationDateTime
DaysRemaining = $daysLeft
Status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -le 30) { 'RENEW NOW' } else { 'OK' }
}
if ($daysLeft -le 30) {
Write-Warning "APNs certificate expires in $daysLeft days. Renew with the SAME Apple ID: $($apns.appleIdentifier)"
}
Catch exhausted app licenses and expiring VPP tokens before silent install failures do.
When a VPP app runs out of licenses, installs fail silently — no user error, no admin alert, just devices missing apps. This report surfaces token health and per-app license headroom in one pass.
EXHAUSTED: buy more licenses in ABM (free apps included — just raise the quantity) and sync the token under Tenant administration > Connectors and tokens > Apple VPP tokens.
Token lastSyncStatus failing: usually an ABM password change or token re-download elsewhere — re-download the .vpptoken from ABM and update the connector.
Run it weekly on a schedule; alert on any non-OK row. This single report prevents the most baffling class of "app won't install" tickets.
One scheduled script watching all three Apple lifelines — APNs certificate, VPP tokens, and ADE tokens.
Three annually-expiring Apple credentials can each take down a different slice of your fleet: the APNs certificate (all commands), VPP tokens (app deployment), and ADE server tokens (new-device enrollment). This script checks all three and exits non-zero on any warning — drop it in Azure Automation on a daily schedule and wire the failure to your alerting.
Renewal calendar still applies — this script is the safety net, not the process. Two named owners per credential, renewal at 11 months.
The -GraphBase/-LoginBase parameters make it sovereign-cloud portable — pass the .us endpoints in GCC High/DoD.
In Azure Automation, swap the secret for a Managed Identity token and alert on the runbook's failure status — the non-zero exit is designed for exactly that.
30 daysdefault -WarnDays expiry warning window
48 hoursADE sync age that flags SYNC STALE
11 monthscalendar renewal point — the script is the safety net, not the process
Enforce a fleet-wide naming convention on supervised iOS devices with the setDeviceName action.
IOS-IND-4F7K2M in the console, on the lock screen, and on the asset label beats Tom's iPhone (3) every day of the week. Supervised devices accept a remote rename via Graph — this script applies a template across the fleet.
The rename is queued via APNs like any action — offline devices pick it up at next contact.
A user on an unsupervised device can rename it right back; this convention game is for supervised corporate fleets (Settings Catalog can also block user renaming — search "device name").
Pair with the lock screen asset tag so the name on glass matches the name in the console.
Find every device missing or failing a required app — by name, with exportable failure detail.
"Is Outlook actually on every device?" deserves a better answer than scrolling the portal. This script resolves an app by display name and reports per-device install state, exporting the failures for follow-up — and Reading the States below tells you where to take what you find.
failed + an error detail → start at App Install Failures; license exhaustion and storage are the leaders.
failed + an error detail → start at Android App Install Failures; storage pressure and Play connectivity are the leaders.
failed + an error detail → start at Win32 App Failures; content download and disk space are the leaders.
failed + an error detail → start at App Install Failures on Mac; license exhaustion and storage are the leaders.
notInstalled with no error → the install command may simply be queued (device offline) — check LastSync before escalating.
A wall of failures sharing one timestamp usually means a VPP token or APNs event, not a device problem.
A wall of failures sharing one timestamp usually points at the service side — check the Managed Google Play connection under Tenant administration before blaming devices.
When the console doesn't have your setting — every platform's escape hatch for deploying configuration the UI hasn't surfaced.
Every platform eventually presents the same moment: the setting exists, the vendor documented it, and the Intune UI doesn't have a checkbox for it yet. Each platform has a custom lane for exactly this — different formats, same discipline: check the built-in surface first, document everything you hand-craft, and treat custom payloads as code.
The Settings Catalog covers most of Apple's MDM surface, but Apple ships payloads faster than any console can expose them. The escape hatch: build a .mobileconfig yourself and deploy it as a custom profile.
When to Reach for Custom
A brand-new payload from this year's iOS release
Vendor-supplied profiles (Wi-Fi gear, SSO/PKI vendors often hand you one)
Settings Catalog has the payload but not the one key you need
Always check the Catalog first — custom profiles are invisible to Intune's reporting granularity (it knows the profile applied, not each setting).
Build It
iMazing Profile Editor (free): every Apple payload with inline documentation — the community's standard tool.
Apple Configurator: fine for basics.
Hand-edit XML when you must; validate with plutil -lint profile.mobileconfig.
Example: Encrypted DNS (DNS over HTTPS)
A clean, modern example — point devices at a protective DNS resolver system-wide:
Devices > iOS/iPadOS > Configuration > Create > Templates > Custom — name it, upload the file, assign.
Rules That Save You Pain
Every PayloadUUID must be unique — generate fresh ones per profile (uuidgen); duplicating a UUID across profiles makes the device treat them as the same profile, with replacement chaos.
Changing content? Keep the identifiers, bump nothing else — same identifiers = clean in-place update.
Signing is optional via MDM delivery (the MDM channel is the trust); don't burn time on it.
Document every custom profile in your wiki with the payload reference link — future-you cannot read XML intent.
Android Enterprise deliberately has no raw-profile upload lane — there is no XML file to hand-craft. The "custom" surfaces are structured instead, and they cover the same ground:
The Two Custom Lanes
OEMConfig — the OEM publishes a schema app (Knox Service Plugin, Zebra OEMConfig) exposing every hardware knob the manufacturer supports, far beyond the generic policy surface. This is where barcode-scanner settings, hardware-key remapping, and firmware controls live.
App configuration policies — managed-config key/value payloads delivered to any app that declares restrictions. For apps whose schema Intune renders, it's a form; for the rest, the JSON editor is the custom escape hatch:
The key names and types come from the app's own managed-configuration schema — the vendor's admin guide or the app's Managed Google Play listing defines them; nothing here is invented.
the setting is a manufacturer hardware knob — scanners, key remapping, firmwareOEMConfigThe OEM's schema app exposes every knob the hardware supports.
you're configuring an app that declares managed configurationsApp configuration policyForm when Intune renders the schema; JSON editor for the rest.
Rules That Save You Pain
OEMConfig schemas are versioned with the OEM app — pin and test before letting the schema app auto-update across a production fleet.
Scope OEMConfig by manufacturer with an assignment filter — a Zebra schema assigned to a Samsung does nothing useful and clutters reporting.
One OEMConfig profile per device is the safe assumption; consolidate settings rather than stacking profiles.
The Settings Catalog now exposes most of the CSP surface, but Windows has carried a custom lane for years and it still earns its keep: custom OMA-URI profiles, speaking directly to CSP nodes the Catalog hasn't surfaced — plus ADMX ingest for third-party apps that ship Group Policy templates.
the CSP node is documented but the Settings Catalog hasn't surfaced itCustom OMA-URIOne row per node — the data type must match the CSP docs exactly.
a third-party app ships Group Policy templatesADMX ingestIngest the template first, then set its policies by URI.
When to Reach for Custom
A CSP node documented by Microsoft but not yet in the Catalog (new OS releases ship CSPs ahead of UI)
Third-party ADMX policies (Chrome and Edge are built in these days; your niche vendor's template isn't)
A Catalog setting that exists but lacks the one sub-key you need
Custom OMA-URI
Devices > Windows > Configuration > Create > Templates > Custom. Each row is one CSP node:
The data type must match the CSP documentation exactly (String, Integer, Boolean, String XML) — a type mismatch is the classic silent-looking failure that actually surfaces as a remediation-failed error code.
ADMX Ingest (Third-Party Templates)
Two-step pattern — first ingest the template, then set its policies:
# Step 1 - ingest the ADMX file (paste the file's XML as the String value)
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/YourApp/Policy/YourAppAdmx
Data type: String
Value: <the full contents of YourApp.admx>
# Step 2 - configure a policy the template defines
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/YourApp~Policy~YourCategory/YourPolicyName
Data type: String
Value: <enabled/>
The Step-2 URI path comes from the ADMX's own category/policy names — read the template, don't guess.
Rules That Save You Pain
Catalog first, always — custom OMA-URI rows report a per-URI status code, but decoding those codes means a trip to the CSP docs; Catalog settings report in plain English.
One profile per concern, named for the CSP it touches — a twenty-row custom grab-bag is unmaintainable.
Document the CSP reference link per row; the URI alone tells future-you nothing.
Macs get two custom lanes in Intune, and choosing the right one matters:
Lane 1: Custom .mobileconfig
The same craft as any Apple platform — when the Settings Catalog lacks the payload, build the profile yourself and deploy via Devices > MacOS > Configuration > Templates > Custom. Build with iMazing Profile Editor (free, every payload documented inline), validate with plutil -lint, and a compact example — a managed login-window banner:
For app preference domains (com.vendor.app), Intune's Preference file template deploys managed preferences without you wrapping them in profile XML — give it the domain and the plist, done. Reach for this when you're configuring an app rather than the OS; reach for Lane 1 when you need a real MDM payload type.
you need a real MDM payload type the Settings Catalog lacksCustom .mobileconfigBuild it in iMazing Profile Editor, validate with plutil, deploy via Templates > Custom.
you're configuring an app's preference domainPreference file templateHand Intune the domain and the plist — no profile XML wrapping.
Rules That Save You Pain
Every PayloadUUID must be unique (uuidgen per profile); reused UUIDs make profiles replace each other unpredictably.
Same identifiers + changed content = clean in-place update; new identifiers = a second profile.
Test on the bench unit per OS release — Apple deprecates payload keys, and custom profiles don't warn you.
Document every custom payload with its reference link; the agent-channel scripts are the answer when no MDM payload exists at all.
The copy-paste Graph endpoints an endpoint admin reaches for weekly — per platform.
Quick reference — all relative to https://graph.microsoft.com/v1.0 unless marked beta. Paste into Graph Explorer or feed to the foundation script.
Calls that work identically everywhere:
# Single device, trimmed
GET /deviceManagement/managedDevices/{id}?$select=deviceName,osVersion,complianceState,lastSyncDateTime
# Devices that haven't synced since a date (add your platform filter)
GET /deviceManagement/managedDevices?$filter=lastSyncDateTime le 2026-03-01T00:00:00Z
# Settings Catalog policies / compliance policies
GET /deviceManagement/configurationPolicies
GET /deviceManagement/deviceCompliancePolicies
# Recent Intune audit events (who wiped what)
GET /deviceManagement/auditEvents?$top=50&$orderby=activityDateTime desc
# Sync any device (POST, empty body)
POST /deviceManagement/managedDevices/{id}/syncDevice
# --- Devices ---
# All iOS/iPadOS devices (iPadOS reports as iOS)
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'iOS'
# Find a device by serial
GET /deviceManagement/managedDevices?$filter=serialNumber eq 'F2LXK3ABCD12'
# Supervision and version, trimmed
GET /deviceManagement/managedDevices/{id}?$select=deviceName,isSupervised,osVersion,complianceState
# --- Remote actions (POST, empty body) ---
POST /deviceManagement/managedDevices/{id}/rebootNow # supervised
POST /deviceManagement/managedDevices/{id}/remoteLock
POST /deviceManagement/managedDevices/{id}/retire
POST /deviceManagement/managedDevices/{id}/requestRemoteAssistance
# --- Apple service health ---
# APNs certificate (expiry watch!)
GET /deviceManagement/applePushNotificationCertificate
# ADE (DEP) tokens and their sync state
GET /deviceManagement/depOnboardingSettings
# Force an ABM sync (respect the 15-minute rate limit)
POST /deviceManagement/depOnboardingSettings/{id}/syncWithAppleDeviceEnrollmentProgram
# ADE enrollment profiles under a token
GET /deviceManagement/depOnboardingSettings/{id}/enrollmentProfiles
# --- Apps & VPP ---
# VPP tokens (state, expiry, lastSyncStatus)
GET /deviceAppManagement/vppTokens
# All apps -> filter client-side where '@odata.type' eq '#microsoft.graph.iosVppApp'
GET /deviceAppManagement/mobileApps?$top=999
# Install status for one app
GET /deviceAppManagement/mobileApps/{id}/deviceStatuses
# --- App protection (MAM) ---
GET /deviceAppManagement/iosManagedAppProtections
# All Android devices (covers every Android Enterprise mode)
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'Android'
&$select=id,deviceName,manufacturer,model,osVersion,androidSecurityPatchLevel,deviceEnrollmentType,complianceState
# Patch-level floor check (ISO dates compare correctly as strings)
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'Android' and androidSecurityPatchLevel le '2026-03-01'
# Noncompliant Android only
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'Android' and complianceState eq 'noncompliant'
# App protection (MAM) policies
GET /deviceAppManagement/androidManagedAppProtections
The mode fingerprint (deviceEnrollmentType values), targeting rules, and the rest of the cookbook live on the dedicated page: Useful Graph Calls — Android.
# --- Devices ---
# All Windows devices
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'Windows'
&$select=id,deviceName,model,manufacturer,osVersion,complianceState,lastSyncDateTime
# Find a device by name
GET /deviceManagement/managedDevices?$filter=deviceName eq 'LAPTOP-7F3K2'
# --- Autopilot ---
# Registered Autopilot identities (serial, model, profile assignment status)
GET /deviceManagement/windowsAutopilotDeviceIdentities
# --- Remote actions (POST) ---
POST /deviceManagement/managedDevices/{id}/rebootNow
POST /deviceManagement/managedDevices/{id}/windowsDefenderScan
# body: { "quickScan": true }
POST /deviceManagement/managedDevices/{id}/windowsDefenderUpdateSignatures
# --- BitLocker ---
# Escrowed recovery key IDs (key retrieval is a separate, heavily-audited permission)
GET /informationProtection/bitlocker/recoveryKeys
# --- Remediations (beta) ---
GET https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts
# --- Devices ---
# All Macs
GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'macOS'
&$select=id,deviceName,model,osVersion,complianceState,lastSyncDateTime
# Find a Mac by serial
GET /deviceManagement/managedDevices?$filter=serialNumber eq 'C02XK3ABMD6T'
# --- Remote actions (POST, empty body) ---
POST /deviceManagement/managedDevices/{id}/rebootNow # supervised
POST /deviceManagement/managedDevices/{id}/shutDown # supervised
POST /deviceManagement/managedDevices/{id}/remoteLock # sets a 6-digit PIN - record it
# --- Apple service health (shared Apple plumbing) ---
GET /deviceManagement/applePushNotificationCertificate
GET /deviceManagement/depOnboardingSettings
# --- Scripts (beta) ---
GET https://graph.microsoft.com/beta/deviceManagement/deviceShellScripts
The operatingSystem filter value is the string macOS as Graph reports it — one of the rare places that spelling is load-bearing, so copy it exactly.
Three habits: $select what you report on, page via @odata.nextLink (the foundation script does it for you), and prototype in Graph Explorer before you script.
# All Android devices (covers every Android Enterprise mode)
GET /v1.0/deviceManagement/managedDevices?$filter=operatingSystem eq 'Android'
&$select=id,deviceName,manufacturer,model,osVersion,androidSecurityPatchLevel,deviceEnrollmentType,ownerType,complianceState,lastSyncDateTime
# Patch-level floor check (ISO dates compare correctly as strings)
GET /v1.0/deviceManagement/managedDevices?$filter=operatingSystem eq 'Android' and androidSecurityPatchLevel le '2026-03-01'
# Noncompliant Android only
GET /v1.0/deviceManagement/managedDevices?$filter=operatingSystem eq 'Android' and complianceState eq 'noncompliant'
deviceEnrollmentType values you'll meet on Android Enterprise — the mode fingerprint:
# Corporate-owned Android
(device.deviceOSType -contains "Android") and (device.deviceOwnership -eq "Company")
# Everything from one enrollment token/profile - self-maintaining by design
(device.enrollmentProfileName -eq "Dedicated-Warehouse-Scanners")
# Naming-convention fleets (corporate modes where IT controls device names)
(device.displayName -startsWith "SCAN-")
Verify deviceOSType in your tenant
Android Enterprise devices register with OS-type strings that have varied across modes and eras (Android, AndroidEnterprise, AndroidForWork). Before trusting a rule fleet-wide, list a few known devices' actual values — -contains "Android" is the forgiving starting point; tighten once you've seen your tenant's reality.
Assignment Filter Expressions
# OEM-scoped (keep Zebra OEMConfig off Samsungs)
(device.manufacturer -eq "Zebra Technologies")
# Mode-scoped via enrollment profile
(device.enrollmentProfileName -startsWith "COPE-")
# OS floor for a policy needing modern APIs
(device.osVersion -ge "13")
The filters-over-dynamic-groups guidance applies unchanged: filters evaluate at delivery time, dynamic groups lag — enrollment-critical Android policy should be filter-shaped.
The copy-paste targeting cookbook — per-platform rules, and when to use a filter instead of a group.
Targeting is half of endpoint management. Two tools, one decision rule: filters evaluate instantly at policy delivery; dynamic groups take time to calculate. Prefer filters for include/exclude shaping, keep dynamic groups for membership you reuse across many assignments (licensing, CA, app bundles).
you're shaping one assignment's include/exclude and delivery timing mattersAssignment filterEvaluates instantly at policy delivery — the shape for enrollment-critical targeting.
you reuse one membership across many assignments — licensing, Conditional Access, app bundlesDynamic groupReal group membership, but it takes time to calculate after enrollment.
Dynamic Device Group Rules (Entra ID)
# All corporate iPhones and iPads
(device.deviceOSType -in ["iPhone","iPad"]) and (device.deviceOwnership -eq "Company")
# All personal (BYOD-enrolled) devices
(device.deviceOSType -in ["iPhone","iPad"]) and (device.deviceOwnership -eq "Personal")
# Everything enrolled through a specific ADE profile (THE workhorse - see note)
(device.enrollmentProfileName -eq "ADE-Corporate-1to1")
# Shared iPad fleet
(device.enrollmentProfileName -eq "SharedIPad-Production")
# Kiosks by naming convention (pairs with the Bulk Device Rename script)
(device.displayName -startsWith "KIOSK-")
# iPads only, any ownership
(device.deviceOSType -eq "iPad")
The enrollmentProfileName trick
Entra's device object has no "supervised" attribute — but every device from a given ADE profileis supervised. Targeting by enrollmentProfileName is how you build "all supervised corporate devices" in practice, and it self-maintains forever.
Assignment Filter Expressions (Intune)
Create under Tenant administration > Filters (platform iOS/iPadOS), then attach at assignment time with include/exclude mode:
# Corporate-owned only
(device.deviceOwnership -eq "Corporate")
# A specific enrollment profile
(device.enrollmentProfileName -eq "ADE-Corporate-1to1")
# iPads, excluding one model family
(device.model -startsWith "iPad") and (device.model -notContains "iPad mini")
# OS floor for a policy that needs newer-release features (DDM updates etc.)
(device.osVersion -startsWith "17") or (device.osVersion -startsWith "18")
Dynamic Device Group Rules (Entra ID)
# Corporate-owned Android
(device.deviceOSType -contains "Android") and (device.deviceOwnership -eq "Company")
# Everything from one enrollment token/profile - the same self-maintaining trick
(device.enrollmentProfileName -eq "Dedicated-Warehouse-Scanners")
# Naming-convention fleets (corporate modes where IT controls device names)
(device.displayName -startsWith "SCAN-")
Verify deviceOSType in your tenant
Android Enterprise devices register with OS-type strings that have varied across modes and eras (Android, AndroidEnterprise, AndroidForWork). Before trusting a rule fleet-wide, list a few known devices' actual values — -contains "Android" is the forgiving starting point; tighten once you've seen your tenant's reality.
Assignment Filter Expressions (Intune)
# OEM-scoped (keep Zebra OEMConfig off Samsungs)
(device.manufacturer -eq "Zebra Technologies")
# Mode-scoped via enrollment profile
(device.enrollmentProfileName -startsWith "COPE-")
# OS floor for a policy needing modern APIs
(device.osVersion -ge "13")
The full Android query cookbook — enrollment-type values, patch-level Graph filters — lives in Useful Graph Calls — Android.
Dynamic Device Group Rules (Entra ID)
# All corporate Windows devices
(device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company")
# Everything from one Autopilot deployment profile (self-maintaining)
(device.enrollmentProfileName -eq "Autopilot-UserDriven-Standard")
# Virtual machines by model + naming convention
(device.displayName -startsWith "BOT-") and (device.deviceModel -contains "Virtual")
# Kiosk/shared PCs by naming convention
(device.displayName -startsWith "KIOSK-")
The enrollmentProfileName trick on Windows
The attribute populates with the Autopilot deployment profile name — which makes "all devices that came through Autopilot profile X" a one-line, self-maintaining group that never needs manual upkeep.
Assignment Filter Expressions (Intune)
# Corporate-owned only
(device.deviceOwnership -eq "Corporate")
# Physical machines only (exclude VMs from BitLocker, baselines, etc.)
(device.model -notContains "Virtual")
# One hardware family for a driver-sensitive policy
(device.manufacturer -eq "Dell Inc.") and (device.model -startsWith "Latitude")
# OS floor for a feature-gated policy
(device.osVersion -startsWith "10.0.2")
Dynamic Device Group Rules (Entra ID)
# All Macs (the OSType value Entra registers for Mac MDM enrollments)
(device.deviceOSType -eq "MacMDM")
# Corporate ADE Macs via enrollment profile (self-maintaining)
(device.enrollmentProfileName -eq "ADE-Mac-Standard")
# Naming-convention fleets
(device.displayName -startsWith "MAC-")
MacMDM is the value
Entra registers Intune-enrolled Macs with deviceOSType of MacMDM — not the OS marketing name, not "Mac". Build one known-good Mac, check its device object, and you'll never guess again.
Assignment Filter Expressions (Intune)
# Corporate-owned only
(device.deviceOwnership -eq "Corporate")
# Model families (laptops vs desktops get different power/security posture)
(device.model -startsWith "MacBook")
# OS floor for a policy that needs a recent release
(device.osVersion -ge "14")
Rules of the Road
Dynamic membership can lag minutes-to-hours after enrollment — a brand-new device missing "everything assigned to the dynamic group" is usually just early. Filters don't have this problem, which is why enrollment-critical policy (identity/SSO, Wi-Fi) should be filter-shaped.
Never nest dynamic groups inside dynamic groups when you can avoid it; each layer adds calculation delay.
Name groups and filters with one convention — IOS-DG-Corporate-All, IOS-FLT-Supervised — so assignment screens read like sentences.
Name groups and filters with one convention — AND-DG-Corporate-All, AND-FLT-Dedicated — so assignment screens read like sentences.
Name groups and filters with one convention — WIN-DG-Corporate-All, WIN-FLT-Physical-Only — so assignment screens read like sentences.
Name groups and filters with one convention — MAC-DG-Corporate-All, MAC-FLT-Laptops — so assignment screens read like sentences.
Everything that must be true in Entra and Intune before the first Windows PC enrolls.
Before you register a single device hash or flip the Autopilot switch, several things must already be true in your tenant. Miss one and you'll burn hours debugging enrollment failures that have nothing to do with enrollment. This page is the pre-flight checklist a senior engineer runs once per tenant — get it right and every subsequent step in this guide works as documented.
If you're standing up a brand-new tenant from scratch, read the basic tenant setup guide first, then return here for the Windows-specific layer. If the tenant is already live with other platforms, most of the foundational work is done — scan this list anyway, because the Windows-specific items (MDM authority scope, subscription activation, RBAC scope tags) are frequently skipped until they cause pain.
Applies toWindows 10 21H2+ / Windows 11, Entra-joined and Hybrid-joined
Min licensingMicrosoft Intune Plan 1 (standalone) or M365 E3/E5, EMS E3/E5, or Business Premium
MDM authorityMust be set to Microsoft Intune (not SCCM/hybrid)
GotchaLicensing assigned to a group is fine, but the user must have the license resolved at enrollment time — not eventually
Licensing
Every user who enrolls a Windows device must hold an Intune license at the moment of enrollment. The right license lands through any of these SKUs:
SKU
Includes Intune?
Includes Entra ID P1?
Autopilot eligible?
Microsoft 365 E3 / E5
✅
✅
✅
Microsoft 365 Business Premium
✅
✅
✅
EMS E3 / E5
✅
✅ (E3) / P2 (E5)
✅
Intune Plan 1 (standalone)
✅
❌ — buy separately
✅
Intune Plan 2 / Suite
✅ + advanced features
❌ — buy separately
✅
Microsoft 365 F1 / F3 (Frontline)
✅
P1 (F3 only)
✅ (limited)
Entra ID P1 is not optional for Windows
Autopilot dynamic device groups require Entra P1.
Automatic MDM enrollment (the plumbing under every Autopilot flow) requires Entra P1.
Conditional Access — which you will need for a compliant-device gate — requires Entra P1.
Assign licenses via a group in Entra admin center > Groups > your license group > Licenses. Verify the assignment landed: Entra admin center > Users > select a user > Licenses. For the full edition story — including subscription activation and what Enterprise features require E3/E5 — see Windows Editions, Licensing, and Entitlements.
Windows Edition: Pro vs. Enterprise
Intune manages both Windows Pro and Enterprise, but several features you will want — Windows Hello for Business cloud trust, some BitLocker silent encryption paths, LAPS integration, and certain CSP nodes — behave differently or require Enterprise. The field-tested answer: target Enterprise and use subscription activation (formerly "step-up") to silently upgrade Pro licenses to Enterprise at enrollment, rather than buying Enterprise OEM images.
Confirm your M365/EMS SKU includes Windows Enterprise E3 or E5. M365 E3, E5, and Business Premium all include Windows Enterprise E3 via subscription activation.
Enable subscription activation. Navigate to Devices > Windows > Enrollment > Windows Subscription Activation and toggle it on. The device must reach WUfB/activation servers at first boot.
Deploy a Settings Catalog profile with the WindowsLicensing/UpgradeEditionWithProductKey or the subscription-based activation CSP if you have edge cases (air-gapped, GCCH).
OEM devices ship as Pro — that's fine
Buy standard Windows 11 Pro OEM hardware. Subscription activation upgrades the device silently during Autopilot, before the user reaches the desktop. No manual key entry, no re-imaging.
Entra ID Configuration
Intune rides on Entra identity. Before the first enrollment, verify these Entra settings are deliberate — they ship with defaults that may not match your intent.
Set the MDM authority to Microsoft Intune. In Intune admin center > Tenant administration > Tenant status, confirm MDM authority: Microsoft Intune. If it shows SCCM or hybrid, the migration to standalone is a significant project — do it before proceeding.
Configure device join settings. In Entra admin center > Devices > Device settings: set Users may join devices to Entra ID to All or to a specific pilot group. Set Maximum number of devices per user appropriately (the default 50 is usually fine; 0 = unlimited). Review Require Multifactor Authentication to register or join devices — enabling this requires the MFA prompt before Autopilot OOBE completes.
Decide on join type before proceeding. Entra join (cloud-native) vs Hybrid join (domain-joined + Entra-registered) is an architectural decision that determines your Autopilot profile type and your connector requirements. If this is not already decided, read Entra Join vs Hybrid Join before touching a profile.
Entra Groups for Staged Rollout
You need groups before you can assign anything. Create them now, not reactively mid-deployment. The minimum set for a Windows rollout:
Group name pattern
Type
Used for
WIN-Autopilot-Devices
Dynamic device — (device.devicePhysicalIds any _ -contains "[ZTDId]")
Targeting Autopilot profiles
WIN-Pilot
Dynamic device or assigned
Scoped policy/app rollout, first 10–50 devices
WIN-Broad
All devices or dynamic
Production-wide policy assignment
WIN-Intune-Licensed
Assigned (users)
License assignment, MDM user scope
WIN-BreakGlass-Exclusion
Assigned
Excluded from Conditional Access gates
Dynamic group propagation is not instant
Dynamic device groups can take 5–30 minutes to populate after a device registers.
If an Autopilot profile targets a dynamic group and the device hasn't resolved into it yet, the profile won't apply at OOBE.
Always test group membership resolution in your pilot before committing to production.
Device Naming Convention
Set your naming template before any device enrolls — renaming enrolled devices is possible but adds a restart and support noise. Autopilot supports a naming template at profile creation time using the variables %SERIAL%, %RAND:n%, and the profile prefix. A solid pattern is CORP-WIN-%SERIAL% or a location-code prefix like NYC-%SERIAL%. Fifteen characters maximum (NetBIOS limit). Agree on the pattern with the service desk and asset management teams now.
RBAC and Scope Tags
If your organization has more than one team managing devices (geo teams, business units, helpdesk vs senior engineers), scope tags must be established before devices enroll. A device inherits scope tags from its enrollment profile or from direct assignment — retroactively scoping a fleet of enrolled devices requires a bulk Graph operation or a re-enrollment. Get this right upfront.
Step 1Define rolesIdentify which teams need which capabilities: Helpdesk (read + remote lock), Deployment engineer (full device config), App admin (apps only).
Step 2Create scope tagsIntune admin center > Tenant administration > Roles > Scope tags. One tag per org boundary (region, BU, device tier).
Step 3Assign rolesTenant administration > Roles > select role > Assignments. Tie each assignment to a scope tag and an admin group.
Step 4Tag enrollment profilesSet scope tags on Autopilot profiles and ESP profiles before assigning to devices. Tags flow to enrolled devices from the profile.
The full RBAC model — custom roles, built-in role limits, and multi-tenant admin patterns — is covered in RBAC and Scope Tags.
Pre-Flight Checklist
Confirm before first enrollment
Every enrolling user has an Intune + Entra P1 license resolved (not pending)
MDM authority is Microsoft Intune in tenant status
Entra device settings: join permissions scoped, MFA-at-join decision made
Join type decided: Entra join vs Hybrid join — Autopilot profile type depends on this
Subscription activation enabled if targeting Enterprise upgrade from Pro OEM hardware
Dynamic Autopilot device group created and rule validated
Pilot and broad device groups in place
Device naming template agreed and entered in the Autopilot profile before first device
Scope tags created and assigned to enrollment profiles
Break-glass admin account excluded from all Conditional Access policies
Common skips that cost you later
Assigning licenses to a group but not verifying individual user resolution
Leaving MDM user scope at None — automatic enrollment silently fails
Creating Autopilot profiles before deciding on join type
Using All Users / All Devices for every assignment from day one — no rollback lever
Naming devices with more than 15 characters or using disallowed characters
Skipping scope tags "until later" — retroactive tagging at scale is painful
Insights
License resolution lag bites at scale. If you onboard 500 users via a bulk CSV import and immediately start deploying devices, the group-based license assignment may still be propagating. Build a 30-minute buffer or validate a sample before triggering the Autopilot wave.
The MDM user scope in Entra automatic enrollment is a separate gate from license assignment. Even a fully licensed user won't auto-enroll if the MDM user scope is set to None. This is configured at Entra admin center > Mobility (MDM and MAM) > Microsoft Intune — covered in the next step of this guide.
Entra join is the right default for net-new fleets. Unless you have a hard dependency on legacy Kerberos or on-premises resources that can't move to modern auth, start with Entra join. Hybrid adds a domain controller dependency, a connector, and additional sync delay — see Entra Join vs Hybrid Join for the full trade-off.
Windows Pro OEM + subscription activation is cheaper than Enterprise OEM images. The upgrade happens silently during Autopilot. You don't need to maintain a separate Enterprise image or deal with OEM key management.
Scope tag debt is real. Teams that skip scope tags ship a single flat namespace. Six months later when a second region or BU comes on board, they can't delegate management without a disruptive re-enrollment or bulk Graph scripting. Fifteen minutes of scope tag design now saves days of remediation later.
Wire Entra automatic enrollment so a join means a managed device — the plumbing under every Autopilot flow.
Automatic MDM enrollment is the mechanism that turns an Entra join event into an Intune management event — without it, a device can join Entra ID and still land completely unmanaged. Every Windows deployment path, from Autopilot user-driven to GPO-based hybrid enrollment, depends on this single configuration being correct. Get it wrong and devices silently enroll nowhere; get it right and you never have to think about it again.
The setting lives in Entra ID, not in Intune. The Intune portal will redirect you there, but the authoritative location is Entra admin center > Devices > Device settings and the MDM configuration under Mobility (MDM and MAM). This page walks every field in that blade and explains the decisions you have to own.
Applies toWindows 10/11, Entra ID-joined and hybrid-joined
Console pathEntra admin center > Devices > Mobility (MDM and MAM) > Microsoft Intune
RequiresEntra ID P1 (included in M365 E3/E5 and EMS E3/E5); Intune license on users in scope
GotchaMDM scope set to "None" is the #1 reason Autopilot devices arrive in Entra but not in Intune
Step 1 — Open the MDM Configuration Blade
Step 1Navigate to MobilityEntra admin center > Devices > Mobility (MDM and MAM) > Microsoft Intune
Step 2Set MDM user scopeChoose All, Some (group-scoped), or None; this is the enrollment gate
Step 3Verify URLsLeave MDM discovery, terms-of-use, and compliance URLs at defaults unless you have a reason to change them
Step 4Review MAM scopeEnsure MAM scope doesn't unintentionally overlap with your MDM scope for the same users
MDM User Scope — The Core Decision
The MDM user scope setting controls which users trigger automatic enrollment when they Entra-join a device. This is a three-way decision:
Scope value
Who enrolls
When to use it
All
Every licensed user in the tenant
Mature tenants with broad Intune rollout; Autopilot fleets where all devices should be managed
Some
Members of one or more Entra security groups
Staged rollouts, pilot rings, or tenants with mixed-management populations (some users BYOD-only)
None
Nobody — enrollment is blocked
Dev/test tenants only; never in production if Windows management is the goal
All vs Some — think before you pick All
Setting scope to All means any licensed user who Entra-joins any device — including personal ones registered via "Add a work account" flows — will trigger enrollment. This is usually fine for corporate-owned devices but can surprise users who register personal laptops.
If your tenant has a BYOD population using MAM-WE (app protection without enrollment), set MDM scope to Some and scope it to a group that excludes those BYOD users, or they may inadvertently trigger full enrollment.
The MDM URLs — Leave Them Alone (Mostly)
Three URLs appear under the scope setting: MDM terms of use URL, MDM discovery URL, and MDM compliance URL. When you select Microsoft Intune as your MDM authority, all three auto-populate to the correct Intune endpoints. Do not change them unless you are running a custom enrollment service or a third-party MDM alongside Intune (rare and complex).
MDM terms of use URL. Shown to the user during enrollment. Defaults to https://portal.manage.microsoft.com/TermsofUse.aspx. You can point this at a custom terms page, but the Intune default is functional and meets most compliance requirements.
MDM discovery URL. The endpoint Windows contacts to locate the MDM service. Default: https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc. Never change this for Intune-only environments.
MDM compliance URL. Where the device is directed if it fails compliance evaluation. Default points to the Intune Company Portal. Leave it.
If the URLs are blank
A blank MDM discovery URL is a symptom of the Microsoft Intune entry being in a broken state — usually because the tenant was reconfigured after a test period with a third-party MDM. Delete the entry and re-add Microsoft Intune to get the defaults back.
MAM User Scope — The Interplay That Trips Everyone
Directly below the MDM settings is the MAM user scope. MAM-WE (Mobile Application Management without enrollment) and MDM enrollment are mutually exclusive on a per-user basis: if the same user is in scope for both MDM and MAM, MDM wins on a corporate-owned Entra-joined device, and MAM takes effect only on personally-owned devices that register rather than full-join.
The practical rule: if a user should be fully managed by Intune MDM, they must be in MDM scope. If they're BYOD-only and should only have MAM app protection policies applied, they must be in MAM scope but out of MDM scope. Putting the same user in both scopes with All for each is a misconfiguration you'll debug for days — devices enroll, apps behave unexpectedly, and the root cause is invisible until you check this blade.
Entra Device Settings — Join and Registration
Automatic enrollment is half the picture. The other half is whether users are allowed to join devices to Entra in the first place. Navigate to Entra admin center > Devices > Device settings and review:
Users may join devices to Entra ID. Set to All or a specific security group. If this is set to None, no Entra join succeeds — Autopilot will fail at the join step with a cryptic error. For hybrid-joined devices, join happens via the on-premises AD; this setting only gates cloud-native joins.
Maximum number of devices per user. Default is 50. No action needed for most fleets, but in shared-PC scenarios or high-turnover environments this can become a quota issue.
Require multifactor authentication to join or register devices. Leave this off during initial rollout. Enabling it before your MFA policies are solid will cause Autopilot failures at the join step — user can't complete MFA during OOBE without network access to their authenticator in some scenarios.
Entra ID Registered settings (for BYOD registration). If you have a BYOD population, ensure Users may register their devices is configured; this is separate from Entra join and governs the MAM-WE registration path.
Automatic Enrollment and Autopilot — the Dependency
Autopilot is not a separate enrollment mechanism — it is a configuration experience that runs on top of the standard Entra join + automatic MDM enrollment flow. When a device boots into Autopilot OOBE and the user signs in, the sequence is: Autopilot profile fetched → user authenticates to Entra → device joins Entra → automatic MDM enrollment triggers via the MDM discovery URL → Intune receives the enrollment and starts pushing the Autopilot deployment profile. If automatic enrollment is not configured, the Entra join succeeds but the MDM enrollment never fires, and the device sits in Entra with no Intune record. This is a silent failure — the user gets a desktop, but it's unmanaged.
Before you choose an enrollment path, confirm automatic enrollment is wired correctly. It is the prerequisite every path depends on. For GPO-based auto-enrollment of hybrid-joined machines, see GPO auto-enrollment and bulk methods — that flow uses a separate MDM enrollment trigger via Group Policy, but the MDM discovery URL configured here is still the endpoint it contacts.
Corporate fleet, all users in Intune, Autopilot deploymentMDM scope: AllSimplest path; every licensed user who joins a device gets managed automatically
Mixed tenant — some users BYOD MAM-only, others fully managedMDM scope: Some (group-scoped)Place fully-managed users in a group; BYOD users stay in MAM scope only
Pilot rollout — testing Autopilot with a subset of IT before broad deploymentMDM scope: Some (pilot group)Expand the group as confidence grows; avoid All until the first wave validates
Verification
Confirm the blade. Go to Entra admin center > Devices > Mobility (MDM and MAM) > Microsoft Intune. MDM user scope should show your intended value; URLs should be populated.
Test-enroll a device. Take a device (or an Autopilot-registered VM), sign in with a user in scope, complete OOBE or join via Settings > Accounts > Access work or school, then check Intune admin center > Devices > All devices for the new record within a few minutes.
Check the device's MDM enrollment state. On the device, run dsregcmd /status and verify MDMUrl shows the Intune enrollment endpoint and MDMEnrollmentState is enrolled.
Common misconfiguration symptoms
Device in Entra but not in Intune → MDM scope is None, or the enrolling user is not in the scoped group
Autopilot completes OOBE but policies never arrive → same root cause as above
MDM discovery URL is blank → broken Microsoft Intune entry in the Mobility blade; re-add it
Enrollment fails for BYOD users trying to register personal devices → check that MAM scope is set and the Entra ID Registered setting allows registration
Insights
Automatic enrollment is a tenant-wide prerequisite, not a per-deployment setting. Every Windows enrollment path — Autopilot, co-management, GPO-based hybrid, and manual — depends on this blade being correctly configured. Validate it before any other step.
Scope to a group for your first pilot, then expand to All. Switching from Some to All is instantaneous and affects all future joins; it doesn't retroactively enroll already-joined devices, so the risk of widening scope is low.
The "None" state is almost never intentional in production. If you inherited a tenant and Autopilot devices aren't showing in Intune, the MDM scope being None is the first thing to check — it's the most common root cause and the fastest fix.
MFA on device join is a trap for new deployments. Enable it only after your Conditional Access and MFA rollout is fully validated; requiring MFA during OOBE enrollment breaks Autopilot for users who can't complete MFA before they have a managed device.
MAM and MDM scope overlap is a support ticket waiting to happen. Document which groups are in which scope and enforce it with naming conventions. "MDM-Managed-Users" and "MAM-Only-BYOD" are clear; "Intune-Users" is not.
Get hardware hashes into the Autopilot service — OEM, manual, and Device Preparation paths.
Before a device can flow through an Autopilot deployment profile, the Autopilot service has to know it exists. That knowledge comes from a hardware hash — a 4K string that uniquely fingerprints the machine from its SMBIOS data, network adapter info, and TPM. Getting those hashes into your tenant is the first concrete step after wiring automatic MDM enrollment, and how you do it depends entirely on where the devices are coming from.
There is also a newer path — Autopilot Device Preparation — that eliminates pre-registration entirely. Understanding when to use the hash-based classic flow versus the new model is the real decision this page helps you make.
Applies toWindows 10 / 11, Intune + Entra ID P1
Console pathDevices > Enrollment > Windows Autopilot devices
RequiresGlobal Admin or Intune Service Admin for import; reseller relationship for OEM path
GotchaHash import triggers a background sync — devices are not assignment-ready for up to 15 minutes after upload
The Four Registration Paths
Path
Who does it
When to use
Pre-registration required
OEM / reseller direct
Your hardware vendor
New hardware from a CSP or OEM with Autopilot programme support
✅ Yes (at order time)
Manual CSV import
IT, via PowerShell + console
Existing fleet, ad-hoc adds, small batches, devices not sourced through a registered reseller
✅ Yes
Intune diagnostics auto-registration
Automatic, on Intune-managed devices
Converting already-enrolled devices into Autopilot-registered devices without hands-on collection
✅ Yes (done automatically)
Autopilot Device Preparation
Not applicable
New Entra-joined corporate deployments where you want zero pre-registration overhead
❌ No
Path 1 — OEM and Reseller Direct Registration
This is the cleanest path for new hardware at scale. Your hardware vendor (Dell, HP, Lenovo, Surface, etc.) registers the hardware hash directly into your tenant at time of order, provided your Microsoft reseller relationship is configured. In practice: give your reseller your Intune tenant ID, place the order, and the devices appear in Devices > Enrollment > Windows Autopilot devices before the boxes arrive.
Get your tenant ID to the reseller early
The reseller needs your Entra tenant ID (not your domain name). Find it at Entra admin center > Overview. Pass it with the purchase order — retroactive registration after shipping is manual work.
Path 2 — Manual CSV Import via Get-WindowsAutopilotInfo
For existing fleet or devices from non-registered channels, you collect the hardware hash with the Get-WindowsAutopilotInfo PowerShell script and import the resulting CSV.
Install the script on the target device. From an elevated PowerShell prompt: Install-Script -Name Get-WindowsAutopilotInfo -Force. The device needs internet access to reach the PowerShell Gallery, or you can pre-stage the script.
Run the collection.Get-WindowsAutopilotInfo -OutputFile C:\hash.csv. The CSV contains the serial number, Windows product ID, and hardware hash columns Intune expects. Add -GroupTag YOURTAG here if you want group tags baked in at collection time — saves a manual edit step later.
Import the CSV. Navigate to Devices > Enrollment > Windows Autopilot devices > Import. Upload the CSV. The import is asynchronous — click Refresh after a few minutes.
Trigger a sync. After import, hit Sync on the Autopilot devices blade. Wait up to 15 minutes before the device appears and is eligible for profile assignment.
CSV format pitfalls
The CSV header must be exact: Device Serial Number,Windows Product ID,Hardware Hash — extra columns or BOM characters break the import silently.
Collecting from a device that has already completed OOBE will still work, but the device must be wiped and re-imaged for Autopilot to run; the hash is valid but OOBE has already fired.
Do not collect hashes from VMs unless you are specifically testing — VM hashes fail Autopilot's TPM checks on physical deployment.
Path 3 — Intune Diagnostics Auto-Registration
For an already-managed Windows fleet, Intune can register devices into Autopilot without any manual hash collection. Enable Convert all targeted devices to Autopilot inside an Autopilot deployment profile assignment, or use the dedicated Windows Autopilot deployment profiles > Properties > Assignments toggle. Intune pushes an enrollment status update that registers the hardware hash the next time the device checks in. This is the lowest-friction path for brownfield conversion of an existing managed fleet.
Group Tags — The Dynamic Targeting Lever
A group tag is a free-text string written into the Autopilot device record. It is the primary way you drive device identity and naming conventions and membership in dynamic Entra groups, which in turn control which Autopilot deployment profile applies.
A dynamic device group rule targeting group tag looks like:
Set the group tag at CSV collection time (-GroupTag parameter), at import via the console, or edit it post-import on individual device records. Common schemes: Corp-Win11, Kiosk-Retail, PreProv-Finance. Keep tags consistent — they are case-sensitive in dynamic group rules.
One tag, one profile
A device can only have one group tag, and the Autopilot profile assigned is the highest-priority match. Design your tag taxonomy before bulk-importing hundreds of devices.
Import and Sync Delays — What to Expect
Hash-based registration is not instantaneous. After a CSV import or OEM batch registration, the devices enter a background sync queue. The realistic timeline:
Import accepted: visible in the console within 2–5 minutes after upload or OEM push.
Profile assigned: dynamic group membership evaluation adds another 5–15 minutes once the device appears.
Sync to the device: the Autopilot profile downloads during OOBE when the device reaches the network connectivity screen and calls the Autopilot service endpoint — no waiting at your end.
If a device powers on and hits OOBE before the profile is assigned, it flows through as a standard Entra join — not an Autopilot flow. The profile must be assigned before OOBE. Confirm in the console that the device shows a profile status of Assigned before shipping it.
Classic Autopilot vs. Autopilot Device Preparation
Autopilot Device Preparation is the newer model and solves the pre-registration problem entirely. Instead of seeding a hash, you configure a Device Preparation policy that applies to any Entra-joined device in a target group — no OEM registration, no CSV import. The trade-off is that Device Preparation uses a different, lighter OOBE flow and has different profile capabilities than classic user-driven Autopilot.
You buy from a registered OEM/reseller and want the full classic OOBE (skip EULA, branding, pre-provisioning)Classic Autopilot + OEM registrationFull OOBE control; requires hash registration at order time
You have an existing managed fleet and want to onboard it to Autopilot without touching each machineClassic Autopilot + auto-registration toggleIntune registers the hash at next check-in; brownfield-friendly
You want zero pre-registration overhead for new corporate Entra-joined devices going forwardAutopilot Device PreparationNo hash needed; lighter OOBE; best for greenfield modern deployments
You have random hardware from unknown channels and need Autopilot nowManual CSV importPowerShell collection + import; most flexible but most hands-on
Insights
Validate the hash before shipping the device. Confirm the device shows Profile status: Assigned in the Autopilot devices blade before it leaves your hands. A device with an unassigned profile will complete a plain Entra join, not an Autopilot flow — recoverable, but painful for the end user and the helpdesk.
The group tag is your deployment-mode selector. Every profile, every naming template, every pre-provisioning gate flows from the group tag. Treating it as an afterthought is the single most common Autopilot configuration mistake in mid-size deployments.
OEM registration lag is real. Resellers batch-register on their own schedule. Order-to-appearing-in-tenant can be 24–48 hours for some OEMs. Do not plan an Autopilot pilot for the day the hardware arrives.
Do not collect hashes in Audit mode or from freshly imaged OS installs without Sysprep. The hash from an un-Sysprepped image may not match what the device presents after a reset; always collect from Windows running in its shipped OOBE-ready state or after a full reset.
Device Preparation changes the architecture, not just the registration. If you adopt Device Preparation, read its policy model carefully — it does not use deployment profiles or ESP in the same way, and the assignment logic targets users, not devices.
Build the user-driven Autopilot profile and assign it to a dynamic device group.
The Autopilot deployment profile is the policy object that defines what OOBE looks like — how the device joins your directory, what the user sees and doesn't see, and whether the resulting account is a standard user or a local administrator. Get it wrong and every device that touches it enrolls wrong. Get it right and you never touch another OOBE screen again.
This page walks the full profile creation path for a standard user-driven Autopilot deployment, including the mode and join-type decisions you make once per tenant (or once per device population) and the per-profile OOBE knobs you tune for your workforce. Self-deploying mode is called out where it diverges, but the deep-dive lives on the pre-provisioning and self-deploying page.
Applies toWindows 10 21H2+, Windows 11 — Pro, Enterprise, Education
Console pathDevices > Enrollment > Windows Autopilot deployment profiles
RequiresIntune Plan 1 (M365 E3/E5 or EMS E3/E5); devices registered in Autopilot service
Gotcha"Convert all targeted devices to Autopilot" only runs once per assignment change — it does not re-run on profile edits
Mode and Join Type — the Two Decisions That Shape Everything
Before clicking Create, settle these two forks. They cannot be changed on an existing profile without deleting and recreating it.
Setting
User-Driven
Self-Deploying
Deployment mode
User signs in at OOBE; device gets user affinity
No user interaction; no user affinity — kiosk, shared, or pre-provisioning
Join type
Entra join (cloud-native) or Hybrid Entra join (on-prem AD write-back required)
Entra join only
TPM required
No (recommended, not enforced)
Yes — TPM 2.0 attestation is mandatory
Typical use
Corporate laptops assigned to named employees
Kiosk, shared PC, pre-provisioning staging
Hybrid join adds significant complexity
Requires the Intune Connector for Active Directory running on a domain-joined server with line-of-sight to a DC.
The device must reach a DC during OOBE. Off-network deployments require Always On VPN or a pre-provisioning step.
If you can go cloud-native (Entra join), do it. Hybrid is for orgs that still have hard AD dependencies.
Create the Profile — Step by Step
Step 1CreateNavigate to the profile wizard and pick the right template
Step 2Configure OOBESet join type, hide screens, lock the account type
Step 3Set naming templateOptional but strongly recommended before first deployment
Step 4Assign to a groupScope to a dynamic device group filtered by group tag or all Autopilot devices
Open the profile wizard. Go to Devices > Enrollment > Windows Autopilot deployment profiles > Create profile > Windows PC. The "HoloLens" option is for HoloLens 2 only — ignore it.
Name the profile intentionally. Use a name that encodes the mode and population, e.g. Autopilot-UserDriven-EntraJoin-Corporate. You will have multiple profiles eventually (executive, kiosk, pilot ring) and generic names cause assignment grief.
Set Deployment mode. Choose User-Driven for standard employee devices. Choose Self-Deploying only for kiosk or pre-provisioning scenarios — the TPM attestation requirement will fail any device without a compliant TPM 2.0 chip.
Set Join to Azure AD as. Choose Azure AD joined (Entra join, cloud-native) or Hybrid Azure AD joined. For Entra join — the right choice for most net-new deployments — nothing else is required at this step. Hybrid requires the Intune Connector already installed and a domain reachable at OOBE time.
Configure Out-of-box experience (OOBE) settings. These control what the user sees between power-on and reaching the desktop:
Microsoft Software License Terms — set to Hide. The user accepted terms at purchase/HR onboarding; showing this again just creates confusion.
Privacy settings — set to Hide. Pre-answer these with a Configuration profile; showing the privacy dialog mid-OOBE causes drop-offs and inconsistent state.
Hide change account options — set to Hide. You do not want users switching to a personal Microsoft account at enrollment.
User account type — Standard for most environments. Administrator only if you have a specific operational reason; standard user + LAPS for emergency local admin is the right pattern. This setting determines the local privilege of the enrolled Entra account on the device.
Language/Region — leave as OS default unless you are pre-answering region selection for a single-locale deployment. If set explicitly, users in other regions will silently get the wrong keyboard layout.
Automatically configure keyboard — set to Yes if you set a specific language above; irrelevant if left at OS default.
Apply device name template. This is optional but do it now — renaming enrolled devices later requires a wipe or reset. Use the token syntax: CORP-%SERIAL% or LT-%RAND:5%. Keep names under 15 characters to avoid NetBIOS truncation artifacts in hybrid environments. See the device naming and identity hygiene page for token reference and length limits.
Review + Create. No assignments yet — do that next.
Assign the Profile to a Dynamic Device Group
Autopilot profiles are assigned to Entra device groups, not user groups. The device must be in the target group before it reaches the Autopilot service during OOBE — profile resolution happens at device registration, not at user sign-in.
Create a dynamic device group in Entra. The most common rule targets your group tag:
(device.devicePhysicalIds -any _ -eq "[OrderID]:Corp-Standard") Or target all Autopilot-registered devices:
(device.devicePhysicalIds -any _ -eq "[ZTDID]") The [ZTDID] rule catches every device in the Autopilot service regardless of group tag — useful for a catch-all default profile.
Assign the profile. Open the profile, go to Assignments, add the dynamic device group as Included groups. Save.
Wait for dynamic group membership to resolve. Entra dynamic groups can take up to 15–30 minutes to populate after a device is imported. Do not attempt OOBE immediately after registration; the profile will not resolve and the device will get a generic Windows setup instead of your Autopilot experience.
Convert all targeted devices to Autopilot
The profile assignment page has a Convert all targeted devices to Autopilot toggle. When set to Yes, any Intune-managed device that lands in the assignment group will be registered into the Autopilot service automatically — no manual hash upload required. This is a one-time conversion per assignment state change, not a continuous sync, so do not rely on it as a substitute for proper registration at procurement.
Choosing the Right Profile per Device Population
Named employee, cloud-native tenant, no AD dependencyUser-Driven + Entra JoinFastest deployment path, no on-prem infrastructure at OOBE time
Named employee, hard AD dependencies (Group Policy, file shares, legacy apps)User-Driven + Hybrid Entra JoinAdds DC connectivity requirement and Intune Connector complexity
Kiosk, shared workstation, or IT-staged device with no assigned userSelf-Deploying + Entra JoinNo user OOBE interaction; requires TPM 2.0 and clean attestation
IT-staged device that will later be handed to a userUser-Driven + Pre-Provisioning (White Glove)IT runs device-phase ESP in the warehouse; user only completes account-phase on first use
Common Mistakes and Failure Modes
Profile assignment timing and registration sync
Profile not resolving at OOBE: Device not yet in the dynamic group. Wait for group membership to compute or use a static group with the device pre-added.
Wrong account type applied:Administrator selected in the profile and not caught until a security audit. Audit this setting on every profile — it is not visible on the device inventory view.
Device name template truncated: A template that produces names over 15 characters causes silent truncation on Hybrid join; the device registers with a different name than expected, breaking GPO targeting.
Self-Deploying mode failing at attestation: VM or older hardware without TPM 2.0. Error code 0x800705B4 at the TPM attestation screen means no TPM or TPM not ready — switch to user-driven or provision the TPM in BIOS.
Hybrid join timing out during OOBE: Device can't reach a DC. VPN or network connectivity issue, or the Intune Connector service is stopped. Check Connector health in Devices > Enrollment > Windows Autopilot > Intune Connector for Active Directory.
Insights
One profile per distinct device population, not per team. Profiles encode join type and OOBE behavior — not org chart. Teams get their apps and config via group-targeted policies, not separate Autopilot profiles.
Standard user is the right default. The instinct to give developers or power users admin via the Autopilot profile account type is almost always a mistake. Use elevation mechanisms (LAPS, Just-in-Time access) instead of baking admin into the enrollment profile.
Test with a physical device, not a VM, for self-deploying. VMs consistently fail TPM attestation. Validating self-deploying mode in a VM gives a false negative; borrow a real laptop for the test.
The "Convert all targeted devices" toggle is not a registration strategy. It converts existing managed devices — it will not catch newly purchased hardware arriving unregistered. OEM registration or hash upload at procurement is still required for new stock.
Profile priority matters when a device matches multiple assignments. If a device group is targeted by two profiles, the profile with the lower priority number wins. Number profiles explicitly and document the intent — the default ordering is creation order, which is fragile.
Make first-boot blocking ESP a help, not a hang — apps, timeouts, and the escape hatches.
The Enrollment Status Page (ESP) is the progress screen users see during the Windows Out-of-Box Experience after signing in. It blocks desktop access while Intune pushes device configuration and apps — which is exactly what you want during Autopilot provisioning. Get it right and users reach a fully configured desktop on first boot. Get it wrong and they stare at a frozen progress bar for 90 minutes until a technician intervenes, or the device reboots into a retry loop. The ESP configuration is where most Autopilot deployments either shine or fall apart.
The ESP has two phases: Device setup (runs in the system context, before user sign-in) and Account setup (runs in the user context, after sign-in). In user-driven Autopilot the user sees both. In pre-provisioning (White Glove), the technician sees the device phase; the end user only sees account setup. Understanding this split is prerequisite to choosing your blocking app set intelligently. The full ESP reference page covers the technical internals; this page focuses on building the policy that ships.
Applies toWindows 10 21H2+, Windows 11 — Autopilot user-driven, self-deploying, and pre-provisioning
Console pathDevices > Enrollment > Windows > Enrollment Status Page
RequiresIntune Plan 1 / M365 E3+; devices already registered for Autopilot
GotchaToo many blocking apps is the single biggest cause of ESP timeouts in production
How ESP blocking works
When you mark an app as a blocking app, the ESP will not allow the user to proceed past that phase until the app reports as successfully installed. The ESP polls Intune for status — if an app install fails, stalls, or the device cannot reach the CDN, the page waits until it either succeeds or hits your configured timeout. Every app you add to the blocking list is a potential failure point that holds the entire OOBE hostage. Win32 apps tracked via the Intune Management Extension are especially prone to this; the IME must start, the app must download, install, and report back — over whatever bandwidth the user has at home.
Create or edit the ESP profile
Step 1Open the ESP bladeDevices > Enrollment > Windows > Enrollment Status Page — a Default profile exists in every tenant.
Step 2Configure settingsShow app and profile configuration progress, set timeout, choose blocking behavior and escape hatches.
Step 3Select blocking appsUnder "Block device use until these required apps are installed" — add only your truly critical set.
Step 4Assign and scopeAssign to the same Entra group your Autopilot profile targets; higher-priority profiles win when multiple match.
Step-by-step configuration
Navigate to the ESP blade. Go to Devices > Enrollment > Windows > Enrollment Status Page. You'll see a Default profile that applies to all devices. Either edit it or create a new profile with higher priority for your Autopilot group.
Enable "Show app and profile configuration progress". Set this to Yes. Without this, the ESP shows a blank screen and the user has no idea what's happening. This is the only setting that makes the ESP visible.
Set the installation timeout. The default is 60 minutes. For most fleets 60 is too long — users sitting at an unresponsive OOBE screen for an hour is a bad experience and a support call. A timeout of 30 minutes is a reasonable start. If you have large Win32 apps in your blocking list you may need to increase it, but if you're hitting 60 minutes you have a deeper problem: too many blocking apps or a network issue. See Autopilot and ESP failures for the diagnostic approach.
Configure error handling. Three toggles govern what the user can do when something goes wrong:
Show error when installation takes longer than specified number of minutes — leave this Yes; it surfaces the failure rather than silently stalling.
Allow users to collect logs — set to Yes in pilot; users and helpdesk can grab MDMDiagnostics from the error screen without needing to exit OOBE.
Allow users to reset device if installation error occurs — set to Yes for self-service recovery in production. This lets a user trigger an Autopilot reset without calling IT.
Allow users to use device if installation error occurs — the "Use device anyway" escape hatch. Set to Yes for devices where a partial config is acceptable. Set to No for high-security scenarios or pre-provisioned devices where you want a hard gate.
Block device use until required apps are installed. Toggle this to Yes to enable blocking app selection. Then use Select apps to choose which apps must install before the user can proceed. This list should be ruthlessly short — see the blocking app recommendations below.
Turn off the page if setup is completed before timeout. Set to Yes. When all apps install quickly, the ESP will dismiss itself and the user reaches the desktop without an extra click. Small UX win that matters when you're deploying thousands of devices.
Assign the profile. Assign to your Autopilot device group or the dynamic group scoped to your group tag. The Default profile catches everything else — useful as a fallback with a permissive configuration.
The blocking app decision
This is the highest-stakes configuration decision on the entire page. The correct default answer for most tenants is: block on one to three apps maximum. The reasoning is simple — every blocked app is a potential hang point, and a hung ESP means an unproductive user and a support call.
App type
Block at Device phase?
Block at Account phase?
Notes
Company Portal
✅ Yes
—
Required for compliance; installs quickly from the Store
Microsoft 365 Apps (Office)
❌ No
Maybe
Large download; block only if users genuinely need it before first login; prefer streaming
Corporate VPN client
✅ Yes (if pre-prov)
❌ No (user-driven)
Block at device phase only if required for domain connectivity at provisioning
Endpoint security agent (e.g. Defender for Endpoint onboarding)
✅ Yes
—
Small, fast, critical; MDE onboarding package via Intune deploys quickly
LOB / Win32 apps
❌ No
❌ No
Move to Required/post-enrollment delivery via Win32 app targeting; do not gate OOBE on them
OneDrive (KFM)
❌ No
❌ No
Already present on Windows 11; KFM config applies post-desktop via Settings Catalog
The classic ESP failure pattern
Engineers add 8–12 apps to the blocking list "to make sure they're there on first boot".
One Win32 app has a slow CDN or a dependency that fails silently.
ESP hits the 60-minute timeout. User sees an error. Resets the device. Repeat.
The fix: remove all but 2–3 blocking apps. Deliver everything else as Required with no ESP gate. Users get to the desktop faster and apps continue installing in the background.
Test with diagnostics before you go broad
Enable Allow users to collect logs during your pilot ring. When an ESP stall occurs, the user or technician can pull the MDMDiagnosticsTool report directly from the error screen — no Shift+F10 or recovery console needed. That log tells you exactly which app or CSP is blocking.
Profile priority and the Default profile
If multiple ESP profiles apply to a device, the one with the lowest priority number wins (Priority 1 beats Priority 2). The Default profile always has the lowest priority — it's the fallback for devices that match no other profile. A clean pattern is: Default profile with ESP disabled (or permissive), and a higher-priority profile scoped to your Autopilot group with full ESP enabled. This prevents ESP from blocking dev or test machines that enroll outside the Autopilot flow.
Pre-provisioning considerations
In pre-provisioning (White Glove), the technician runs the device-setup phase in your facility before shipping the device to the end user. Blocking apps assigned to the device context install during the technician's session. When the end user powers on, they only face the account-setup phase — which is dramatically faster if you've kept device-phase apps lean. This is the strongest argument for keeping LOB app delivery out of the ESP blocking list and handling it as tracked background installation after the user reaches the desktop.
Insights
ESP timeout errors are almost always a blocking-app problem, not a network problem. When you see widespread ESP timeouts across different sites and connections, look at the blocking app list first — one misbehaving Win32 app is the culprit 80% of the time.
The Default profile's settings are what every device gets if you forget to assign a custom profile. Keep the Default profile permissive (short timeout, "Use device anyway" enabled) so a misconfigured assignment doesn't brick your entire provisioning pipeline.
"Block device use until required apps are installed" and an empty app list still blocks. If you toggle the setting to Yes but don't add any apps, the ESP may behave unexpectedly depending on how Intune evaluates the empty list — always populate the list or leave the toggle off.
Store apps (WinGet / Microsoft Store for Business successor) install faster than Win32. Company Portal, for example, installs in under two minutes from the Store. Win32 apps depend on your CDN, detection logic, and the IME startup sequence — much more failure surface.
The "Allow users to use device anyway" setting is not a security risk for most deployments. The user gets to the desktop, but Conditional Access will deny access to corporate resources until the compliance policy passes — which gives you a real enforcement backstop beyond the ESP. See the deep-dive ESP page for the interaction with compliance grace periods.
Log collection from the ESP screen saves hours of remote troubleshooting. A user can press the Collect logs link, save to a USB drive, and hand it to IT — or upload it — without ever needing shell access. Enable it in all environments.
Land your Settings Catalog config and security baseline on day one, conflict-free.
By the time a Windows PC finishes its Autopilot enrollment, two configuration layers need to be waiting for it: a Settings Catalog baseline profile covering your organization's hardening and operational settings, and the Microsoft security baseline for Windows that locks in CIS-aligned defaults. Deploying both on day one means every enrolled device is immediately in a known, consistent state — not a gray zone where policy arrives hours later and compliance flips back and forth.
The catch is that the Microsoft security baseline is itself a Settings Catalog profile under the hood, and Settings Catalog uses a "last-write-wins" merge for conflicting settings within the same CSP subtree. Stack your org baseline on top of the Microsoft baseline carelessly and you will have silent conflicts that are genuinely hard to trace. This page walks the right order of operations, where the conflict trap lives, and how per-setting reporting confirms everything landed.
Applies toWindows 10 21H2+ / Windows 11, Entra-joined or Hybrid-joined
Console pathDevices > Windows > Configuration
RequiresIntune P1 (included in M365 E3/E5, EMS E3/E5)
GotchaSettings Catalog and the legacy Security Baselines node both write to overlapping CSPs — pick one layer for each setting
The Two-Layer Model
Think of your day-one configuration as two explicit layers with defined ownership:
Layer
What goes here
Profile type
Who owns it
Microsoft Security Baseline
CIS/NIST-aligned OS hardening defaults — credential protection, audit policy, Windows Defender, network, UAC
Settings Catalog (via the Security Baselines node or direct import)
Microsoft, updated each Windows version
Org Settings Catalog Baseline
Everything specific to your fleet: update rings, OneDrive KFM, Edge policy, corporate branding, diagnostic settings, any setting the Microsoft baseline doesn't touch
Settings Catalog
Your team — versioned in source control
The discipline is strict: if the Microsoft baseline already configures a setting, your org profile must not re-configure the same setting unless you have a documented reason to override it. Duplicating a setting across profiles does not cause a hard error — but it causes "conflict" state in reporting and the actual effective value depends on profile priority, which is opaque and changes when you rename or re-order profiles. See Policy Conflicts and GPO Overlap for how to untangle those situations.
Step 1: Deploy the Microsoft Security Baseline
Step 1Navigate to Security BaselinesEndpoint security > Security baselines > Security Baseline for Windows 10 and later
Step 2Create a profileSelect the latest baseline version — do not pin to an old version without a reason
Step 3Review every non-default settingDocument any deviation and your rationale before saving
Step 4Assign to your pilot device groupValidate on pilot first; promote to broad device group after one week of clean reporting
Open the baseline node. Go to Endpoint security > Security baselines. You will see Security Baseline for Windows 10 and later, Microsoft Defender for Endpoint Baseline, and Microsoft Edge Baseline listed separately. Start with the Windows baseline only — do not stack all three on day one.
Create a new profile. Click the baseline, then Create profile. Name it clearly: WIN-SecBaseline-v24H2-Prod or similar so version and ring are obvious in the list.
Step through Configuration settings. Most organizations accept the defaults. The settings that most commonly need adjustment are: Block all incoming connections (breaks some LOB apps if left on), Require Admin approval mode for admin accounts (UAC behavior), and any Defender setting your endpoint security team already manages via a separate Defender policy. Flag each override and note which CSP node it touches — you will need this list to audit your org baseline for conflicts.
Assign to a pilot device group first. Create a static or dynamic Entra group (GRP-Intune-Pilot-Devices) scoped to your test fleet. Apply the baseline here. Only after the Device and user check-in status report shows Succeeded for all devices should you assign it to the full fleet group.
Baseline versions and updates
Microsoft releases new baseline versions alongside major Windows releases. When a new version appears, Intune prompts you to update existing profiles — review the diff of changed settings before accepting. Devices stay on the old version until you explicitly update the profile.
Step 2: Build and Deploy the Org Settings Catalog Profile
Your org baseline lives in Settings Catalog and covers the operational and experience layer the Microsoft baseline deliberately leaves alone. The IntuneNerds Windows Baseline gives you a pre-built, field-tested starting point you can import via JSON rather than building from scratch.
Start from the IntuneNerds baseline JSON. Import the baseline profile via Devices > Windows > Configuration > Import. This creates a Settings Catalog profile pre-populated with community-validated settings. Review every setting against your deviation list from Step 1 before saving.
Audit for overlap with the security baseline. Open the imported profile and scan for any setting that also appears in the Microsoft Security Baseline you configured in Step 1. Settings Catalog will not warn you — you have to check manually. Common overlaps: BitLocker settings, Windows Defender real-time protection, SmartScreen, Audit policy settings. Remove duplicates from your org profile and let the Microsoft baseline own them.
Configure org-specific settings. Add or confirm: OneDrive KFM silent configuration (./Device/Vendor/MSFT/Policy/Config/OneDrive), Edge browser policy (homepage, search engine, extension allowlist), update ring deferrals if not using a dedicated update ring profile, and any regulatory/compliance settings your auditors require.
Assign to device groups. Assign to the same pilot group first. Use Required intent — this is a device baseline, not optional. Exclude any kiosk or shared-PC device groups that have their own dedicated profiles.
Promote to production. Once the pilot shows clean, assign the org baseline profile to your broad All Managed Windows Devices group (or equivalent dynamic group filtering on deviceOSType -eq "Windows").
The conflict trap in practice
A Settings Catalog setting configured in two profiles assigned to the same device enters Conflict state. The device does not inherit from either — the setting is effectively unmanaged.
The Security Baselines node and Settings Catalog profiles are not conflict-aware with each other. A setting in a Security Baseline profile that is also in a Settings Catalog profile will show "Conflict" in per-setting status even though the Security Baseline technically wins for its own settings.
The symptom in reporting: the setting shows Conflict in the per-device status column even though both profiles say "Succeeded" at the profile level. Always check per-setting status, not just profile-level status.
Assignment and Order of Operations
Assign both profiles to device groups, not user groups. Policy assigned to user groups applies when a user signs in — device groups apply at enrollment time, before a user account exists on the machine. For Autopilot flows, device-group assignment means both profiles are processing during the Device ESP phase, not deferred until account setup.
What to assign to
Why
Device group (dynamic: all Autopilot devices, or by group tag)
Policy lands during Device ESP, before user sign-in ✅
User group
Policy delayed until user account setup phase — security baseline missed on first boot ❌
"All Devices" built-in group
Fine for broad deployment, but cannot be excluded from easily — use a custom group for pilot staging ✅
Validating with Per-Setting Reporting
Profile-level reporting ("Succeeded / Failed / Error") tells you almost nothing useful. The setting that matters is one level deeper.
Open the profile. Go to Devices > Windows > Configuration > click your profile name.
Select Device and user check-in status. This gives the per-device summary. Click a specific device to see per-setting status for that device.
Look for Conflict and Not applicable. Conflict means two profiles are writing the same setting. Not applicable means the CSP is not supported on that OS edition or version — flag if it shows up on expected hardware.
Use the Settings filter. In the profile overview, use Filter by setting to pull all devices where a specific CSP path is in Conflict. This is the fastest way to identify exactly which setting needs to be removed from one of the two profiles.
Check the Security Baseline report separately. Under Endpoint security > Security baselines > your profile > Device status, you get the same per-device drill-down. Cross-reference this with your Settings Catalog profile report when you see unexplained conflicts.
Graph for fleet-wide validation
For tenants with hundreds or thousands of devices, querying GET /deviceManagement/deviceConfigurations/{id}/deviceSettingStateSummaries via Graph gives you a rollup of success, conflict, and error counts per CSP setting across the entire assignment — faster than clicking through the portal per device.
Insights
Never configure the same setting in both a Security Baseline profile and a Settings Catalog profile. The portal will not stop you, the conflict shows up days later in reporting, and it is genuinely hard to explain to an auditor why your security baseline setting is in "Conflict" state.
The Microsoft Security Baseline is not a complete config — it is intentionally minimal. It does not configure OneDrive, Edge, update rings, or app deployment. Those belong in your org profile. See Security Baselines for the full breakdown of what each baseline version covers.
Import the IntuneNerds community baseline rather than building from scratch. The Windows Baseline import guide walks the JSON import path; the settings are pre-audited against the Microsoft baseline for conflicts so you do not start from zero.
Assign to device groups scoped by group tag, not "All Devices," for your initial rollout. This gives you a break-glass exclusion: if the baseline causes app breakage, remove a device from the group tag without touching the profile assignment for the rest of the fleet.
The baseline is a living document. When Microsoft releases a new Windows baseline version, the diff includes both new settings and settings where the recommended value changed. Review it as you would a software dependency update — not a rubber stamp.
M365 Apps, Edge, and your Win32 essentials — required vs available, and the ESP interplay.
Getting apps onto a device during enrollment is where Autopilot deployments succeed or stumble. The day-one app set needs to be disciplined: too many blocking apps and the Enrollment Status Page (ESP) times out; too few and users arrive at a half-configured desktop. The goal is a lean required set that installs silently during ESP, a broader available set delivered post-enrollment through Company Portal, and a clear dependency chain that doesn't create circular install failures.
This page covers the four pillars of a Windows day-one app deployment: Microsoft 365 Apps (the integrated app type), Microsoft Edge, OneDrive with Known Folder Move, and your Win32/Enterprise App Catalog essentials. Each has its own delivery mechanism and its own ESP behavior — understanding the differences saves you from the most common first-boot failures.
GotchaWin32 apps in ESP blocking list must have all dependencies also in the list
Microsoft 365 Apps — the Integrated App Type
Don't deploy M365 Apps as a Win32 package or an ODT script unless you have a specific reason. Intune ships a first-class Microsoft 365 Apps for Windows 10 and later app type that handles channel management, update rings, and architecture selection natively.
Create the app. Navigate to Apps > Windows > Add and select Microsoft 365 Apps for Windows 10 and later as the app type.
Choose your app suite. Select the apps to include (Word, Excel, PowerPoint, Outlook, Teams, etc.). Omit apps your org doesn't license — a smaller footprint installs faster and reduces ESP blocking time.
Configure via XML or the UI. The built-in configurator handles most tenants. For advanced scenarios — shared activation, 32-bit on 64-bit OS, specific language packs, or excluding Bing — paste a custom configuration.xml produced by the Office Customization Tool. Key attributes: Channel (Current, MonthlyEnterprise, or SemiAnnual), Architecture (64 for nearly everyone), and ExcludeApp for unwanted components.
Assign as Required to your device group. Target the same Entra dynamic device group your Autopilot profile targets. Set the assignment as Required so it installs silently. Do not mark M365 Apps as a blocking ESP app unless your org genuinely cannot function without it at first boot — it's large and install time is variable.
Channel discipline
MonthlyEnterprise Channel is the right default for managed fleets — it gives you a one-month deferral over Current Channel, consistent patch timing, and monthly-only updates. Current Channel is for early-adopter rings. SemiAnnual is for regulated/LOB-compatibility scenarios and carries a real supportability cost.
Edge is pre-installed on Windows 11 and ships with Windows 10 20H2+, so you usually don't need to deploy the browser binary itself. What you do need to deploy is Edge management policy (Settings Catalog under Devices > Windows > Configuration) to set the home page, disable sync to personal accounts, configure the enterprise new tab page, and pre-pin favorites. If your fleet includes older Windows 10 images that ship without the Chromium Edge, add the Microsoft Edge (Stable Channel) app from the Microsoft app catalog — it's a zero-packaging, auto-updating managed app type.
Don't block first boot on Edge
Edge policy applies after the device checks in — it doesn't need to be in the ESP blocking list.
Marking the Edge app itself as an ESP blocking app causes unnecessary delays on Windows 11 where Edge is already present.
OneDrive and Known Folder Move
OneDrive is pre-installed on Windows 10/11 and signs in automatically on Entra-joined devices when the user authenticates via SSO. The business value is in Known Folder Move (KFM): silently redirecting Desktop, Documents, and Pictures into OneDrive so they're backed up from day one. Configure KFM via Settings Catalog — OneDrive > Silently move Windows known folders to OneDrive — and set your tenant ID as the value. For full configuration options and the no-prompt vs prompt toggle, see the OneDrive and Known Folder Move page.
KFM policy lands as configuration, not an app — it doesn't belong in the ESP blocking list and doesn't require an app assignment. OneDrive syncs begin after the user reaches the desktop. Expect the first sync to take minutes to hours depending on existing data.
Win32 Apps and the Enterprise App Catalog
Win32 is the delivery mechanism for anything that isn't M365 Apps, a Store app, or a first-party Microsoft app with its own catalog entry. Wrap installers with the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) to produce .intunewin packages, then deploy via Apps > Windows > Add > Windows app (Win32).
Before wrapping manually, check the Enterprise App Catalog (formerly Enterprise App Management). An expanding library of pre-packaged, Microsoft-maintained Win32 apps — including common tools like 7-Zip, Notepad++, and VLC — are available there with zero packaging effort and automatic update management. Use catalog apps where they exist; reserve custom packaging for your LOB tools.
For deep-dive packaging, detection rules, requirements, and update supersedence, see the Win32 Apps guide.
Required vs Available — and the ESP Gate
Assignment intent
When it installs
Blocks ESP?
User action needed?
Required
Automatically at enrollment / check-in
Only if added to blocking list
❌ None
Available
On demand via Company Portal
❌ Never
✅ User installs
Required (ESP blocking)
During device setup phase
✅ Yes — device can't proceed until installed
❌ None
Uninstall
On next check-in
❌ Never
❌ None
Building the ESP Blocking App List
The Enrollment Status Page blocking list determines which apps must install before the user can reach the desktop. Every app on the list adds risk: if any one app fails or times out, the whole ESP stalls. Keep the list to three to five apps maximum. The criteria for inclusion: the app must be required for the device to be usable at all — not just "nice to have on day one."
Step 1Identify blocking candidatesWhat can't the user work at all without? Usually VPN client + endpoint security agent, occasionally a core LOB app.
Step 2Add dependencies to the list tooIf a blocking Win32 app has a dependency app, that dependency must also be in the blocking list or ESP will time out waiting for it.
Step 3Set a sane timeoutDefault is 60 minutes. 60–90 minutes is reasonable for a blocking set of 2–4 apps on a standard connection. Raise it before you go wide, not after.
Step 4Test the full OOBE flow on a pilot deviceTime the blocking install phase end-to-end. If it exceeds 20 minutes, trim the list or move apps to post-enrollment required.
The dependency trap
A Win32 app with a dependency will silently wait for that dependency to resolve before it installs. If the dependency is not also flagged as blocking, ESP sees the blocking app as "pending" and eventually times out.
Supersedence chains can create the same stall — if app B supersedes app A, and app A isn't in the blocking list, B may not install until A resolves first.
M365 Apps is almost never worth blocking on — it's large, download-time is variable, and users can do meaningful work without it for the minutes it takes to install post-desktop.
Dependency and Supersedence Basics
Dependencies express "install this app first." A Win32 app can declare one or more dependency apps; Intune installs dependencies before the parent. Auto-install the dependency if it isn't already present by setting the dependency relationship to Automatically install. If the parent app is Required, Intune will attempt to auto-install the dependency regardless of its own assignment.
Supersedence handles version upgrades and app replacements. When app B supersedes app A with Uninstall previous version enabled, Intune removes A before installing B. Use this to migrate from an old VPN client to a new one, or from a 32-bit to a 64-bit binary, without leaving orphan installs. Both dependency and supersedence graphs are defined in the app's Dependencies and Supersedence tabs under Apps > Windows > [app] > Properties.
Insights
The ESP blocking list is a contract, not a wishlist. Every app on it must succeed for first boot to complete. Discipline here prevents the most common Autopilot failure — a 90-minute hang at "Installing your organization's apps."
M365 Apps install time is not deterministic. It depends on channel, architecture, and internet speed. On a congested deployment day with 50 devices provisioning simultaneously, what took 12 minutes in the pilot can take 45 minutes in production. Don't block ESP on it.
Use the integrated M365 Apps app type, not a wrapped ODT script. The native app type gets update ring management for free and surfaces real per-device install state in Intune reporting — wrapped scripts report only exit code success.
KFM is quiet day-one insurance. A device that enrolls, runs KFM, and syncs Desktop/Documents to OneDrive is recoverable from a wipe with zero user data loss. Deploy it in every profile without exception.
Catalog apps reduce your maintenance surface. Microsoft-maintained Enterprise App Catalog entries auto-update and don't require you to repackage on every vendor release. Check the catalog before you build a custom Win32 wrap.
Silent BitLocker with key escrow and a passwordless Windows Hello rollout at enrollment.
BitLocker and Windows Hello for Business are two of the highest-value controls you configure at enrollment. BitLocker protects data at rest so a stolen laptop doesn't become a breach; Hello eliminates the password from the sign-in flow so phishing credentials becomes a dead end. Both can be deployed silently — no user interaction, no IT desk visit — when the prerequisites line up. Getting both right at day one is the standard every modern Windows fleet should hit.
This page walks silent BitLocker encryption with key escrow to Entra, and a Hello for Business rollout scoped to your Autopilot cohort. The two features are independent policies but they reinforce each other: a compliant device report in the next step will require both. See BitLocker and Disk Encryption for the full CSP reference, and BitLocker Recovery and Key Escrow for the operational recovery flow.
Applies toWindows 10/11 Pro, Enterprise, Education — Entra joined
Console path (BitLocker)Endpoint security > Disk encryption > BitLocker
Console path (Hello)Devices > Enrollment > Windows Hello for Business or Endpoint security > Account protection
RequiresTPM 2.0 (preferred), Intune P1/P2 or M365 E3/E5, Entra ID P1 for Hello cloud trust
GotchaSilent BitLocker fails silently if a third-party encryption product is detected — check MDM reports before assuming success
Silent BitLocker Encryption
Silent encryption means the drive encrypts in the background during Autopilot provisioning with no user prompt. It requires TPM, an Entra-joined device, and no competing encryption software. If any of those are missing, Windows falls back to user-prompted encryption (or simply doesn't encrypt) and Intune reports the policy as "applied" — even though the disk isn't actually encrypted. That's the classic gap engineers discover during a compliance audit.
Prerequisites for Silent Encryption
TPM 2.0 present and ready (check via Get-Tpm — TpmPresent: True, TpmReady: True)
Device is Entra joined (pure or Entra primary — hybrid-joined devices can also use silent encryption with the correct policy)
No third-party disk encryption software active (Symantec Encryption, McAfee EEPC, etc. block silent mode)
UEFI Secure Boot enabled — some older hardware in BIOS compat mode won't support silent mode
The logged-on user must not be a standard user during encryption trigger — Autopilot device-phase handles this cleanly
Silent encryption and WinPE/pre-boot
If you have a legacy imaging step (WinPE/SCCM task sequence) before Autopilot, the drive state may already have a failed encryption attempt. Wipe and start clean.
Devices with a TPM that is not cleared after a wipe sometimes show TpmReady: False. Clear the TPM in UEFI or via Initialize-Tpm -AllowClear before re-enrolling.
Create the BitLocker Policy
Step 1Create the policyEndpoint security > Disk encryption > Create policy > Windows > BitLocker
Step 2Set encryption settingsEnable silent encryption; XTS-AES 256-bit; escrow to Entra ID
Step 3Assign to device groupTarget your Autopilot device group — not user groups
Step 4Verify escrowEntra ID > Devices > [device] > Recovery keys within 15 min of encryption
Navigate to the policy node. Go to Endpoint security > Disk encryption > Create policy. Platform: Windows, Profile: BitLocker.
Configure OS drive settings. Under BitLocker - OS drive settings, set:
Disable BitLocker on devices where TPM is incompatible: No (let it fail visibly)
Enable key escrow. Under Recovery, set Save BitLocker recovery information to Azure Active Directory: Yes. Set Store recovery information in Azure Active Directory before enabling BitLocker: Require — this is the critical setting. If Intune can't escrow the key, encryption won't start. That's intentional: a device that encrypts without escrow is a recovery-key nightmare.
Set the encryption method.BitLocker encryption method: XTS-AES 256 for OS and fixed drives. This exceeds most compliance baselines.
Fixed and removable drives. Enable encryption for fixed data drives under the same profile. Removable drive encryption is optional — many orgs leave it off to avoid blocking USB drives; enforce read-only instead if needed.
Assign to devices. Assign to your Autopilot device group (not a user group). BitLocker is a device-state policy — user assignment causes timing gaps at first sign-in.
Verify escrow before you call it done
After enrolling a pilot device, open Entra ID > Devices > select the device > Recovery keys. You should see a BitLocker recovery key with a key ID. If it's empty, the disk is either not encrypted or encrypted without escrow — both are problems. The recovery and escrow operational guide has the audit-across-fleet Graph query.
Windows Hello for Business
Windows Hello for Business replaces the password at sign-in with a cryptographic credential tied to the device (TPM-bound private key) and unlocked by PIN or biometric. For Entra-joined devices in a cloud-native tenant, cloud trust is the right model: it uses Entra Kerberos to issue on-premises tickets where needed, without deploying a PKI or certificate authority. It's the lowest-friction path to passwordless for most orgs.
Tenant-Wide vs Policy-Scoped Enrollment
Method
How it works
When to use
Tenant-wide setting (legacy)
Devices > Enrollment > Windows Hello for Business — a single on/off toggle applied to all users at first sign-in
❌ Avoid — no targeting, no per-setting control, conflicts with policy-based approach
Account protection policy (recommended)
Endpoint security > Account protection > Windows Hello for Business profile — targeted, CSP-backed, full setting control
✅ Use this — assign to device or user groups, staged rollout, all settings exposed
Settings Catalog
PassportForWork CSP settings in a custom catalog profile
✅ When you need settings not exposed in the endpoint security template (e.g. gesture overrides)
Disable the tenant-wide toggle if using policy-based Hello
The tenant-wide toggle at Devices > Enrollment > Windows Hello for Business defaults to Not configured in new tenants — leave it there.
If someone has flipped it to Enabled, it creates a second Hello provisioning prompt that conflicts with your account protection policy. Set it back to Not configured and manage entirely through endpoint security policy.
Configure Hello for Business (Cloud Trust)
Check the prerequisite. Cloud trust requires Entra ID P1 (included in M365 E3/E5). If you have on-premises AD, you also need the Microsoft Entra Kerberos server object deployed on each AD domain — this is a one-time task via Set-AzureADKerberosServer. Cloud-only tenants skip this step entirely.
Create the account protection policy. Go to Endpoint security > Account protection > Create policy. Platform: Windows, Profile: Windows Hello for Business.
Set the key settings.
Configure Windows Hello for Business: Enable
Use a Trusted Platform Module (TPM): Required — do not allow software keys; they're weaker and not what you're selling to security
Minimum PIN length: 6 (NIST recommends 6+; 4 is weak)
Maximum PIN length: 127
Lowercase letters in PIN: Allowed
Use biometrics: Allowed — let users with capable hardware use fingerprint/face; don't force PIN-only
Use enhanced anti-spoofing, when available: Enabled
Use certificate for on-premises authentication: Disabled (cloud trust does not use certificates)
Use security keys for sign-in: Enabled if you're issuing FIDO2 keys, otherwise leave not configured
Assign the policy. Assign to your Autopilot device group or the user group receiving new devices. Hello provisioning runs at first sign-in post-enrollment — the user walks through a short PIN-setup flow in the "Set up a PIN" screen that appears after the desktop loads.
Hello provisioning timing with Autopilot ESP
Hello provisioning happens during the Account setup phase of the ESP. If your ESP is configured to block sign-in until all policies apply, the Hello prompt appears before the user reaches the desktop. This is correct behavior — the user sets their PIN once and is done. If they dismiss it or it times out, they can trigger it again from Settings > Accounts > Sign-in options. For a deeper look at the Hello CSP and advanced biometric settings, see Windows Hello for Business.
Recovery Key Self-Service
The highest-volume helpdesk ticket on a BitLocker fleet is "my laptop asked for a recovery key." You can eliminate most of those calls by pointing users to the self-service portal at myaccount.microsoft.com > Devices > select device > View BitLocker Keys. The key is only visible there if it was escrowed — which is why the "require escrow before encrypting" setting matters so much. Communicate this portal in your new-hire onboarding so users know it exists before they need it at 7am in a hotel lobby.
Do / Don't
Do
Set Store recovery key before enabling BitLocker to Require — encryption without escrow is a liability
Use the Account protection endpoint security template for Hello, not the tenant-wide toggle
Require TPM for Hello — software-based credentials defeat the whole point
Verify at least one pilot device shows a recovery key in Entra before mass rollout
Allow biometrics — it dramatically improves user adoption of Hello
Block TPM startup PIN and key in the BitLocker policy — those break silent encryption
Don't
Assume the BitLocker policy "succeeded" means the disk is encrypted — check the encryption report
Mix the tenant-wide Hello toggle Enabled with account protection Hello policy — you'll get duplicate provisioning prompts
Enable removable drive encryption without user comms — USB drives will appear to "break"
Deploy Hello cloud trust to hybrid-joined devices without deploying the Entra Kerberos server object first
Forget that a wiped and re-enrolled device needs its old recovery key rotated after re-encryption
Insights
Silent encryption fails silently. The Intune policy state says "Success" the moment settings land — not when encryption finishes. Check Endpoint security > Disk encryption > Encryption report for actual encryption status per device. A "Not encrypted" device with a "Success" policy is the most common gap.
Third-party AV with disk protection breaks silent mode. Carbon Black, CrowdStrike Falcon Sensor in certain configurations, and legacy endpoint products sometimes register a filter driver that Windows treats as a competing encryption product. Silent mode aborts. The fix is to sequence policy deployment: BitLocker encrypts first, then AV installs via ESP apps.
Hello provisioning rate matters for your compliance baseline. If your compliance policy requires Hello (as it should), devices where Hello provisioning was dismissed or failed will be noncompliant. Track Hello provisioning status via the Account protection report and the PassportForWork node in the MDM diagnostic log.
Cloud trust is the right default for new tenants. Key trust (the older model requiring a PKI and DC certificates) adds significant infrastructure. Unless you have a specific Kerberos/PKI requirement, cloud trust gives you the same on-premises auth capability with far less setup. The Hello for Business deep-dive compares the two trust models in detail.
PIN complexity is a user-experience lever. A 6-digit PIN is meaningfully stronger than a 4-digit one and most users accept it without pushback. Requiring mixed-case letters in the PIN substantially reduces adoption — save complexity requirements for high-privilege accounts where you can make the case.
Key rotation after wipe is a step most runbooks miss. When a device is wiped and re-enrolled, BitLocker re-encrypts with a new key. The old key in Entra is stale. Intune auto-escrows the new key, but confirm this after every Autopilot reset. The recovery and escrow page has the rotation procedure.
Define what "healthy" means for a Windows PC and gate resources on it.
A compliance policy is the contract you draw between your tenant and your devices: it states what a healthy Windows PC looks like, and every device either meets the bar or gets labeled noncompliant. That label has no teeth on its own — the teeth come from Conditional Access, which reads the compliance state and decides whether a user gets into Exchange, SharePoint, or any other protected resource. Together, compliance and CA are the policy enforcement layer that makes MDM management matter in security terms.
This page builds the Windows compliance policy your fleet needs on day one, sets up the noncompliance grace period and escalating actions, and wires the Conditional Access grant that blocks noncompliant devices. Pay close attention to the chicken-and-egg problem at first enrollment and the report-only rollout sequence — skipping either step is how IT locks themselves out of their own tenant on go-live day.
Applies toWindows 10 21H2 and later, Windows 11 — Entra-joined and hybrid-joined
RequiresIntune Plan 1 (or EMS E3/M365 E3+); Entra ID P1 for Conditional Access
GotchaDevices are marked compliant on first check-in before policies evaluate — CA must account for this grace window
Build the Windows Compliance Policy
Navigate to Devices > Compliance > Policies > Create policy and select Windows 10 and later. The settings that actually matter for a corporate fleet fall into five categories.
Device Health
Require BitLocker. Set to Require. Intune checks this via the Device Health Attestation service — specifically the DHA report, not just MDM self-report — so the device must prove BitLocker is on at boot level, not just that the policy was delivered.
Require Secure Boot to be enabled. Set to Require. Again sourced from DHA. Devices that disabled Secure Boot for dual-boot or legacy option-ROM reasons will fail here; decide whether that is acceptable before enforcement.
Require code integrity. Set to Require. This verifies that kernel-mode drivers are signed. Most modern hardware passes; older signed-driver exceptions typically do not.
Device Properties (OS Version Floor)
Set a minimum OS version. Use the format 10.0.19044.0 for a minimum build. Hard-code the oldest build you will support — typically the oldest you have on Update rings. Devices below the floor are immediately noncompliant; this gives you a forcing function for end-of-life builds. See the Compliance Policies for Windows deep-dive for per-build values.
Maximum OS version is optional and rarely appropriate for corporate fleets; leave it blank unless you are managing a locked build environment.
System Security
Require a password. For standard knowledge-worker laptops: require password, set complexity to Alphanumeric, minimum length 8, maximum minutes of inactivity before screen lock 5. These settings complement Windows Hello for Business — users who have enrolled Hello satisfy the password requirement via the Hello PIN/biometric.
Require encryption of data storage on device. Set to Require. This is the policy-layer check; BitLocker under Device Health is the attestation-layer check. Run both.
Require a firewall. Set to Require. The Windows Defender Firewall must be enabled on at least the active network profile. Domain-joined devices with a GPO firewall policy in place will pass — the compliance check looks at firewall state, not who configured it.
Require antivirus. Set to Require. Reads from Windows Security Center. Defender or any registered third-party AV counts.
Require Microsoft Defender Antimalware. Set to Require if you are standardizing on Defender. This is the specific Defender check, distinct from the generic antivirus check above.
Microsoft Defender Antimalware security intelligence up-to-date. Set to Require. Devices with stale signatures fail — useful forcing function, but expect a grace period of at least 24 hours to avoid false positives from overnight flights.
Attestation vs self-report
BitLocker and Secure Boot compliance checks that go through the Device Health Attestation service are cryptographically signed by the TPM and verified by Microsoft's cloud service — a device cannot fake them. Firewall and AV checks are self-reported via the MDM channel, which a compromised device could theoretically spoof. Understand what you are actually measuring.
Noncompliance Actions and Grace Period
Under the Actions for noncompliance section, the default is "mark device noncompliant" immediately (Day 0). That is the correct eventual state, but a zero-day mark combined with a CA policy that blocks access means a freshly enrolled device with slightly stale signatures gets locked out before the user has opened a single email. Build a grace window instead.
Day 0Send email to end userNotify the user their device is noncompliant and what to fix — before anything blocks.
Day 1Mark device noncompliantThe compliance state flips; CA will now evaluate it as noncompliant.
Day 3Send push notificationEscalate via Company Portal notification if the device is still out of policy.
Day 14Retire device (optional)For high-security environments: retire unenrollment after two weeks of unresolved noncompliance.
Do not set Day 0 mark-as-noncompliant with CA enforcement active
A device that enrolls and immediately gets a stale AV signature flag will be noncompliant before the user logs in for the first time.
If CA is enforcing compliant-device at Day 0, that user cannot authenticate to anything to trigger a sync to fix the issue.
The minimum safe pattern: Day 1 mark-as-noncompliant, with CA in report-only until you have confirmed your fleet is broadly compliant.
The Chicken-and-Egg Problem at First Enrollment
This is the most common go-live trap. A device enrolls via Autopilot. During the Enrollment Status Page, it has not yet received and evaluated all policies — BitLocker may be mid-encrypting, Defender signatures may be downloading. If your CA policy requires a compliant device and the device has not yet been evaluated, the user's Entra sign-in during OOBE hits a "device not compliant" block and the enrollment stalls.
The solution has two parts. First, Intune grants a brief enrollment grace period (configurable at tenant level under Devices > Compliance > Compliance settings): devices are treated as compliant for a window after first enrollment (default 0 days — set this to at least 1 day). Second, structure your CA rollout using report-only mode so that CA is never enforcing during your first wave of Autopilot enrollments.
Build the Conditional Access Policy
Open Entra admin center and navigate to Protection > Conditional Access > Policies > New policy. Name it clearly: REQUIRE-Compliant-Device-Windows.
Assignments > Users. Start with a pilot group — not All Users. Add your IT pilot ring Entra group. Expand to All Users only after validating the policy does not block anything unexpected.
Assignments > Target resources. Set to All cloud apps for full enforcement, or scope to specific apps (Exchange Online, SharePoint Online) if you want a staged resource rollout.
Conditions > Device platforms. Filter to Windows to scope this policy — leave other platforms to their own CA policies.
Grant. Select Grant access, check Require device to be marked as compliant. Do not combine with Require Entra hybrid join unless you have hybrid-joined devices — they are alternatives, not requirements.
Session. Leave at defaults unless you need sign-in frequency controls.
Enable policy: Report-only. Never start at On. Report-only lets you see what would have been blocked in the Sign-in logs before any user is affected.
Report-Only to Enforce: The Safe Rollout Sequence
Phase
CA State
What to check
Proceed when
1 — Pilot enrollment
Report-only
Compliance state in Devices > Compliance; Sign-in logs > Conditional Access tab
Pilot devices all show Compliant; no unexpected report-only blocks
2 — Broader rollout
Report-only
Monitor CA Insights workbook for would-be blocked sign-ins
<1% failure rate; known failures are unmanaged personal devices (expected)
3 — Enforce on pilot group
On (scoped to pilot group)
Help desk ticket volume; user self-service portal hits
Zero unexpected blocks after 48 hours
4 — Full enforcement
On (All Users)
Sign-in logs daily for first week
Steady state; no spike in auth failures
Break-glass accounts
Always exclude your break-glass emergency accounts from every CA policy. These are the accounts you use if CA misconfiguration locks everyone out. They should be cloud-only, strong-passphrase accounts in a group explicitly excluded from all CA policies — not excluded by user, which can be lost on group membership changes.
Assigning the Compliance Policy
Compliance policies assign to user groups, not device groups. This matters: a device gets evaluated for compliance relative to the policies assigned to the user who is signed in. A device with no user (e.g. a self-deploying Autopilot kiosk with no user affinity) is evaluated against the tenant-wide default compliance policy — which defaults to compliant if no policy applies. For those devices, decide explicitly: either create a device-group-scoped compliance policy (now supported via filter-based assignment) or accept that no-affinity devices are not held to the same compliance bar.
Insights
Device Health Attestation is the right check for BitLocker and Secure Boot. MDM self-report is trivially fakeable on a compromised device. DHA-backed compliance checks go through a TPM-signed channel and cannot be spoofed — use them.
The OS version floor is a forcing function, not a punishment. When devices below your minimum build floor are blocked by CA, users call helpdesk, helpdesk escalates, and suddenly your update ring coverage gets managed. The compliance policy surfaces the stale-update problem in a way a report never does.
Compliance grace period and CA grace period are different knobs. The tenant-level enrollment grace period (Compliance settings) delays the noncompliant mark post-enrollment. CA report-only delays enforcement at the access layer. Both are needed; do not confuse them.
Noncompliant devices are still managed. A device marked noncompliant by Intune is not removed from management — it still receives policies, apps, and config. CA is what gates resource access. Never conflate the two concepts in a helpdesk runbook.
The compliance state shown in Devices is the last evaluated state. If a device has been offline for days, the compliance stamp is stale. CA consumes this stale stamp. The real-time check only happens when the device checks in. Size your mark-as-noncompliant grace period to account for devices that go offline over weekends.
Quality and feature update rings, then graduate to Autopatch when ready.
Getting Windows updates right is one of the highest-leverage things an endpoint engineer does. A missed quality update is a CVE waiting to be exploited; a forced reboot during a board meeting is a career moment. Intune gives you two mechanisms: Windows Update for Business (WUfB) update rings — deferral-and-deadline policies you fully control — and Windows Autopatch, Microsoft's managed ring service that takes over the orchestration when your team is ready to hand it off. Start with rings; graduate to Autopatch once your fleet is stable.
This page covers the full stack: quality and feature update rings, the deadline/active-hours model that actually gets devices patched, feature update targeting to hold a specific Windows version, Delivery Optimization to keep bandwidth sane, driver update policies, and the Autopatch registration prerequisites. For deep-dive reference on any of these, the dedicated Windows Update for Business and Windows Autopatch pages have the detail.
Applies toWindows 10/11, Intune-managed (MDM)
Console pathDevices > Windows > Update rings for Windows 10 and later
GotchaDeadline and active-hours settings override each other — set both intentionally or leave active hours unset
Update Rings: The Core Model
An update ring is a Windows Update for Business policy that controls when a device installs quality and feature updates relative to release day. The standard three-ring model — Pilot, Broad, Deferred — gives you a bake period before most of the fleet takes an update.
Pilot ring0-day deferralIT, power users; installs Patch Tuesday updates immediately to catch obvious breakage.
Early Adopter ring7-day deferralVolunteers and tech-savvy staff; catches issues before broad rollout.
Broad ring14–21-day deferralThe majority of the fleet; sufficient bake time for enterprise patch validation.
Deferred ring30-day deferralCritical infrastructure, specialized workstations, executives — maximum delay within policy.
Key ring settings explained
Setting
What it controls
Recommended starting point
Quality update deferral
Days after release before device is offered the update
0 / 7 / 14–21 / 30 days by ring
Feature update deferral
Days after feature release before device is offered it
0 / 30 / 90 / 180 days by ring (or use Feature Update policy instead)
Deadline (quality)
Days after deferral expires before the device must install, even if paused
5–7 days; prevents stale devices
Grace period
Days after deadline before forced restart
2 days; user-friendly but still enforces
Active hours
Window during which restarts are suppressed
8 AM–10 PM, or leave unset if deadlines handle it
Pause updates
Emergency brake — blocks updates for up to 35 days
Use only for known-bad patches; document and lift promptly
Active hours + deadline conflict
If you set active hours to 6 AM–11 PM and a deadline fires, Windows will still restart outside active hours — but a very wide active-hours window leaves only a small restart window and users notice at 11:01 PM.
Microsoft recommends relying on deadlines + grace periods rather than active hours for most fleets. Active hours is useful for shift workers with unusual schedules; configure it per group, not globally.
Building a ring in the console
Navigate to the Update rings blade. Go to Devices > Windows > Update rings for Windows 10 and later > Create profile.
Name it with the ring tier. Use a consistent naming convention: WIN-QU-Pilot, WIN-QU-Early, WIN-QU-Broad. Quality and feature update rings are separate policies — name them distinctly.
Configure update settings. Set Quality update deferral period, Feature update deferral period (if not using a Feature Update policy), Deadline for quality updates, and Grace period for the ring tier.
Set automatic update behavior. Leave at Auto install and restart at scheduled time — user-choice options undermine the deadline model.
Assign to a device group. Each ring targets a distinct Entra device group. Ensure devices are in exactly one ring to avoid conflicting deferrals.
Use Feature Update policies, not ring deferrals, to pin a Windows version
Feature update deferrals in rings let updates eventually flow through. If you need to hold devices on Windows 11 22H2 while testing 23H2, use a Feature update policy (Devices > Windows > Feature updates for Windows 10 and later) with an explicit target version. This is the correct tool for version pinning; deferrals are for timing, not version control.
Driver Update Policy
Driver updates ship separately from quality updates and are controlled by the Driver updates for Windows 10 and later policy (Devices > Windows > Driver updates for Windows 10 and later). The two approval modes are Automatic (Microsoft-approved drivers deploy on the same schedule as your quality update ring) and Manual (you review and approve each driver before it deploys). For most corporate fleets, manual approval on the Pilot ring with automatic for Broad is a pragmatic balance — you catch bad driver drops on Pilot before they touch thousands of machines. The Update Failures page covers the common failure modes when drivers conflict with Defender or kernel-mode components.
Delivery Optimization
Delivery Optimization reduces WAN bandwidth by letting devices share update content peer-to-peer on the same subnet or across the organization. For any fleet larger than ~50 devices, configure it. The key settings in a Settings Catalog profile:
Download mode:HTTP blended with peering behind same NAT (1) for branch offices; HTTP blended with internet peering (3) for remote/home workers.
Group ID: Set a consistent GUID per site if you want intra-site peering across subnets.
Bandwidth limits: Cap background download percentage during business hours to protect business traffic.
Microsoft Connected Cache: For organizations with always-on on-premises infrastructure, an MCC node on a Windows Server or Azure Stack HCI eliminates most WAN update traffic entirely.
Graduating to Windows Autopatch
Autopatch replaces your manually managed rings with Microsoft-managed rings (Test, First, Fast, Broad) and handles the deferral logic, pause decisions, and rollback orchestration for quality updates, feature updates, Microsoft 365 Apps updates, Edge, and Teams. It is not a set-and-forget magic button — you still own ring membership, driver approvals, and policy exclusions — but it dramatically reduces the operational overhead of patch management at scale.
Prerequisites before registering
Requirement
Detail
Licensing
Microsoft 365 E3, E5, F3, or Business Premium + the Windows Autopatch add-on; or M365 E5 (includes it)
Entra join
Entra joined or Entra hybrid joined; Autopatch does not support workgroup devices
Co-management
If co-managed with SCCM, the Windows Update workload must be set to Intune (Pilot or All)
Update rings
Autopatch creates its own rings; existing rings should not conflict — exclude registered devices from your manual rings
Diagnostic data
Required Diagnostic Data must be enabled (at minimum); Autopatch uses it for update health signals
Registration flow
Open Autopatch in the console. Navigate to Devices > Windows Autopatch > Devices. If the node is absent, your tenant lacks the required license or the feature hasn't been activated.
Run the Readiness assessment. The built-in readiness check flags co-management conflicts, diagnostic data gaps, and ring conflicts before you register a single device. Fix all blockers.
Register devices. Add devices to the Windows Autopatch Device Registration group (created by Autopatch at activation). Autopatch auto-assigns each device to one of its four rings based on a ring-balance algorithm.
Validate ring assignment. In the Devices view, confirm devices appear in the expected rings. You can manually move a device to Test or First for extra validation, but Autopatch will resist making Test ring too large.
Remove manual update rings. Once devices are Autopatch-managed, exclude them from your WUfB rings to prevent policy conflict. Keep manual rings for any devices you are not ready to hand off.
Fleet <200 devices, dedicated IT ops time, complex app compatibility requirementsManual WUfB ringsFull control; you set every deferral and deadline; no licensing add-on needed.
Fleet 200+ devices, want Microsoft to manage deferral logic and pause/resume decisionsWindows AutopatchReduced operational burden; Microsoft signals drive pause/resume; you own exclusions and app compat.
Mixed fleet: stable production + specialized/exempt devicesHybrid: Autopatch for mainstream, manual rings for exemptAutopatch for the majority; keep manual rings for VMs, lab machines, and high-stakes workstations.
Don't register devices in both Autopatch and your manual rings
Overlapping policies produce undefined behavior — the most permissive setting wins, which typically means the shortest deferral, defeating Autopatch ring logic entirely.
Use Entra groups to gate registration: if a device is in the Autopatch registration group, it must be excluded from your manual WUfB ring assignments.
Insights
Deadlines are non-negotiable; deferrals are not. Deferrals are advisory — a motivated user or a policy conflict can shorten them. Deadlines enforce patch compliance. Always set a deadline; do not rely on deferral alone to control your patch window.
The pause lever is a scalpel, not a hammer. Pausing update rings is a legitimate emergency brake for a known-bad patch, but each ring can only be paused for 35 days, after which updates resume automatically. Track every pause with a ticket and a lift date — orphaned pauses leave devices unpatched for months.
Feature update pinning catches engineers by surprise. A ring-based feature deferral will eventually let the new Windows version through. If you need to hold 22H2 while validating 23H2 on Pilot, you need a Feature Update policy with an explicit target version — deferrals alone will not protect you.
Autopatch does not fix a broken update posture; it manages a healthy one. If your fleet has widespread update failures, fix the underlying causes (disk space, Delivery Optimization, driver conflicts) before registering for Autopatch. The readiness assessment will flag many issues, but not all.
Delivery Optimization should be configured day one, not as an afterthought. On a 500-device fleet with no DO config, a Patch Tuesday quality update can saturate a 100 Mbps branch WAN link for hours. Peer-to-peer content sharing with subnet-level grouping is a 15-minute configuration that pays dividends indefinitely.
Driver update manual approval is worth the overhead on Pilot. One bad NIC driver update that drops 800 devices off the network at 9 AM is worth more engineering hours than a year of manual driver review on your 20-device Pilot ring.
What the new-hire actually sees from power-on to a configured, compliant desktop.
Every configuration decision you made in the previous steps — the Autopilot profile, the ESP, the baseline, the apps — converges in the thirty minutes a new hire spends between pressing the power button and sending their first email. Walking that journey yourself, on real hardware, before go-live is the single best QA act an Intune engineer can perform. This page narrates it beat by beat so you know what "good" looks like, what "bad" looks like, and where to look when something goes sideways.
This is the empathy page. It's written from the user's point of view, not the admin's — because when the helpdesk phone rings on day one, the user is describing what they see, not what the tenant is doing.
Applies toAutopilot User-Driven (Entra join), Windows 11 22H2+
Typical duration20–45 min depending on ESP blocking apps and network speed
GotchaSlow network + too many blocking apps = ESP timeout before the user gets to use the device
The Journey, Step by Step
Phase 1Power on & OOBEWindows detects Autopilot; EULA, region, and keyboard are skipped or pre-filled
Phase 2Entra sign-inUser enters their work email and authenticates — MFA prompt likely
Phase 3Enrollment Status PageDevice-prep and account-setup phases run; apps install, policies land
Phase 4Desktop & self-completionApps continue to install in the background; OneDrive, Edge, and Hello finish
Phase 1 — OOBE Arrives Pre-Configured
The device powers on into the Windows Out-of-Box Experience. Within seconds, Windows phones home, matches the hardware hash to the Autopilot service, and downloads the deployment profile. The experience changes immediately: the EULA screen is gone (if you hid it in the profile), the region/keyboard screens are either skipped or pre-filled from the profile's language settings, and the "Set up for personal use / Set up for an organization" fork never appears. The user lands directly at a plain Microsoft sign-in prompt with your company branding if you have Entra ID company branding configured.
Brand the sign-in screen
Configuring a logo, background, and sign-in text in Entra ID > Company branding costs nothing and immediately tells the user they are in the right place — especially important on day one.
Phase 2 — Entra Sign-In and MFA
The user types their UPN (work email address) and password. If your tenant enforces MFA — and it should — they will be prompted by the Authenticator app, a TOTP code, or a phone call. This is the moment where pre-boarding matters: if the new hire has not already set up their MFA method in MySignIns, they are stuck here. Most organizations solve this by forcing MFA registration at account creation through a Conditional Access policy scoped to the registration endpoint, or by walking the user through it during IT onboarding before they touch the device.
After authentication, Entra join occurs silently. The device joins your Entra tenant and the MDM enrollment kicks off automatically through the automatic MDM enrollment wiring you set up earlier. The user never sees the word "Intune" at this point.
Phase 3 — The Enrollment Status Page
This is the phase users describe as "it's just sitting there with a spinning wheel." The Enrollment Status Page is doing real work — it is applying device configuration, installing required Win32 apps, and confirming compliance — but from the user's perspective it is an opaque progress bar and a list of items that may or may not update visibly.
The ESP has two phases:
Device preparation. Runs before the user signs in (in pre-provisioned scenarios) or immediately after sign-in. Device-targeted policies and apps land here. Security baselines, certificate profiles, and device-scoped app deployments apply in this phase.
Account setup. User-targeted policies arrive after Entra join resolves the user's group memberships. User-scoped apps, OneDrive KFM policy, and user certificate profiles land here.
The critical variable is which apps are marked as blocking. Every app in your blocking list must install successfully before the ESP clears. For guidance on what to put in that list and what to leave out, see the ESP configuration page.
The most common first-boot failure
Too many large Win32 apps in the blocking list on a slow guest Wi-Fi → ESP hits the timeout (default 60 minutes, configurable) and surfaces an error.
A required app dependency is missing or the content hasn't replicated to the nearest Intune CDN edge yet.
User-targeted apps don't land until group membership syncs — which can lag 5–15 minutes after Entra join on a fresh account.
The "Use Device Anyway" Moment
If you have enabled the "Allow users to use device if installation error occurs" option in your ESP profile, the user will see a Continue anyway button when an error occurs or when the timeout is reached. This is an escape hatch, not a green flag. The device reaches the desktop before all required configurations have applied. In practice this is acceptable for a correctly-designed deployment (lean blocking list, baseline in report-only at first) but dangerous if you have Conditional Access enforcement waiting on compliance, because the user may immediately be blocked from resources.
If you have not enabled the escape hatch and the ESP errors, the user is stuck at the ESP screen. They need you to either reset the device or troubleshoot the blocking app remotely — neither is a great day-one experience.
What the Desktop Looks Like on Arrival
When the ESP clears and the user reaches the desktop for the first time, the experience depends heavily on how well-tuned your deployment is. Here's the difference between a well-tuned and a poorly-tuned build:
Component
Good (well-tuned)
Bad (needs work)
Microsoft 365 Apps
Already installed; first launch activates silently
Installing in the background; first click opens Company Portal, not the app
OneDrive
KFM redirect already configured; Documents/Desktop/Pictures point to cloud
OneDrive sign-in prompt appears; user is confused about where files go
Microsoft Edge
Profile signed in, SSO working, bookmarks and extensions present
Edge launches in consumer mode; user signs in again manually
Windows Hello for Business
PIN setup prompt appears immediately after first sign-in — guided, expected
No prompt; user does not know passwordless is available
Start menu & taskbar
Pinned apps match your Start layout policy
Default consumer layout; Teams, Xbox, and consumer apps cluttering the menu
Defender / security
No notifications; tamper protection and real-time scanning running silently
Defender prompts user to run a scan or update definitions — alarming on day one
OneDrive Known Folder Move
If your OneDrive KFM policy is correctly scoped, the first time the user opens File Explorer their Documents, Desktop, and Pictures folders are already redirected to OneDrive. They may see a brief OneDrive "sync is starting" notification. This is expected and good. What's not good: if the KFM policy lands late (after the user has already saved files to the local profile), the migration runs in the background and can appear slow on a weak connection.
Windows Hello for Business Enrollment
Depending on how you've deployed Hello for Business (tenant-wide policy or an Intune account protection profile), the user will see a "Set up Windows Hello" prompt either during the ESP account-setup phase or shortly after reaching the desktop. Walk-through: PIN creation (required), then optional biometric enrollment (fingerprint or face, if hardware supports it). Users who skip biometric can come back via Settings > Accounts > Sign-in options. Once Hello is enrolled, the next lock-screen sign-in uses PIN or biometric — the password is no longer the primary credential.
Autopilot Reset: A Different First-Boot Shape
If you are pre-provisioning devices using the Autopilot white-glove/pre-provisioning flow, the technician performs the device-prep phase in the warehouse before the device ships. The user's first-boot experience is significantly shorter: they authenticate, the account-setup phase runs (faster, because device apps are already installed), and they reach the desktop in under ten minutes on a good connection. For user-driven deployments without pre-provisioning, budget the full 20–45 minutes.
Timing Reality Check
Scenario
Realistic Time to Desktop
Notes
Pre-provisioned (white-glove), fast network
5–10 min (user phase only)
Device phase done at factory/IT desk
User-driven, fast corporate Wi-Fi, lean ESP
15–25 min
M365 Apps installing but not blocking
User-driven, guest Wi-Fi, heavy blocking app list
40–60+ min
High timeout risk; reduce blocking apps
Hybrid join (domain controller required)
Add 10–20 min
DC must be reachable; offline = stuck
Run it yourself before go-live
Reserve one spare licensed device, reset it to factory, and walk through the full Autopilot flow on the same network a new hire would use. Take notes at every phase. This single test will surface 80% of day-one issues before your users experience them.
What to Tell the Helpdesk
Train your support team on the user-facing narrative: "The setup screen with the spinning wheel is normal — it's installing your apps. It takes about 20–30 minutes. Do not turn off the device or close the lid." Give them a threshold: if it has been over 45 minutes with no progress, escalate. The most actionable remote diagnostic is the Devices > [device name] > Device configuration and App install status views in the Intune admin center, which show exactly which policy or app is holding up the ESP.
Insights
The ESP is a mirror of your app strategy. If first boot is slow or failing, the root cause is almost always too many large apps in the blocking list. Keep blocking apps to the two or three that are genuinely required before the user can work — everything else should be required but non-blocking.
MFA registration must precede device setup. If a new hire hasn't registered their MFA method, they cannot complete Entra sign-in during OOBE. Make MFA registration part of HR onboarding, before the device ships.
Group membership lag is real. User-targeted apps and policies depend on Entra group membership resolving after join. On a fresh account, this can take 5–15 minutes — account for this in your ESP blocking logic and don't put user-targeted apps in the blocking set if you can avoid it.
"Continue anyway" is a policy decision, not a bug. Decide consciously whether users can escape a stuck ESP. If you have CA enforcement on compliance, an unconfigured device reaching the desktop may immediately lose resource access — warn users or disable the escape hatch for high-security fleets.
OneDrive KFM and Hello are the two moments users remember. When KFM works silently and Hello enrollment is prompted cleanly, users report a "it just worked" experience. When they see a generic Windows desktop and have to figure out cloud sync themselves, they distrust the whole build.
The pre-flight checklist before you hand Autopilot to the business.
Every piece of the stack is configured in isolation before this moment — Autopilot profile, ESP, apps, baseline, BitLocker, compliance, Conditional Access, update rings. The go-live checklist is where you verify that all of it works together, on a real device, before the first user touches it. Skipping this step is how deployment day becomes a war room.
This page is structured for the final sign-off meeting: a senior engineer and a helpdesk lead, one pilot device, and a shared screen. Work through every section top to bottom. Do not hand the deployment to the business until every box is checked.
Applies toWindows 10/11 Autopilot (user-driven and pre-provisioned)
Who runs itSenior endpoint engineer + helpdesk lead
WhenAfter full pilot; before broad business rollout
GotchaCompliance report-only looks healthy — enforced CA will block users the moment you flip it
Pre-Flight: Pilot Ring Validation
The pilot ring (typically 5–10 machines, a mix of hardware models, clean Autopilot reset) is your evidence base. Everything below is evaluated against pilot results — if the pilot never ran cleanly, you do not have evidence to go live.
Pilot device completed Autopilot end-to-end without manual intervention. Device powered on, user entered Entra credentials at OOBE, ESP ran to completion, and the desktop appeared with no error banners. Check Devices > Monitor > Enrollment failures — zero failures in the pilot group.
ESP completed within your defined timeout. If you set a 60-minute timeout, pilot machines finished in under 45 minutes. If they pushed the limit, trim blocking apps now, not later. See Autopilot and ESP failures for the remediation playbook if any machine timed out during piloting.
All required apps installed and functional. M365 Apps activated, Edge profile signed in, Win32 essentials present. Verify via Devices > [device] > App install status — every required app shows Installed, not Pending or Failed.
BitLocker encrypted and key escrowed. On the pilot device, open manage-bde -status — protection should read Protection On, method AES-256 or XTS-AES-256. In the portal: Devices > [device] > Recovery keys — the key must be present. A device that is encrypted but has no escrowed key is a compliance failure waiting to happen.
Device shows Compliant in the compliance portal.Devices > [device] > Device compliance. If any setting is Not Compliant, investigate before proceeding — do not launch with known compliance gaps.
BitLocker escrow is the hardest thing to fix retroactively
If encryption ran before the policy delivered, the key may never escrow automatically.
Remediation requires either a manual rotation (BackupToAAD-BitLockerKeyProtector) or a reset — neither is something you want to do at scale post-launch.
Confirm escrow for every pilot device before declaring success.
Compliance and Conditional Access Readiness
The compliance/CA pair is the deployment's biggest blast radius. Getting this wrong means users enroll successfully and then immediately can't access email. See the full treatment on the Compliance and Conditional Access page.
Confirm compliance policy is assigned and reporting correctly. Navigate to Devices > Compliance > Policies and verify the Windows compliance policy has active assignments. Check the per-setting report — every pilot device should show each setting as Compliant, not Not evaluated.
Verify CA policy is in Report-only, not Enforced, for your pilot scope. Open Entra admin center > Protection > Conditional Access > Policies. Your "Require compliant device" policy should be in Report only during the pilot phase. Review the Sign-in logs to confirm what would have been blocked.
Create and test the break-glass CA exclusion group before enabling enforcement. A dedicated Entra group (e.g., SG-CA-BreakGlass-Accounts) assigned to exclude your break-glass admin accounts from all CA policies. Verify these accounts can still authenticate even if you accidentally misconfigure the policy.
Stage the CA enforcement flip. Enable enforcement for the pilot group first, not all users. Watch Sign-in logs for 24–48 hours. Only then broaden scope. The compliance/CA chicken-and-egg (device must enroll to become compliant; CA blocks access during enrollment) is handled by the enrollment exclusion or MDM enrollment URLs being outside CA scope — verify this is still true in your tenant.
ESP Configuration Sign-Off
Check
Target value
Status
Blocking apps count
3 or fewer apps in the ESP blocking list
Timeout setting
60 minutes (never lower; 90 if you have large Win32 apps)
"Allow user to use device anyway" enabled
✅ Yes — users must have an escape hatch
"Allow user to reset device if error occurs" enabled
✅ Yes — essential for field self-recovery
Company Portal in blocking set
❌ No — it delays ESP for no gain; push it Required, not blocking
All blocking apps deliver via WinGet/Win32, not Store
✅ Store apps are unreliable in ESP — avoid them as blocking
Naming, RBAC, and Scope Tag Hygiene
Verify the device naming template is set and rendered correctly on pilot devices. Check the Autopilot profile (Devices > Enrollment > Windows Autopilot deployment profiles > profile > Out-of-box experience > Apply device name template). Confirm at least one pilot device shows the expected hostname — e.g., CORP-WIN-%SERIAL:5% — not a generic DESKTOP-XXXXXXX name.
Scope tags are applied to all enrollment-related objects. The Autopilot profile, ESP profile, compliance policy, and core configuration profiles should all carry the same scope tag if you operate a multi-team environment. A policy that isn't scope-tagged is visible and editable by any Intune admin.
RBAC roles are locked down. The helpdesk role should be able to perform device actions (sync, restart, remote lock) but not edit profiles or enrollment configurations. Validate with a helpdesk test account.
Support Runbook and Rollback Levers
A deployment without a rollback plan is a bet. Document the levers before you need them, not during an incident. If your team needs to initiate an Autopilot Reset or wipe a mis-enrolled device, see Remote Actions: Wipe, Reset, and Retire for the exact steps and what each action does to Entra, Intune, and local data.
Lever 1Pause update ringsImmediately halt quality/feature updates across the fleet without touching Autopilot
Lever 2Exclude group from Autopilot profileRemove a device group from the profile assignment — new enrollments fall through to vanilla OOBE
Lever 3Autopilot ResetRe-runs Autopilot on a managed device — re-applies all policies without wiping Entra identity
Lever 4Wipe or Retire from IntuneLast resort — full wipe re-enrolls from scratch; Retire removes management and leaves local data
Document the Autopilot Reset procedure in your helpdesk runbook. Include: who authorizes it, how to initiate from the console, what the user experiences, and how long it takes. Test it on a pilot device before go-live.
Document the "device stuck at ESP" resolution steps. This will be your most common day-one call. The steps: confirm blocking app status in the portal, use "Allow user to use device anyway" if safe, and if not, initiate an Autopilot Reset. Reference Autopilot and ESP failures in the runbook.
Confirm your Delivery Optimization settings and update ring pause rights. Identify who can press the pause button on update rings and confirm they know how. Test the pause/resume cycle before go-live.
Do
Run a full Autopilot Reset on at least one pilot device to validate the repeat-enrollment experience
Enforce CA only after 48 hours of report-only data showing zero false-positive blocks
Keep your break-glass account credentials in a physical safe, not in a password manager that requires cloud auth
Have a named person with update-ring pause rights on-call for the first two weeks post-launch
Document every policy assignment change made during pilot in a change log
Test the helpdesk escalation path end-to-end before day one
Don't
Flip CA enforcement the same morning as broad rollout — stage it by days, not hours
Add apps to the ESP blocking list as a substitute for proper app deployment testing
Rely on "users will figure it out" for the ESP progress screen — brief the helpdesk on what it looks like
Launch without confirming BitLocker escrow for every pilot device
Use All Users or All Devices for the initial CA enforcement target — use the pilot group first
Skip the break-glass exclusion — one misconfigured CA policy can lock out your entire admin team
Final Sign-Off Checklist
Item
Owner
Done
Pilot device(s) enrolled clean, end-to-end, no manual intervention
Endpoint engineer
ESP completed under timeout threshold; blocking app set is 3 or fewer
Endpoint engineer
BitLocker encrypted and key escrowed for all pilot devices
Endpoint engineer
All required apps installed and functional on pilot device
Endpoint engineer
Compliance policy assigned; all pilot devices show Compliant
Endpoint engineer
CA policy in Report-only; sign-in logs reviewed; no unexpected blocks
Security/IAM
Break-glass CA exclusion group created and tested
Security/IAM
Device naming template verified on pilot device
Endpoint engineer
Scope tags applied to all enrollment/config objects
Endpoint engineer
Helpdesk runbook written and distributed (ESP, reset, wipe procedures)
Helpdesk lead
Update ring pause rights documented; named person on-call
Endpoint engineer
Rollback levers tested (Autopilot Reset on one pilot device)
Endpoint engineer
Staged CA enforcement plan agreed (pilot group first, then broader scope)
Security/IAM + management
Change-freeze window for first two weeks documented with IT leadership
Project lead
Print this table for the sign-off meeting
Go-live sign-off is a shared moment of accountability — having a physical checklist with owner columns makes it harder for any single item to slip through with an "I assumed someone else checked that."
Bring the community Windows baseline into your tenant as Settings Catalog profiles.
The IntuneNerds Windows baseline is a set of pre-built, field-tested Settings Catalog profiles covering hardening, Defender posture, account protection, update cadence, and Edge policy. Instead of assembling a baseline setting by setting from scratch, you import the baseline JSON into your tenant, review every setting against your environment, scope it to a pilot ring, and promote once reporting is clean. That review step is non-negotiable — no community baseline ships knowing your LOB app stack, and a few settings will need tuning before broad deployment.
This page walks the mechanics of the import, describes what each profile covers, explains how to reconcile the community baseline against the Microsoft Security Baseline to avoid silent conflicts, and gives you the rollout sequence. If you are deploying for the first time and want the full operational context, read Deploy the Configuration Baseline alongside this page.
Applies toWindows 10 21H2+ / Windows 11, Entra-joined or Hybrid-joined
Console pathDevices > Windows > Configuration > Import
RequiresIntune P1 (M365 E3/E5 or EMS E3/E5); Graph API access for scripted import
GotchaReview before you assign — importing creates the profile immediately; an un-reviewed profile accidentally assigned to All Devices causes fleet-wide policy churn
What the Baseline Contains
The Windows baseline ships as multiple discrete Settings Catalog profiles, each owning a specific domain. Keeping them separate means you can update or tune one domain without touching the others, and per-profile reporting stays focused.
Profile
Key settings covered
Deep-dive page
Device Hardening
Credential Guard, VBS/HVCI, SmartScreen, audit policy, restricted local groups, LAPS account targeting
SmartScreen for Edge, extension allowlist/blocklist, homepage, search engine, safe browsing
See Edge management deep-dive
The baseline is opinionated, not exhaustive
The baseline configures a hardened-but-functional starting point. It deliberately does not configure OneDrive KFM, app deployment, or compliance policy — those belong in your org-specific profiles layered on top.
Import Methods
There are two practical import paths. The portal import is the right choice for a first-time setup or a small number of profiles. Graph-based import is better for scripted, repeatable deployment or CI/CD pipelines where you version-control your baseline JSON.
Portal Import (JSON)
Download the baseline JSON files from IntuneNerds. Each profile ships as a separate .json file following the Intune export format.
Navigate toDevices > Windows > Configuration. Click Import (the button next to Create).
Select the JSON file for the first profile (start with Device Hardening). Intune pre-populates the profile name and all settings from the file. Do not assign yet — click Next through to Review, verify the setting count matches what you expect, then Create.
Repeat for each profile in the baseline set. Import them all before assigning any. This keeps your assignment step deliberate and separate from the import step.
Rename each profile to include your environment tag and a version indicator: WIN-Baseline-Hardening-v1-Pilot. The default imported name carries over from the JSON — make it meaningful in your tenant's profile list.
The import does not validate against existing profiles
Intune accepts the import silently even if a setting in the imported profile duplicates a setting already in your Microsoft Security Baseline profile. Conflicts only surface in reporting after assignment.
Do not use Import as an update mechanism. If you want to refresh an existing profile, edit the settings in-place — importing creates a new profile, it does not update the existing one.
Graph API Import (Scripted)
The Microsoft Graph API endpoint POST /deviceManagement/deviceConfigurations (for legacy profile types) or POST /deviceManagement/configurationPolicies (for Settings Catalog profiles) accepts the same JSON structure as the portal export. For Settings Catalog profiles — which is what the baseline uses — the correct endpoint is configurationPolicies.
Authenticate with an app registration or interactive token scoped to DeviceManagementConfiguration.ReadWrite.All.
POST the JSON payload for each profile to https://graph.microsoft.com/beta/deviceManagement/configurationPolicies. The beta endpoint is required; Settings Catalog profiles are not fully available on the v1.0 endpoint at time of writing.
Capture the returned id for each created policy. You will need it to create assignments in the next step (POST /deviceManagement/configurationPolicies/{id}/assign).
Do not script the assignment in the same run as the import — keep them as separate, manually triggered steps until you have reviewed the imported profiles in the portal.
Every setting in the baseline was chosen to work on a standard corporate Windows fleet. But your environment has variables no community baseline can anticipate: legacy LOB apps with unusual privilege requirements, custom VPN clients that conflict with specific Defender ASR rules, hardware that does not support HVCI. The review step is how you catch these before they affect 5,000 machines.
Step 1Open each imported profileDevices > Windows > Configuration — review every setting group, not just the ones you expect to change
Step 2Cross-reference against your Microsoft Security BaselineFlag any setting present in both — pick one profile to own it and remove it from the other
Step 3Check your LOB app listASR rules (especially "Block credential stealing from LSASS" and "Block Win32 API calls from Office macros") break specific apps — start in audit mode
Step 4Document every deviationRecord the setting name, CSP path, original value, your value, and the reason — this becomes your audit evidence
Reconciling Against the Microsoft Security Baseline
If you are using the Microsoft Security Baseline profile (deployed from Endpoint security > Security baselines), you must audit the IntuneNerds baseline profiles for overlap. Settings Catalog profiles and Security Baseline profiles both write to the same underlying CSP nodes, and a setting configured in both enters Conflict state — the device ignores both values for that setting.
CSP area
Microsoft Security Baseline covers it?
Action
Windows Defender real-time protection, cloud protection, PUA
✅ Yes
Remove from IntuneNerds Defender profile, or accept the conflict and own the override intentionally
BitLocker (basic encryption requirement)
✅ Yes
Do not duplicate in the hardening profile; manage BitLocker details via the dedicated Endpoint Security > Disk encryption policy
Audit policy (SACL/DACL audit events)
✅ Yes
Let the Microsoft baseline own audit settings; remove from IntuneNerds hardening profile
LAPS, local users and groups
❌ No
IntuneNerds account protection profile owns these — no conflict risk
Update deferrals, deadlines
❌ No
IntuneNerds update profile owns these — no conflict risk
Edge, SmartScreen for browser
Partial (SmartScreen at OS level only)
IntuneNerds Edge profile is safe; confirm SmartScreen CSP path differs from the OS-level setting
Scoping to a Pilot Ring First
Assign every imported profile to a pilot device group and let it soak for at least one week before promoting to production. The pilot scope should include a representative sample of your hardware models, OS versions, and user types — not just IT laptops.
Create a pilot device group in Entra ID — a static group works fine for the pilot phase: GRP-Intune-Baseline-Pilot. Add 10–20 representative devices.
Assign all baseline profiles to this group with Required intent. Do not assign to user groups — device-group assignment ensures policy lands during the Device ESP phase at enrollment, not deferred to first sign-in.
Check per-setting reporting after 24 hours. Go to each profile > Device and user check-in status > click a pilot device > review per-setting status. You are looking for: Succeeded (good), Conflict (fix the overlap), Error (bad setting value or unsupported CSP on that OS build), Not applicable (device does not meet CSP prerequisites).
Tune and re-deploy within the pilot group until all settings show Succeeded or documented Not applicable on pre-approved hardware exceptions.
Promote to production by adding your full managed-device group to the profile assignment. Keep the pilot group assigned — do not swap it out.
ASR rules: start in audit, not block
The baseline ships ASR rules in audit mode by design. Run audit mode for two weeks and review the Windows Defender event logs (Event ID 1121/1122 in Microsoft-Windows-Windows Defender/Operational) before flipping any rule to block. One rule blocking an ERP client at 8 AM Monday will be a bad day.
Insights
Import creates the profile; it does not assign it. This is by design — use the gap between import and assignment to review. Engineers who import and assign in the same sitting skip the review that makes the baseline safe.
The JSON format is the source of truth. Store the baseline JSON files in source control alongside your deviation log. When Microsoft releases a new security baseline version, you have a diff-able record of what you changed and why.
Conflicts are silent at the profile level. A profile that says "Succeeded" at the top level can still have individual settings in Conflict state. Always drill to per-setting status — profile-level green is not a clean bill of health.
ASR audit-mode telemetry goes to Defender for Endpoint, not just event logs. If your tenant has MDE onboarded, use the Advanced Hunting table DeviceEvents with ActionType == "AsrXxxAudited" to get fleet-wide ASR hits before flipping rules to block.
The Defender profile and the Microsoft Defender for Endpoint Security Baseline are not the same thing. The MDE baseline is a separate profile from the Windows security baseline. Do not import the IntuneNerds Defender profile if you already have an MDE security baseline applied — you will conflict on nearly every Defender CSP.
Pilot ring duration matters more than pilot ring size. Ten devices for two weeks beats one hundred devices for two days. You need update cycles, login events, and real user workflows to surface ASR false positives and Defender edge cases.
How to propose changes to the Windows baseline and keep it field-tested.
The Windows baseline is a living document. It starts opinionated and minimal — just the settings that harden every managed PC without breaking the apps and workflows that keep the business running. Every setting that ships was argued over, tested across multiple editions and hardware classes, and earned its place. If you've found a gap, tuned something in production, or discovered a CSP that solves a real problem more cleanly, the community wants to hear it. This page explains how to propose a change that will actually get merged.
Before diving into the mechanics, see the Feedback page for how to send a proposed change. The Windows-specific notes below cover what to document in your proposal and how the baseline maintainers evaluate Windows settings submissions.
Min test matrixWin 11 Pro & Enterprise, TPM 2.0 hardware
GotchaSecurity Baseline conflicts silently win; test side-by-side
The Baseline's Guiding Principle
The Windows baseline is deliberately opinionated but minimal. A setting earns inclusion only when it meets all three tests:
Real security or management value. The setting measurably reduces attack surface or prevents a known misconfiguration, not just "it's in CIS Level 2."
Broad compatibility. It must not break standard LOB apps — Microsoft 365, line-of-business Win32 apps on .NET, VPN clients, printing, and USB peripherals. If it breaks a common class of app, it belongs in an optional add-on profile, not the baseline.
Settings Catalog source. The baseline is Settings Catalog profiles only, not custom OMA-URI or ADMX ingestion, unless the setting is genuinely only available via custom CSP and is flagged as such in the documentation.
Additive first
If a setting is high-value but too aggressive for a universal baseline, propose it as an optional "hardening add-on" profile rather than pushing it into the core. The baseline settings overview shows the existing add-on pattern.
Preparing Your Contribution
Step 1Export the profileSettings Catalog profile > Export button produces a JSON you can diff.
Step 2Document the whyWrite a short rationale: what threat or gap does this address, what is the CSP path, and what did you test.
Step 3Record the test matrixNote which editions and hardware you validated on — minimum is Win 11 Pro and Enterprise.
Step 4Open a pull requestSubmit the JSON diff and the documentation against the baseline repo; link any relevant Microsoft Learn CSP reference.
What to Include in the Pull Request
The JSON export
Export from Devices > Configuration, select your profile, and use the Export button. The JSON will contain the profile's OMA-URI paths and values in the Settings Catalog format. Strip any tenant-specific fields (assignment group GUIDs, scope tag IDs) before committing — the baseline repo's maintainers will remove these anyway, but clean submissions move faster.
The CSP reference
For every setting you add or change, include the full CSP path and the Microsoft Learn policy reference. Examples: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly. If the setting is surfaced in Settings Catalog under a friendly name, include both the friendly name and the CSP path so reviewers can cross-check. Settings that have known WMI bridge behavior or that interact with the Microsoft Security Baseline deserve a note explaining the relationship — see the baseline import page for how the catalog baseline and the Microsoft Security Baseline are meant to coexist.
The rationale document
One paragraph minimum, covering:
What the setting does. Plain English, not a copy-paste from MSFT docs.
Why it belongs in the baseline. Cite the threat model or the operational problem it solves — not just "CIS recommends it."
What you tested it against. List the apps, editions, and hardware you validated. Specifically note whether you tested against Microsoft 365 Apps, a Win32 LOB app, and a VPN client, because these are the most common breakage points.
Known caveats. Does it require TPM 2.0? Does it conflict with a specific Defender for Endpoint policy? Does it behave differently on Pro vs Enterprise?
The Test Matrix
Test scenario
Required
Notes
Windows 11 Pro (22H2+)
✅
The most common edition in mixed fleets
Windows 11 Enterprise (22H2+)
✅
Required for any VBS/Credential Guard-adjacent settings
Microsoft 365 Apps (Word, Excel, Outlook, Teams)
✅
The most commonly broken app class
A Win32 LOB app on .NET Framework
✅
Many hardening settings break legacy runtime behavior
Windows 10 21H2+
❌
Nice to have; Windows 10 is approaching EOL
TPM 1.2 hardware
❌
Note incompatibility if relevant; not a blocker
Arm64 (Surface Pro X, Copilot+ PCs)
❌
Flag if you tested; increasingly important
Settings That Will Not Be Merged
Propose these
Settings with a clear CSP path that are off by default and have measurable security value
Settings that fix a known misconfiguration pattern seen in production tenants
Corrections where a current baseline value is overly aggressive and breaks a common app
Settings that fill a gap the Microsoft Security Baseline doesn't cover
New profiles for add-on hardening that are clearly scoped and labeled as optional
Don't propose these
Settings only available via OMA-URI when a Settings Catalog equivalent exists
Anything that disables Windows Update mechanisms — the update baseline covers this correctly
Settings that replicate what the Microsoft Security Baseline for Windows already enforces — duplication causes merge conflicts that silently win or lose
Telemetry or diagnostic settings below the "Required" (0) level — these require specific licensing and cause support problems
Settings that are fine in theory but break printing, USB HID devices, or common VPN clients without a mitigation path
Security Baseline overlap
The Microsoft Security Baseline for Windows 11 and the IntuneNerds catalog baseline assign some of the same CSPs.
When both assign the same CSP, the Security Baseline typically wins (it processes as a separate policy type with higher effective priority in conflict scenarios).
Document any overlap explicitly in your PR — reviewers will test the combined assignment to confirm behavior is as expected and not silently broken.
Insights
The most common rejection reason is missing LOB app testing. "Tested on a clean VM" doesn't tell the maintainers whether it will break the dental practice management software or the manufacturing ERP on .NET 4.8 that half the fleet still runs.
Settings Catalog friendly names are not the same as CSP paths. Always include both — Settings Catalog names change across Windows releases; the CSP path does not.
Removals are harder than additions. If you're proposing to drop a setting because it breaks something, provide a concrete example: app name, version, error message, and Event Log source. Vague "compatibility concerns" don't move.
The baseline is not a CIS Benchmark port. CIS L1/L2 includes settings that are technically correct but operationally painful for corporate fleets. Cite the actual threat, not the benchmark number.
Check the full settings overview first. The gap you want to fill may already exist in an add-on profile, or may have been explicitly excluded with a documented reason.
The full Windows baseline at a glance — every profile and what it does.
The IntuneNerds Windows baseline ships as a set of Settings Catalog profiles, each scoped to a specific risk area. This page is the index: every profile, the settings it touches, why it exists, and where to find the deep-dive. Import the baseline once, assign to a pilot ring first, and use this table as your source of truth for what changed and why — essential when you need to explain a setting to a stakeholder or audit team.
The baseline is deliberately opinionated and minimal. It does not try to satisfy every CIS benchmark checkbox; it covers the controls that stop the most common attack paths without breaking the typical commercial app estate. Settings that carry meaningful compatibility risk are noted explicitly. Before deploying to production, review each row below and decide whether your environment needs a tighter or looser value — then document your deviation and contribute it back.
Applies toWindows 10 21H2+ and Windows 11, Entra-joined, MDM-enrolled
Profile typeSettings Catalog (JSON-importable)
RequiresIntune P1 (M365 E3/E5, EMS E3/E5, or standalone)
GotchaMicrosoft security baselines and Settings Catalog profiles can conflict on the same setting — one will win silently. Audit conflicts in per-setting reporting before going broad.
Profile Groups at a Glance
The baseline is shipped as six logical profiles. One profile per risk area means you can enable or roll back an area without touching unrelated controls.
The hardening profile addresses credential theft and local privilege escalation — the two most common post-compromise steps in a Windows environment. These settings have the highest compatibility impact of any profile in the baseline; test on hardware that represents your oldest deployed generation.
Setting
Value
Why
Compat Risk
Enable Virtualization Based Security
Enabled with Secure Boot + DMA Protection
Foundation for Credential Guard
Medium — requires TPM 2.0 and UEFI Secure Boot
Credential Guard Configuration
Enabled with UEFI lock
Isolates LSASS secrets from kernel-mode attacks
Low on modern hardware; blocks some legacy NTLMv1 flows
LM Hash Storage
Disabled
Eliminates trivially crackable hashes
❌ None — LM has been obsolete since XP
NTLMv1 Authentication
Disabled (Send NTLMv2 only, refuse LM & NTLMv1)
Forces NTLMv2 minimum; Kerberos preferred
Low — only old NAS/printers break
Anonymous SID/Name Translation
Disabled
Prevents unauthenticated enumeration of local accounts
❌ None
SmartScreen (OS-level)
Warn and prevent bypass
Blocks known-malicious executables at launch
Low — LOB apps with unsigned binaries will warn
UAC behavior (admin on admin token)
Prompt for consent on secure desktop
Prevents silent elevation by malware
Low — users see more UAC prompts
VBS and Credential Guard on older hardware
Credential Guard with UEFI lock cannot be disabled without a BIOS reset — test on a non-production device before fleet-wide assignment.
Devices that fail VBS pre-checks will show a remediation error in per-setting reporting; they are still protected by other controls, but Credential Guard will not activate.
Account Protection — LAPS and Local Groups
The account protection profile handles two things together: rotating the local administrator password so no two machines share credentials, and locking the local Administrators group to a known, policy-controlled membership. Both are enforced via Settings Catalog.
Setting
Value
Why
BackupDirectory (LAPS)
Entra ID
Keys land in the Entra device record, retrievable by helpdesk with scope-tag-controlled RBAC
PasswordAgeDays (LAPS)
12 hours post-use, 30-day maximum
Limits lateral movement window after an incident
PasswordLength / Complexity
24 chars, all character sets
Brute-force infeasible
LocalUsersAndGroups — Administrators
Restricted to Domain Admins SID + local Administrator account only
Removes ad-hoc elevation that helpdesk granted and never revoked
PostAuthenticationActions
Reset password and logoff interactive sessions
Invalidates any session established with the rotated credential
For the full decision tree on local admin strategy — when to grant, how to break-glass, and how to audit — see the LAPS and Local Admin Strategy deep-dive.
Defender and ASR — Starter Posture
The Defender profile locks in a minimum viable protection posture. ASR rules ship in Audit mode — do not flip to Block until you have reviewed the Audit event logs for false positives against your app estate. Flipping to Block cold is the single fastest way to break a business-critical app and lose trust in the baseline program. See the Defender and Attack Surface Baseline page for the full rule-by-rule breakdown and the audit-to-block workflow.
Setting
Value
Notes
AllowRealtimeMonitoring
1 (enabled)
Non-negotiable floor
CloudBlockLevel
High
Sends unknown binaries to MAPS for immediate verdict
PUAProtection
1 (block)
Catches adware bundled with installers
TamperProtection
Enabled
Prevents local disabling of Defender — requires Defender for Endpoint or standalone Intune management
Controlled Folder Access
Audit mode only (baseline default)
Block mode breaks many legitimate apps; promote after testing
ASR rule set (8 core rules)
Audit
Promote each rule to Block individually after 2-week audit window shows zero false positives
BitLocker — Silent Encryption Defaults
The BitLocker profile targets silent encryption: the user sees nothing, and the recovery key appears automatically in the Entra device record. Prerequisites for silent encryption are a TPM 2.0 chip, no third-party disk encryption, and UEFI Secure Boot. Devices that fail silent-encryption prerequisites will surface an error in the encryption report — they are not silently left unencrypted; they require manual action.
Setting
Baseline Value
Adjust If
RequireDeviceEncryption
1 (required)
Never lower this
EncryptionMethodByDriveType — OS drive
XTS-AES 128
Regulated industries may require XTS-AES 256
ConfigureRecoveryPasswordRotation
2 (rotate on use)
Leave as-is; rotation invalidates retrieved keys
AllowStandardUserEncryption
1
Required for silent encryption when the user lacks admin rights
Pre-boot PIN
Not required (baseline)
Enable if physical tamper risk is high (executives, field workers)
Update Cadence — Defaults That Ship with the Baseline
The update profile is intentionally conservative — defer quality updates a week, enforce them by a hard deadline, and keep feature updates on a named target version. Modify the deferral and target version to match your ring strategy; see the Update and App Baseline page for the full ring model and the path to Windows Autopatch when you're ready to delegate ring management to Microsoft.
Setting
Baseline Value
Intent
DeferQualityUpdatesPeriodInDays
7
Catch Patch Tuesday regressions before fleet-wide
QualityUpdateDeadline
5 days
Devices install by day 12 at the latest
GracePeriodinDays
2
User gets two days of "restart on my terms"
DeferFeatureUpdatesPeriodInDays
180
Stay on current version; promote only when tested
TargetReleaseVersion
Set to current-minus-one GA
Change to latest GA once your pilot ring validates
ActiveHoursStart / End
8 / 22 (8 AM – 10 PM)
Restarts outside working hours
Delivery Optimization matters at scale
The update profile does not configure Delivery Optimization — add a separate DO profile to enable peer-to-peer cache sharing. Without it, every device downloads directly from Windows Update, which is noticeable at sites with constrained WAN links. Set DODownloadMode to 2 (LAN peering) at minimum.
Edge and SmartScreen
The Edge profile uses ADMX-backed Settings Catalog settings (Microsoft Edge channel) rather than the legacy Browser CSP. The settings target security posture, not user experience — bookmark sync, extensions, and browser UI are intentionally left to a separate Edge management profile so you can tune user-facing settings without touching security controls.
Setting
Value
Rationale
SmartScreenEnabled
Enabled, user cannot disable
Phishing and known-malicious site blocking
SmartScreenPuaEnabled
Enabled
Unwanted software blocking in browser downloads
PreventSmartScreenPromptOverride
Enabled
Prevents "proceed anyway" on SmartScreen warnings
PasswordManagerEnabled
Disabled
Direct to a managed credential vault; Edge's built-in PM is not enterprise-monitored
TrackingPrevention
2 (Balanced)
Balanced preserves most LOB SaaS app compatibility
UpdatePolicyOverride
Always allow updates (Stable channel)
Security patches should not be blocked
Insights
Per-setting reporting is your compliance proof. In the Intune console under Devices > Configuration > select a profile > Per-setting status, you can see every setting, its value, and how many devices are in conflict, error, or success. Run this view weekly during a baseline rollout — it surfaces conflicts with the Microsoft security baseline before they become a support call.
The baseline and the Microsoft security baseline will conflict on specific settings. Both touch Defender, BitLocker, and SmartScreen. Decide which wins per setting and document it — the last policy writer wins when both target the same CSP path, but "last" is non-deterministic. Prefer using one source of truth per setting area.
Audit mode ASR rules produce noise in Defender for Endpoint. A large fleet generates thousands of ASR audit events per day in MDE Advanced Hunting. Add a custom detection rule or Kusto query to suppress known-good process/path combinations before you start the audit window.
LAPS PasswordAgeDays and your break-glass process must be aligned. If LAPS rotates every 12 hours and your break-glass runbook emails the password to an on-call engineer, that password is stale in under half a day. Use on-demand retrieval from the Entra device blade — not a cached copy — during incidents.
BitLocker silent encryption fails silently on pre-2018 hardware lacking TPM 2.0. The encryption report shows "Not encrypted" with no error unless you specifically check the device hardware report. Audit TPM version in Endpoint Analytics or Graph before deploying to legacy hardware pools.
Edge ADMX settings require the Edge ADMX ingestion to be complete. New Intune tenants sometimes see "Not applicable" on Edge Settings Catalog settings for 24–48 hours after first use. This is a back-end ingestion delay, not a licensing or assignment problem — wait it out, then re-check.
The OS-hardening core: attack surface, credential protection, and local admin discipline.
The hardening profile is the most consequential piece of the Windows baseline — it is the layer that raises the bar against the attacks that actually compromise enterprise endpoints: credential theft, lateral movement, local privilege abuse, and malicious code execution. The settings here are not theoretical. They map directly to techniques in the MITRE ATT&CK framework that ransomware operators and nation-state actors use against Microsoft-joined fleets every day.
This page covers each hardening control in the IntuneNerds baseline profile, the CSPs that back it, what it mitigates, and where it will cause friction. The goal is not a CIS dump — it is a field engineer's justification for each setting so you can defend your choices, tune what needs tuning, and know what to expect when something breaks.
Applies toWindows 10 21H2+ / Windows 11; most controls require Enterprise or Pro with VBS-capable hardware
Console pathDevices > Windows > Configuration (Settings Catalog)
GotchaEnabling VBS/Credential Guard on hardware that was previously running without it forces a reboot and can break legacy drivers — test on pilot hardware first
Credential Guard and Virtualization-Based Security
Credential Guard is the highest-impact single hardening control you can enable. It moves NTLM hashes and Kerberos tickets out of the normal OS memory space and into a VBS-protected hypervisor enclave, making pass-the-hash and pass-the-ticket attacks significantly harder to execute — even from an admin-level process on the endpoint.
Breaks legacy drivers that are not WHQL-signed — test before broad rollout ⚠️
HVCI and legacy drivers
Memory Integrity (HVCI) blocks any kernel driver that is not properly signed. Printers with legacy print drivers, older VPN kernel-mode components, and some security software agents fail silently or BSoD after enabling it.
Run the Core isolation readiness report (Settings app > Windows Security > Device Security > Core isolation details) on representative hardware before deploying to production. The incompatible driver list appears there.
If a driver fails, the vendor fix is to ship a WHQL-signed driver — not to disable HVCI. Push back on the vendor, not on the baseline.
LAPS and Local Admin Strategy
Shared local admin passwords are one of the most reliable lateral-movement paths in a Windows fleet. Windows LAPS (built into Windows 11 22H2 and backported to Windows 10 with the April 2023 update) rotates the local administrator password automatically and escrows it to Entra ID or Active Directory. See Windows LAPS and Local Admin Strategy for the full deployment guide; this section covers the baseline settings.
Invalidates the session that used the LAPS password — closes the window after support use
Local Users and Groups
By default, Autopilot creates the first user as a local administrator. That is the correct default for the enrollment flow, but you should audit the local Administrators group on every device to ensure accounts do not accumulate there over time. The Local Users and Groups Policy CSP lets you manage group membership declaratively.
Set the Administrators group membership explicitly. In Settings Catalog, navigate to Local Users and Groups and configure the Administrators group to contain only Builtin\Administrator (the LAPS-managed account) and any break-glass user or service account your org requires. Use Restrict action — not Add Members — so the policy controls the full membership, not just appends to it.
Do not add Entra security groups directly to the local Administrators group via this policy as an alternative to giving users standard accounts. That pattern defeats the purpose of local admin discipline and produces audit findings.
Ensure standard user enrollment. In your Autopilot profile, set User account type to Standard. This is the Autopilot setting, not the Local Users and Groups CSP — they are complementary. The Autopilot profile sets the type at enrollment; the CSP prevents it from being escalated later.
Verify local admin group state at scale
Use Graph query GET /deviceManagement/managedDevices?$select=deviceName,localAdminEnabled or pull via Endpoint Analytics to spot devices where local admin membership has drifted from the policy-managed baseline.
SmartScreen and App Control Posture
The baseline sets a defensive posture for SmartScreen and App Control that blocks the most common initial access vectors without requiring a full WDAC policy (which is a separate, more complex deployment). These controls are the realistic starting point for most organizations.
1SmartScreen for apps and filesBlock (not Warn) — Warn prompts users to click through; Block does not
2SmartScreen for EdgeEnable phishing and malware protection at the browser layer
3Potentially Unwanted App blockingEnable in Defender — stops bundled adware and dual-use tools at download time
4Script execution policyAllSigned or Restricted via PowerShell CSP — prevents uncontrolled script execution
1 (Enable) — logs without blocking; pair with SIEM ingestion
MachineScripts or Software\Policies\Microsoft\Windows\PowerShell
Execution policy
AllSigned for high-security environments; RemoteSigned for standard
PowerShell execution policy is not a security boundary
Execution policy can be bypassed with -ExecutionPolicy Bypass by any user. It is a friction control, not a hard block.
For a hard block, App Control for Business (formerly WDAC) is the correct control. The baseline does not enable WDAC by default because it requires a full policy authoring and testing cycle. Consider it the next maturity step after this baseline is stable.
Device Control Posture
Removable storage is a persistent data-exfiltration and malware-delivery vector. The baseline sets a minimal device control stance: removable storage is allowed (blocked by default is too disruptive in most environments) but audited, and AutoPlay is disabled unconditionally. For organizations that need to block USB storage entirely, the dedicated device control policy on the Defender Endpoint Security node gives per-device-class and per-vendor control.
CSP
Value
Rationale
Autoplay/DisallowAutoplayForNonVolumeDevices
1 (Enabled)
Prevents autorun attacks from HID-spoofing USB devices ✅
Autoplay/SetDefaultAutoRunBehavior
1 (Do not execute any autorun commands)
Belt-and-suspenders against AutoPlay for all media ✅
Autoplay/TurnOffAutoPlay
255 (All drives)
Covers AutoPlay on both removable and fixed drives ✅
Defender DeviceControl / AuditRemovableStorage
Enable audit
Generates Event 4663 for removable storage access — feeds SIEM without blocking ✅
Compatibility Cost Summary
Every hardening control in this profile has been chosen to maximize security impact against realistic threats while avoiding the configurations that break common enterprise workloads. The table below summarizes the known compatibility friction so you can test before you deploy broadly.
Control
Known friction
Mitigation
Credential Guard / HVCI
Legacy unsigned drivers (printers, VPN, security agents); some bare-metal hypervisors
Pilot on representative hardware; engage vendors for signed driver updates
LAPS post-auth actions (reset + logoff)
Support engineers forget to note the LAPS password before their session is terminated
Documented support runbook; use the Intune recovery key UX in the portal
Local admin restriction
Apps that silently require local admin (legacy LOB, some dev tools)
Inventory admin-required apps before enforcing; use Endpoint Privilege Management for targeted elevation
SmartScreen Block (not Warn)
Legitimate internal tools downloaded from SharePoint may be flagged on first run
Sign internal tools with a code signing cert; or publish via Intune/Company Portal to avoid the download path
PowerShell AllSigned
Unsigned IT scripts in use today
Audit existing scripts; sign with an internal cert before enforcing; or use RemoteSigned as interim
Insights
Enable Credential Guard before you need it, not after an incident. Once a host is compromised and NTLM hashes are stolen, enabling Credential Guard on other machines does not help the device that was already hit. This is a fleet-wide preventive control — it only works if it is on before the attacker lands.
LAPS without post-auth actions is half the benefit. If you rotate the password but the support session that used it is still running, the credential is still valid. Set PostAuthenticationActions to reset + logoff so the LAPS window closes automatically.
SmartScreen set to Warn is not a control — it is a speed bump. Users click through Warn prompts. Set PreventOverrideForFilesInShell to enforce or accept that SmartScreen is decorative.
Memory Integrity (HVCI) is the hardening setting most likely to surface old hardware problems. If a device fails to boot cleanly after enabling HVCI, check Event Viewer under Microsoft-Windows-CodeIntegrity/Operational — blocked drivers are logged there by name and hash.
Local admin discipline starts in the Autopilot profile, not just the Local Users and Groups CSP. Setting user account type to Standard in the Autopilot profile is the correct first gate. The CSP is the enforcement backstop. Both are required — see LAPS and Local Admin Strategy for the full account model.
The baseline does not include App Control for Business (WDAC) by default — that is a feature, not an oversight. WDAC requires a policy authoring cycle, managed-installer configuration, and application inventory work before it can be safely deployed. The baseline's SmartScreen and HVCI controls cover the initial maturity level; treat WDAC as the next milestone once the fleet is stable.
Microsoft Defender posture and the ASR rules every fleet should start with.
Microsoft Defender Antivirus is already on every Windows 10/11 device — the baseline job is to lock its configuration so it stays on, stays current, and can't be quietly disabled by a user or a piece of malware. Alongside antivirus posture, Attack Surface Reduction rules let you cut off the delivery vectors ransomware and commodity malware actually use: Office macros spawning shells, credential theft from LSASS, script-based execution, and more. Getting both right at enrollment is the single highest-ROI security action you can take on a Windows fleet.
The baseline splits this into two Settings Catalog profiles: one for Defender AV posture (always-on, tamper-protected, cloud-connected), and one for ASR rules deployed in Audit mode first. Audit mode is not optional hygiene — it is how you find which ASR rules break your LOB apps before you're doing emergency rollbacks at 2 a.m. For the full rule-by-rule reference, the ASR Rules Cookbook covers every GUID, its effect, and the most common breakage patterns.
Applies toWindows 10 21H2+ / Windows 11, Intune-managed
RequiresMicrosoft Defender Antivirus (not co-managed with third-party AV); Intune or EMS E3/E5
GotchaTamper Protection must be enabled in Intune — without it, local admins and malware can disable real-time protection regardless of policy
Defender AV Posture Profile
The antivirus profile lives under Endpoint security > Antivirus > Create policy (Platform: Windows 10, 11, and later; Profile: Microsoft Defender Antivirus). Alternatively you can push the same settings via a Settings Catalog profile — the Endpoint Security node is cleaner for AV-specific reporting. The Defender and Endpoint Security Node deep-dive explains which node to use when.
Settings the baseline enables
Setting
Baseline value
Why
Allow Real-time Monitoring
✅ Allowed
Core on-access scanning; disabling it is the first thing malware tries
Allow Cloud Protection
✅ Allowed
Enables MAPS telemetry; required for cloud-delivered protection
Cloud-delivered Protection Level
High
Faster block decisions on zero-day samples; minimal false-positive risk on managed fleets
Allow Scanning of Downloaded Files and Attachments
✅ Allowed
Intercepts browser and email downloads before execution
Potentially Unwanted App Action
Block
Stops adware, bundled junk installers, and crypto-miners at the AV layer
Tamper Protection
✅ Enabled
Prevents registry/service modification; must be managed via Intune — Group Policy cannot enable it
Submit Samples Consent
Send safe samples automatically
Feeds the cloud engine without requiring user prompts on unknown files
Signature Update Interval (hours)
4
Reduces the window between definition release and device update; default 8 h is too wide
Tamper Protection and co-management
If any device is co-managed with Configuration Manager, Intune must own the Endpoint Protection workload for Tamper Protection to apply. Check your co-management workload split before assuming tamper protection is active fleet-wide.
ASR Rules Profile
Attack Surface Reduction rules live in a Settings Catalog profile: Devices > Windows > Configuration > Create > Settings Catalog. Search for Attack Surface Reduction to surface the rule category. Each rule is configured independently with three states: 0 (Off), 1 (Block), or 2 (Audit).
Starter rule set — deploy in Audit first
The baseline starts every rule at Audit (2). After two to four weeks of reviewing events in Endpoint security > Attack surface reduction > Reports (or via Defender for Endpoint's Advanced Hunting), flip confirmed-clean rules to Block (1) one at a time.
Phase 1Deploy all rules in AuditCollect real-world hits for 2–4 weeks with no user impact
Phase 2Review ASR eventsAdvanced Hunting or Intune ASR report; identify which rules fire on legitimate apps
Phase 3Add per-app exclusionsExclude specific executable paths, not whole folders; document every exclusion
Phase 4Flip to BlockRule-by-rule; start with high-confidence rules (credential theft, LSASS) before office-macro rules
Rule (friendly name)
GUID prefix
Baseline state
Common breakage
Block credential stealing from LSASS
9e6c4e1f…
Audit → Block early
Some legacy AV and pentest tools; very low legitimate hit rate
Block Office apps from creating child processes
d4f940ab…
Audit → Block
Macros that shell out; AutoHotKey launchers triggered from Word/Excel
Block Office apps from injecting into other processes
Block abuse of exploited vulnerable signed drivers
56a863a9…
Audit → Block
Uncommon; mainly BYOVD attack paths
Rules that break IT tooling
The Block PSExec/WMI rule fires on ConfigMgr client activity, remote management agents (ConnectWise, N-able), and most IT automation scripts. Leave it in Audit for co-managed or heavily tooled environments, or add targeted path exclusions.
The obfuscated scripts rule fires on some base64-encoded PowerShell used by legitimate packaging tools. Audit for at least four weeks before blocking.
Exclusions apply to the rule globally on the device — prefer executable-path exclusions over folder exclusions, and never exclude C:\Windows\System32 or C:\Program Files.
Controlled Folder Access
Controlled Folder Access (CFA) protects designated folders (Documents, Desktop, Pictures, and custom additions) from unauthorized writes — its primary target is ransomware. It is not included in the default baseline because its false-positive rate on business software is high enough to require per-environment tuning before enabling even in Audit mode.
Fleet with a small, well-known app set and documented write pathsEnable CFA in AuditLow noise; add allowed apps for known writers (backup agents, PDF tools)
Fleet with broad LOB app variation across departmentsSkip CFA for nowASR rules + tamper protection give strong coverage; add CFA in a later baseline iteration
High-value targets (executives, finance, legal)Enable CFA in Block with per-app allowlistWorth the tuning effort; pair with Defender for Endpoint P2 alerting
When you do enable CFA, add allowed apps via the Controlled Folder Access Allowed Applications setting using the full executable path. The backup agent, PDF writer, and accounting package are the usual suspects. See the ASR Rules Cookbook for the full CFA tuning pattern.
Deploying the Profiles
Create the AV posture profile. Navigate to Endpoint security > Antivirus > Create policy. Set platform to Windows 10, 11, and later, profile to Microsoft Defender Antivirus. Apply the settings from the table above. Assign to your pilot device group.
Create the ASR rules profile. Navigate to Devices > Windows > Configuration > Create > Settings Catalog. Add the Attack Surface Reduction category and set each rule to 2 (Audit). Assign to the same pilot group.
Run the pilot for 2–4 weeks. Review ASR events in Endpoint security > Reports > Attack surface reduction rules. Filter by Audit and investigate every hit against a known-good process before dismissing it.
Flip to Block, rule by rule. Edit the ASR profile. Change LSASS and credential-theft rules first; leave PSExec/WMI in Audit if your environment uses remote management tools. Broaden to all devices once Block is validated in pilot.
Reporting latency
ASR Audit events can take up to 24 hours to appear in the Intune ASR report. For faster feedback during pilot, use Defender for Endpoint's Advanced Hunting table DeviceEvents filtered on ActionType == "AsrAuditEvent" — near-real-time and queryable.
Do / Don't
Do
Enable Tamper Protection in the AV profile — it is the enforcement mechanism, not just a setting
Start every ASR rule in Audit and collect events before blocking anything
Use rule-specific exclusions tied to executable paths, not folder wildcards
Pair this profile with the Endpoint Security node for per-device Defender health reporting
Document every exclusion with a ticket number and a justification — exclusions rot over time
Don't
Skip Audit mode and go straight to Block — one poorly understood rule can break a critical LOB app fleet-wide
Exclude entire directories (C:\Users, C:\Program Files) from ASR — it defeats the point
Assume Tamper Protection is active just because it's in the profile — verify the compliance signal or run a Defender health report
Layer a third-party AV alongside Defender without switching Defender to passive mode — both active simultaneously causes scan conflicts and performance problems
Enable Controlled Folder Access without an allowlist — it will break backup agents and PDF writers on day one
Insights
Tamper Protection is the single most important setting in this profile. Without it, every other Defender control can be disabled by a sufficiently privileged process — including malware that acquires local admin. It can only be enforced via Intune, not Group Policy.
The PSExec/WMI rule is a trap for IT-heavy environments. It fires on ConfigMgr, remote management agents, and most automation platforms. Audit it indefinitely or use a device group exclusion rather than disabling it globally.
ASR events in Audit are data, not noise. Every Audit hit is a process that would have been blocked. Dismiss them carelessly and you'll be surprised when you flip to Block.
PUA blocking catches more than you expect. Crypto-miners, adware bundled with freeware, and potentially unwanted browser extensions are blocked at the AV layer before any endpoint detection needs to fire.
Cloud Protection Level "High" is safe for managed fleets. It increases the aggressiveness of cloud-based block decisions on unknown samples. The false-positive risk is real for unmanaged consumer environments; a controlled fleet with known app sets sees very few.
Signature update interval matters at scale. A four-hour interval means the average device is at most two hours behind the latest definitions when measured at the midpoint. The default eight-hour interval leaves a meaningful window on zero-day release days.
The default update cadence and the managed-app posture that ships with the baseline.
The Windows baseline ships not just hardening and Defender posture — it also prescribes the update cadence and managed-app posture that every Intune-managed fleet should start from. These defaults are deliberately conservative: enough deferral to catch a bad Patch Tuesday, enough deadline pressure to prevent stale devices, and a managed-Edge and OneDrive KFM posture that works out of the box for most organizations. Think of this page as the "sensible defaults" companion to the deep-dive Windows Update for Business and Managing Microsoft Edge pages — the baseline ships the starter config; those pages explain every knob.
Each setting in this section ships as a discrete Settings Catalog profile, so you can adopt the update baseline without the Edge baseline, or vice versa. Scope each profile to your Pilot device group first, validate for two Patch Tuesday cycles, then expand. When your fleet is stable and large enough, the update baseline is also the on-ramp to Windows Autopatch — the graduation path is covered below.
Applies toWindows 10 21H2+ / Windows 11, Intune MDM-managed
Profiles in this sectionUpdate ring (WUfB), Edge management, OneDrive KFM, SmartScreen for apps
RequiresIntune Plan 1; OneDrive KFM requires OneDrive sync client (included in M365 Apps)
GotchaDeadline + active-hours interaction; set one or the other deliberately — don't set both blindly
Update Ring Defaults
The baseline ships a single quality-update ring profile named WIN-Baseline-UpdateRing targeting all Intune-enrolled Windows devices (after pilot validation). The profile is intentionally minimal — it sets the values that experience shows most organizations get wrong on their first deployment, and leaves advanced tuning to you.
Setting (CSP)
Baseline value
Why
Quality update deferral period
7 days
One week of bake time catches the most obvious Patch Tuesday breakage without leaving the fleet exposed beyond the typical enterprise SLA
Feature update deferral period
0 days (ring); pin via Feature Update policy instead
Deferral in the ring eventually lets the update through — use a Feature Update policy with an explicit target version to actually control what Windows version is installed
Deadline for quality updates
5 days after deferral expires
Guarantees the device installs the update within 12 days of release; prevents stale devices that never catch up
Grace period (deadline restart)
2 days
Gives users 48 hours to self-schedule a restart rather than being force-rebooted mid-meeting
Active hours
Not configured
Deadline + grace period handles the restart window; active hours adds complexity without benefit for most fleets and can interact badly with the deadline logic
Auto-restart notifications
Enabled (default)
Users see a countdown and can schedule restart — reduces surprise reboots
Pause updates
Not configured (unpaused)
The pause lever is an incident-response tool, not a baseline setting; it is documented in the deep-dive page
Don't mix baseline ring with Autopatch-managed devices
If you register a device with Windows Autopatch, remove it from the baseline update ring. Overlapping WUfB policies produce undefined deferral behavior — shortest setting wins, which usually defeats Autopatch ring logic.
Use an Entra dynamic group with a -not filter on the Autopatch registration group as your baseline ring target, or maintain explicit exclusion groups.
Edge Management Baseline
Microsoft Edge is the browser you manage; the baseline ships an Edge management profile that locks the settings organizations most commonly leave open by default. The profile uses the Administrative Templates or Settings Catalog Edge CSP paths rather than the legacy Edge ADMX import, so it works without any ADMX uplift. For the full Edge configuration deep-dive, see Managing Microsoft Edge.
Setting
Baseline value
Rationale
Configure Microsoft Edge update channel (stable/beta/dev)
Stable
Production devices stay on Stable; you opt-in test devices to Beta separately
Hide the First-run experience and splash screen
Enabled
Removes the consumer sign-in prompt at first launch; users sign in with their Entra account via SSO automatically
Force sign-in and sync to work account
Enabled (IntranetZoneSignInAllowed)
Ensures the Edge profile is the managed work profile, not a personal Microsoft Account profile
Configure Edge SmartScreen
Enabled (block, not warn)
Pairs with the SmartScreen app baseline below; browser-level SmartScreen blocks phishing pages before content loads
Prevent users from overriding SmartScreen warnings
Enabled
Warning overrides are the most common social-engineering bypass; remove the override option
Disable InPrivate mode
Not configured by default
Left to organizational policy; the baseline does not disable InPrivate but comments the setting for easy activation
Edge and the Microsoft Security Baseline
The Microsoft Security Baseline for Edge (available separately in Endpoint Security > Security baselines) is more exhaustive but also more aggressive — it can break internal sites that rely on legacy TLS or mixed-content. The community baseline ships a subset of those settings that are broadly safe. If you import the Microsoft Edge Security Baseline alongside this profile, audit for conflicts before deploying to Broad.
OneDrive Known Folder Move
Known Folder Move (KFM) silently redirects Desktop, Documents, and Pictures into the user's OneDrive, giving you cloud backup and cross-device continuity without any user action. It is one of the highest-value, lowest-friction settings in the entire baseline. The profile ships as a Settings Catalog profile targeting the OneDrive CSP paths. For full configuration and the edge cases (network drives, large existing folders), see OneDrive and Known Folder Move.
Step 1Get your tenant IDSettings Catalog requires the AAD/Entra tenant ID GUID for the KFM policy; find it in Entra ID > Overview.
Step 2Set KFM to silently moveSet KFMSilentOptIn to your tenant GUID. This moves Desktop/Documents/Pictures without a user prompt.
Step 3Block opt-outSet KFMBlockOptOut to 1 so users cannot redirect folders back to local-only storage.
Step 4Validate on PilotConfirm sync status in OneDrive activity center; check for large folder or network-drive edge cases before Broad rollout.
KFM on Shared PC mode devices is a trap
Shared PC mode uses transient accounts that are deleted at storage thresholds. KFM on a shared device attempts to sync personal folders for each transient user, filling disk and generating spurious sync errors.
Exclude shared-PC device groups from the KFM profile. Target KFM only at named-user, personally assigned devices.
SmartScreen for Apps and Files
The baseline ships a SmartScreen profile that extends reputation checking beyond Edge to the Windows shell itself — so that a downloaded executable, a macro-laden Office file opened from Explorer, or an unsigned installer triggers SmartScreen before it runs. The settings live in the SmartScreen section of Settings Catalog (./Device/Vendor/MSFT/Policy/Config/SmartScreen/ CSP).
Setting
Baseline value
Notes
Enable SmartScreen for Microsoft Edge
Enabled ✅
Set here and in the Edge profile for belt-and-suspenders
Enable App Install Control (SmartScreen for apps)
Warn ✅
Block is available but breaks sideloading for some LOB installers; start with Warn and move to Block after audit
Prevent bypassing SmartScreen prompts for files
Enabled ✅
Removes the "Run anyway" button for unrecognized executables — the most common first-stage malware delivery path
Prevent bypassing SmartScreen prompts for sites
Enabled ✅
Paired with the Edge profile setting; belt-and-suspenders
Configure Windows Defender SmartScreen (shell)
Warn (not Block)
Block will prevent unsigned installers from running at all, which is the right long-term posture but requires LOB app signing validation first
Graduating to Autopatch
The baseline update ring is a starting point, not a permanent state. Once your fleet is stable — consistent compliance, no widespread update failures, covered by the Intune Plan 1 license — Windows Autopatch is the natural graduation. Autopatch replaces your manually managed rings with Microsoft-managed Test, First, Fast, and Broad rings and handles pause/resume decisions based on Windows health signals. The licensing requirement (M365 E3/F3 + Autopatch add-on, or M365 E5) and the registration prerequisites (Entra join, diagnostic data, co-management workload handoff) are covered on the Windows Autopatch page.
Fleet under 200 managed devices, full IT control preferred, no Autopatch licensing yetKeep the baseline update ringSeven-day deferral + five-day deadline handles most fleets well; tune per-ring as you grow.
Fleet 200+ devices, M365 E3+ with Autopatch add-on, healthy update postureGraduate to AutopatchRemove the baseline ring from Autopatch-registered devices; Autopatch manages cadence, pause decisions, and reporting.
Mixed fleet — mainstream users plus specialized/exempt devices (VMs, lab, high-stakes)Autopatch for mainstream, baseline ring for exemptRegister mainstream devices in Autopatch; keep the baseline ring targeting an explicit exclusion group for exempt hardware.
Insights
Seven days is the minimum viable deferral, not the default forever. A 7-day quality deferral catches the most egregious Patch Tuesday issues. Once your Pilot ring is running smoothly, consider moving Broad to 14–21 days for a proper bake period — 7 days is conservative for Pilot, not for your whole fleet.
The deadline is what makes patch compliance real. Deferrals are advisory and can be shortened by conflicting policies or user action. The 5-day deadline in the baseline is the enforcement backstop. Without it, "patched within 14 days" is a goal, not a guarantee.
KFM is the cheapest business-continuity win in the baseline. A single device lost to disk failure or theft costs more in data recovery than the storage cost of a year of OneDrive sync for the entire fleet. Deploy KFM to all named-user devices on day one.
SmartScreen "Warn" modes have limited value if users can click through. Set "Prevent bypassing SmartScreen prompts for files" to Enabled. The bypass option is where social-engineering attacks live; removing it is the highest-impact SmartScreen setting.
The Edge baseline and the Microsoft Security Baseline for Edge are not the same thing. The Microsoft Security Baseline for Edge is thorough but aggressive. Import it to a test group and audit for internal-site breakage before deploying broadly alongside this community baseline.
Autopatch does not rescue a broken update posture. If devices are routinely failing updates due to disk pressure, driver conflicts, or Delivery Optimization misconfig, fix those root causes first. Autopatch manages a healthy fleet; it does not fix an unhealthy one.
Windows shared PC mode for pooled, multi-user hardware — the parity story to Shared iPad.
Shared PC mode is a Windows feature built on the SharedPC CSP that turns a standard Intune-managed device into a pooled workstation where any authorized user can sign in, work, and leave — with the OS automatically cleaning up after them. It is the Windows answer to environments where hardware is shared across shifts, sessions, or students, and where per-user provisioning would be operationally unworkable. Think clinical workstations on a nursing floor, library cart laptops, classroom sets, and factory-floor shift PCs.
Shared PC mode is not a kiosk. A kiosk locks a device to one app or a curated shell for a defined role — no one signs in with their own identity. Shared PC mode lets real named users (Entra cloud accounts) sign in, access their cloud apps and data, then sign out. The OS handles account cleanup automatically so the next user starts clean. That distinction drives every architectural decision covered below.
RequiresEntra-joined; no user affinity at enrollment
GotchaAccounts are Entra cloud sign-ins — there is no local or AD-only fallback in pure cloud mode
What the SharedPC CSP Actually Does
When EnableSharedPCMode is set to true, Windows activates a set of account-management and OS behaviors that would otherwise require manual GPO configuration and custom scripts. The key behaviors are:
Automatic account deletion. Local user profiles are deleted when disk space falls below a configurable threshold (default: delete accounts when disk is below 25% free, keep accounts down to 50% used) or after a configurable number of days of inactivity. The deletion policy is controlled by DeletionPolicy and the threshold values DiskLevelDeletion and DiskLevelCaching.
Account model enforcement. The AccountModel setting controls who can sign in: 0 = guest and domain accounts only, 1 = domain accounts only, 2 = guest accounts only. In an Entra-cloud environment, "domain accounts" means Entra cloud identities — not on-premises AD accounts.
Fast first sign-in. Enabling EnableFastFirstSignIn pre-stages a local cache entry so subsequent sign-ins for cached users are faster. On a cold device with no cached profile, a user's first Entra sign-in still hits the network.
Sign-in restrictions. You can restrict who signs in to accounts that have been active recently, or to accounts in a defined group, preventing unauthorized use of the shared hardware.
Maintenance window.MaintenanceStartTime sets the hour (offset from midnight) at which Windows runs maintenance tasks — updates, disk cleanup — so they do not fire mid-shift.
Power policy. Shared PC mode sets an appropriate idle/sleep policy automatically, so devices in a clinical or educational setting stay available without staff manually configuring power settings.
Profiles go to the device, not the user
Target all Shared PC configuration and app assignments to device groups, never user groups. There is no persistent user affinity — the device is the management unit. Apps installed as required device-targeted deployments are present for any user who signs in.
Shared PC Mode vs Assigned Access vs Windows 365
These three options are frequently confused. The choice depends on whether users need their own identity, whether the device does one job or many, and how much you care about data residency on the physical machine.
Shift workers need to sign in with their own identity, run cloud apps, then hand the device to the next personShared PC ModeNamed Entra sign-in, automatic cleanup between users, full Windows desktop
The device does one job — check-in form, digital signage, warehouse scan — and identity does not matterAssigned Access KioskSingle-app or restricted shell, auto-logon, no sign-in required
Users need persistent desktops and settings that follow them across any device, or you are running frontline with central VDI infrastructureWindows 365 / AVDCloud-hosted desktop, full persistence, requires always-on connectivity
Classroom or library cart where students need internet access and Office, but you do not want profiles accumulating on the hardwareShared PC Mode + Education SKUAccount deletion keeps disk clean; Education SKU adds Take a Test and other classroom controls
The Entra Sign-In Reality
A common misconception: Shared PC mode supports "guest" accounts that do not require an Entra identity. That is partly true — you can enable a local guest account for users without Entra credentials — but in a corporate Intune deployment, every sign-in that matters is an Entra cloud sign-in. There is no support for on-premises AD-only (no Entra hybrid sync) accounts in a cloud-native Shared PC deployment. If you are hybrid-joined and syncing identities to Entra via Entra Connect, those synced accounts work fine. If you are purely on-premises, Shared PC mode in the cloud sense does not apply to you.
This differs from Shared iPad, where Apple IDs and Managed Apple Accounts are the mechanism and the comparison is more direct. Windows Shared PC mode is older infrastructure adapted for the Entra era — it works well, but you need to understand the identity plumbing before you deploy it. See Kiosk and Shared PC Enrollment Paths for the Autopilot self-deploying enrollment pattern that pairs with it, and the Shared PC Mode configuration deep-dive for every setting in detail.
Insights
Disk thresholds surprise teams every time. The default deletion policy triggers when free disk drops below 25% — on a 128 GB device with a full Office install, that threshold can be hit by the third or fourth user who signs in. Set your thresholds deliberately and test with realistic app footprints before rollout.
OneDrive KFM and transient accounts are a trap. If you push OneDrive Known Folder Move to shared devices, each user's Documents/Desktop/Pictures start syncing to their OneDrive — and when the profile is deleted at the threshold, the local copy is gone but OneDrive is fine. This is actually the correct behavior, but users who expect local files to persist between sessions will be surprised. Document it clearly in user communications.
Apps must be device-targeted to be present at sign-in. Required apps assigned to user groups will not be present for a user signing into a shared device for the first time unless that user is also in the target group. Deploy everything the shared device needs as device-required. Avoid user-assigned required apps on shared hardware.
First sign-in latency is real. A brand-new Entra user signing into a shared PC for the first time will wait while their profile is created and policies are applied. Fast First Sign-In (EnableFastFirstSignIn) helps for subsequent sign-ins, but that first session is always slower — set user expectations accordingly in shift-worker rollouts.
Build the SharedPC policy and the enrollment path for pooled Windows devices.
The SharedPC CSP turns a standard Windows device into a pool machine — accounts are created on first sign-in, cleaned up automatically when storage drops, and the next user gets a fast, fresh session without IT touching the hardware. Getting it right in Intune takes about a dozen settings across a Settings Catalog profile and an enrollment path that assigns no user affinity. Get either wrong and you end up with stale profiles consuming disk, or a device that enrolls into the wrong Autopilot flow and ties itself to one person forever.
This page walks the full configuration: the SharedPC settings profile, the self-deploying Autopilot enrollment path, device-group targeting, app assignment, and verification. If you haven't read the Shared PC Mode deep-dive covering what the CSP actually does under the hood, start there.
GotchaUser-affinity enrollment permanently binds the device to one user — use self-deploying mode only
Step 1: Create the SharedPC Settings Catalog Profile
Step 1Create the profileNew Settings Catalog profile, platform Windows 10 and later
Step 2Add SharedPC settingsSearch "Shared PC" in the settings picker and configure every key value
Step 3Assign to device groupTarget a dynamic Entra group scoped to shared-PC hardware, not users
Step 4VerifySign in twice, check account cleanup and report status in Intune
Navigate to the profile creation wizard. Go to Devices > Windows > Configuration, click Create > New policy, set Platform to Windows 10 and later, Profile type to Settings catalog.
Search for and add the SharedPC category. In the settings picker, search Shared PC. The category is Shared PC under the Authentication and Accounts namespaces — add the full group. The key settings and their recommended values for a standard shared fleet are below.
Set EnableSharedPCMode to Enabled. This is the master switch. Nothing else in the category has any effect unless this is on. The setting maps to ./Device/Vendor/MSFT/SharedPC/EnableSharedPCMode. Without it, every other SharedPC setting silently does nothing — this is the single most common misconfiguration.
Configure AccountManagement. Enable Account Management Enabled (EnableAccountManager). This activates automatic account deletion. Then set your thresholds:
Delete Threshold Percentage (DiskLevelDeletion): accounts are deleted when disk falls to this percentage free. A value of 25 works well for most carts.
Restore Threshold Percentage (DiskLevelCaching): accounts are retained until disk drops below this. Set to 50 to start deletion before you're in trouble.
Account Deletion Policy (AccountDeletionPolicy): choose Delete at disk space threshold and inactive threshold (value 2) for the most aggressive cleanup — recommended for high-turnover clinical or classroom devices.
Inactive Threshold: number of days since last sign-in before an account is a deletion candidate. 30 days is sensible for shift environments; drop to 7 for daily-turnaround carts.
Set the AccountModel (who can sign in). The AccountModel setting controls which sign-in types are allowed:
0 — Only domain/Entra accounts (no guest). Use for clinical PCs where every user must be authenticated.
1 — Only guest accounts (no Entra sign-in). Useful for kiosk-adjacent walk-up scenarios without a domain.
2 — Both Entra and guest. Flexible but means unauthenticated access is possible.
For most enterprise shared devices, set 0 (Entra accounts only) to ensure every session is tied to an auditable identity.
Configure sign-in restrictions. Enable Fast First Sign In (EnableWindowsInsiderPreviewFastSignIn is a legacy name — the current setting is Enable Fast First Sign In under the SharedPC node). This pre-creates a cached token so the first sign-in for a new Entra user is seconds not minutes. Enable it; the latency difference is significant in clinical handoffs. Optionally enable Sign In On Resume to require re-authentication when the device wakes from sleep.
Set Maintenance Window and Power Policy. Enable Maintenance Start Time and set it to an off-hours hour in 24H minutes-from-midnight (e.g., 120 for 2:00 AM). Set Power Policies to Sleep rather than Hibernate or Shutdown — shared PCs should stay network-connected for policy sync overnight. If the devices have TPM and are always plugged in, sleep is safe.
Name the profile clearly. Use a name like SharedPC - Clinical Carts - v1 so scope and version are obvious in the assignment view. Save the profile.
Key SharedPC Settings at a Glance
Setting (CSP name)
Recommended value
Notes
EnableSharedPCMode
Enabled
Master switch — must be on
EnableAccountManager
Enabled
Activates auto-deletion
DiskLevelDeletion
25
% free disk to trigger deletion
DiskLevelCaching
50
% free disk to cache new accounts
AccountDeletionPolicy
2 (disk + inactive)
Most aggressive; use 1 (disk only) if turnaround is daily
InactiveThreshold
30 (days)
Lower for high-churn deployments
AccountModel
0 (Entra only)
1 = guest only, 2 = both
EnableFastFirstSignIn
Enabled
Reduces new-user sign-in to ~10 seconds
MaintenanceStartTime
120 (2:00 AM)
Minutes from midnight
SetPowerPolicies
Enabled
Forces appropriate sleep/wake behavior
SignInOnResume
Enabled
Re-auth on wake — recommended
Step 2: Enrollment — Self-Deploying Autopilot (No User Affinity)
Shared PCs must enroll without user affinity. If you use user-driven Autopilot, the ESP locks the device to the first person who signs in during setup — subsequent users become secondary accounts. The correct path is Autopilot self-deploying mode, which requires no user interaction during enrollment and leaves the device unaffiliated.
Create a self-deploying Autopilot profile. Go to Devices > Enrollment > Windows Autopilot deployment profiles > Create profile > Windows PC. Set Deployment mode to Self-Deploying. Join type must be Microsoft Entra joined — Hybrid join is not supported in self-deploying mode.
Configure OOBE settings. Hide EULA, privacy settings, and change account options. These screens will never be seen by an end user anyway — the device enrolls autonomously — but setting them properly avoids the OOBE stalling in a corner case. Language and region should be pre-set to avoid keyboard input requirements during provisioning.
Assign the profile to a dynamic device group. Build a dynamic Entra group using the orderIdentifier (group tag) you set on shared-PC hardware at OEM registration — for example, device.devicePhysicalIds -any _ -contains "[OrderID]:SharedClinical". Assign the Autopilot profile to this group. Do NOT assign it to "All Autopilot devices" unless every device in your tenant is a shared PC.
Register devices. Hardware hashes for shared PCs are registered identically to personal devices — OEM/reseller direct upload, or manual via Get-WindowsAutopilotInfo. Set the group tag at registration time so the dynamic group picks them up. For the full enrollment mechanics see Kiosk and Shared PC Enrollment Paths.
Confirm TPM attestation. Self-deploying mode requires TPM 2.0 and TPM attestation during OOBE. If attestation fails, the device stalls at the first ESP screen with error 0x800705B4 or 0x80180018. Validate TPM health on your hardware before bulk deployment — this is the most common self-deploying failure in shared-device rollouts.
Self-Deploying Mode + Enrollment Status Page
The default ESP profile applies to self-deploying devices unless you create a targeted ESP profile for the shared-PC group. If you have blocking apps in your default ESP, they will stall headless enrollment.
Create a dedicated ESP profile for the shared-PC device group with a minimal or empty blocking-app list and a shorter timeout. Shared PCs do not need M365 Apps installed before first user sign-in.
Step 3: App Assignment — Device Groups, Not Users
Because shared PCs have no user affinity, user-targeted app assignments will not apply during enrollment and may never resolve correctly. All apps required at enrollment must be assigned to the device group, not a user group. Available (self-service) apps are irrelevant for shared PCs — Company Portal installed for self-service assumes a persistent personal context.
Do
Assign all required apps as Required to the shared-PC device group
Keep the installed-at-enrollment app set lean — browser, RDP client, departmental LOB app
Use Storage Sense policy alongside SharedPC to ensure OS-level disk cleanup runs alongside account cleanup
Target the SharedPC Settings Catalog profile at the same device group as the Autopilot profile
Don't
Assign apps to user groups and expect them to land during self-deploying enrollment
Install Microsoft 365 Apps as a blocking ESP app — it bloats disk fast on shared devices
Use Available intent for anything — there's no persistent user to see Company Portal
Assign the SharedPC profile to an "All devices" group that includes personal PCs
Verification
Check profile assignment status. In Intune, go to Devices > Windows and find a shared PC. Under Device configuration, confirm the SharedPC Settings Catalog profile shows Succeeded. A state of Not applicable usually means the device is running Windows Home — SharedPC CSP is not supported on Home edition.
Sign in as two different Entra users and confirm separate profiles. Each user should see their own desktop and OneDrive sign-in prompt (though you should NOT configure KFM on shared devices — transient profiles and KFM are a data-loss trap).
Artificially trigger account cleanup. The easiest field test: fill disk past the DiskLevelCaching threshold, sign out, and check HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedPC\NodeCacheList — accounts scheduled for deletion appear here. Alternatively, wait until after the maintenance window and inspect C:\Users for removed profiles.
Review Intune device reports. Confirm Primary User shows as empty — a device with a primary user set has user affinity and is not truly a shared device. If you see a primary user, the enrollment used the wrong Autopilot profile.
No Primary User = Correctly Configured
An empty "Primary User" field in Intune device details is the fastest confirmation that self-deploying enrollment worked as intended. Any name in that field means the device is tied to one person and SharedPC mode is fighting the enrollment model.
Insights
EnableSharedPCMode is the one setting that breaks everything silently if missed. Every other SharedPC setting is a no-op without it — engineers spend an hour tweaking thresholds before noticing the master switch is off.
Account cleanup is disk-triggered, not session-triggered. Accounts are not deleted on sign-out. If your deletion threshold is set too low (e.g., DiskLevelDeletion = 5), cleanup only fires when you're nearly out of disk — set it to 25% or higher so accounts are pruned proactively.
Fast First Sign-In requires network connectivity at the login screen. If the device is on a VLAN that blocks Entra token exchange before user authentication, first sign-in will be slow regardless of the setting. Confirm the device can reach Entra login endpoints before the user touches it.
Self-deploying Autopilot is the right path, but TPM attestation is the failure point. Older refurbished hardware in clinical or education environments often has TPM 1.2 or a misconfigured TPM — test the specific hardware model before committing to a large rollout.
The SharedPC profile must hit the device before first user sign-in. If the profile arrives after the first user has already signed in, the account manager won't retroactively manage that first account. Deploy the profile via the ESP device phase so it lands during provisioning.
What shared Windows fleets actually do in production — the gotchas.
Shared PC mode looks straightforward on paper — enable the CSP, auto-enroll, done. In production it punches back. The failure modes are predictable, but only if you've seen them before. These bullets are drawn from real fleets: clinical shift PCs, library carts, open-plan hot desks, and contact-center pools. Read them before you ship, not after your first 2 a.m. call about a ward workstation that won't accept sign-ins.
The disk-full surprise will happen sooner than the thresholds suggest. The SharedPC CSP account-deletion policy fires when free disk space drops below DiskLevelDeletion (default 25 GB) and stops when it rises above DiskLevelCaching (default 50 GB). On a 128 GB drive that sounds comfortable — until Windows Update, Defender definitions, and a handful of Win32 apps quietly consume 60 GB. Profile accumulation then fills the rest. Set DiskLevelDeletion to 35–40 GB and DiskLevelCaching to 60 GB on smaller drives, and monitor Devices > Monitor > Device storage across the fleet. Account cleanup only runs at sign-out or maintenance window, not on demand — a disk that fills mid-session locks the next user at the sign-in screen.
There is no profile roaming. Plan for it or users will discover it for you. Shared PC mode uses transient local profiles: each Entra sign-in gets a fresh local account, and when that account is deleted, its local data goes with it. Bookmarks, Desktop files, Downloads, local app settings — gone. Users coming from a traditional domain environment with folder redirection will assume roaming exists. It does not. Your only escape hatch is cloud-backed apps: SharePoint/OneDrive for files, browser sync for bookmarks, web apps for everything else. Brief IT support and include a one-liner on the sign-in screen.
OneDrive KFM is a trap on shared PCs — disable it explicitly. If your standard baseline enables OneDrive Known Folder Move, that policy will try to redirect Desktop, Documents, and Pictures to the cloud on every transient shared-PC sign-in. The first KFM prompt is confusing. The sync engine will start for every user session and either complete a partial sync or fail silently. When the account is deleted, OneDrive may leave orphaned sync state in the cloud or generate a flood of "sync stopped" alerts. Deploy a dedicated profile to shared PCs that sets KFMSilentOptIn to 0 and KFMBlockOptIn to 1 — or simply exclude the shared PC device group from any KFM policy.
Windows Hello for Business and shared hardware are a bad combination. Hello PIN and biometric credentials are tied to the device's TPM and the user's Entra token binding — they are per-user, per-device keys. On a shared PC that deletes accounts after each session, users must re-enroll Hello every single sign-in. If your tenant enforces Hello (tenant-wide policy or a compliance requirement), shared PCs will generate a stream of Hello setup prompts and compliance failures. The right answer is to scope Hello policies to personal/assigned device groups and explicitly exclude shared PC device groups. Users on shared hardware authenticate with Entra password or a FIDO2 key they carry.
First sign-in latency will generate helpdesk calls — set expectations. The first time an Entra user signs into a shared PC that has never seen their account, Windows must create the local profile, apply any per-user policies, and load the shell. On a healthy machine with a good network connection this takes 30–90 seconds after the password clears. On a congested ward network at 07:00 shift change, it can stretch to several minutes. This is normal; it is not a broken device. Put a message on the lock screen, train the shift leads, and confirm Fast First Sign-in (EnableFastFirstSignIn) is enabled in the SharedPC settings — it caches credentials in advance to shorten subsequent logins.
Name shared PCs for the floor, not the user. Shared devices should carry location-based or role-based hostnames: WARD3-PC-01, LIB-CART-07, CC-POOL-23. User-based naming conventions break the moment the device moves or a different shift picks it up. Set the naming template in the Autopilot self-deploying profile before enrollment — you cannot rename a device post-enrollment without a wipe. See the Configure Shared PC Mode page for the Autopilot self-deploying path. Keep names short enough to fit on a cable label.
Account model matters more than people expect — Guest vs Entra-only vs both. The AccountModel setting controls which sign-in types are permitted: 0 = only guest/local accounts, 1 = only Entra accounts, 2 = both. Most enterprise deployments want 1 (Entra only) so that every session is auditable and access is controlled by Conditional Access. But in a library or public lab, guest walk-up access (2 or 0) may be intentional. Validate this setting deliberately — the wrong model lets anonymous local accounts bypass your compliance controls entirely, or conversely locks out legitimate guest users who have no Entra license.
When Shared PC mode is the wrong answer, say so early. Shared PC mode is purpose-built for pooled, human-operated workstations where each session is a light cloud-app session. If the workstation runs a single dedicated LOB app (check-in kiosk, queue display, POS terminal), you want Assigned Access kiosk mode instead — not Shared PC. If the use case is ten named workers sharing three physical desks across two shifts, consider Windows 365 Frontline, which gives each user their own persistent cloud PC that follows them regardless of which physical seat they use. Shared PC mode with heavy per-user app states, GPO-redirected printers, and locally installed software is a recurring source of disk exhaustion and ghost-account buildup. Recognize the mismatch and escalate the conversation before deployment, not six months in.
Beyond Shared PC mode: frontline licensing, Windows 365 Frontline, and shift-worker designs.
Shared PC mode handles the pooled-hardware use case cleanly when every user is identical — clinical workstations, classroom carts, anonymous walk-up. But most frontline deployments are messier: shift workers who need their own identity, call-center agents hot-desking across physical seats, warehouse staff on ruggedized shared tablets, or a retailer who just can't afford a 1:1 device ratio. That's where Windows 365 Frontline, F-SKU licensing, and a handful of architectural patterns come in — and where the Intune-only answer runs out of road.
This page maps the full multi-user and frontline landscape, is honest about licensing costs, and gives you the framework to pick the right pattern before you build anything. If you're still deciding whether a physical shared PC even belongs in the picture, start with Shared PC mode first, then come back here.
Applies toWindows 10/11 Pro, Enterprise, and cloud-licensed editions; Windows 365 Frontline
F-SKU key pointMicrosoft 365 F3 includes Windows 365 Frontline licensing — but F1 does not include a Windows OS license
RequiresEntra ID P1 (at minimum) for shared-device conditional access; Intune Plan 1 for device management
GotchaWindows 365 Frontline CPCs are shared cloud PCs — only one user can be active per license at a time, not one per seat
The Frontline Licensing Reality
Before picking an architecture, understand what your licenses actually include. The licensing and editions page covers this in depth, but the frontline-specific summary matters here:
License
Windows OS included
Intune included
Windows 365 Frontline eligible
Microsoft 365 F1
❌ (web/Teams only)
❌ (Intune Plan 1 add-on needed)
❌
Microsoft 365 F3
✅ (via subscription activation)
✅
✅ (1 shared CPC per 3 licensed users)
Microsoft 365 E3/E5
✅
✅
✅ (add-on at full CPC cost)
Windows 365 Frontline (stand-alone add-on)
N/A — cloud PC only
Intune required separately
✅
F1 is not a Windows license
F1 users can run Teams, Outlook, and SharePoint in a browser — that's it. If your frontline workers need a managed Windows session, F1 forces you onto shared physical hardware with a separate Windows OS license or a Windows 365 Frontline add-on.
The "F3 includes 1 Frontline CPC per 3 users" ratio is concurrency, not seat count. If 3 licensed users could ever be active simultaneously, you need more than 1 Frontline CPC license.
The Three Frontline Patterns
Named shift workers, pooled physical hardware — each person signs in as themselves, uses their own OneDrive/Teams, then leavesShared PC Mode + Entra cloud sign-inLowest cost: re-use existing hardware, F3 licenses cover the Windows OS, account management handles cleanup
Truly anonymous walk-up — no personal identity needed, same app set for everyone, device stays in one roomAssigned Access kiosk or Shared PC in guest modeSingle-app or multi-app kiosk is simpler and more locked-down than full Shared PC when no identity is required
Named shift workers, no local hardware to share — users float between locations, work is in the cloud, or hardware refresh isn't possibleWindows 365 Frontline (shared cloud PC)Personal cloud desktop per user, one concurrent session per Frontline CPC license, managed via Intune like any other cloud PC
Windows 365 Frontline in Detail
Windows 365 Frontline is a pooled cloud-PC SKU where each license covers one active session — not one user per seat. You provision cloud PCs in Devices > Windows 365 > Provisioning policies, assign them to a security group, and each licensed user in that group gets a personal cloud-PC identity that persists between sessions. The cloud PC shuts down when the user signs off, freeing the license for another user.
The practical implication: if you have 60 shift workers split across two shifts of 30, you need 30 Frontline CPC licenses — not 60. That's the headline cost saving. What it costs you in complexity: you must accurately model peak concurrency; if 35 workers try to sign in during a shift overlap, 5 will be refused.
Frontline CPC vs dedicated CPC
A standard (dedicated) Windows 365 CPC is always on and assigned to one user. A Frontline CPC is provisioned per-group and allocated dynamically at sign-in. From an Intune perspective they're both cloud PCs — same enrollment, same policy assignment, same troubleshooting path via Windows 365 and AVD in Intune.
Hot-Desking on Physical Hardware
Hot-desking with physical PCs is Shared PC mode done right. The key engineering decisions:
Account model. Set AccountModel to Only guest or domain accounts or Only domain accounts (the "domain" here means Entra-backed cloud accounts). Guest mode is appropriate for truly anonymous users; named shift workers need Entra sign-in so their identity (Teams, SharePoint, OneDrive) follows them. Configure this in Devices > Windows > Configuration > Settings Catalog > SharedPC.
Account deletion thresholds. Set disk-full and inactive-account thresholds aggressively. Production frontline devices fill up faster than office PCs — browser caches, temp files, offline-sync artifacts. A DiskLevelDeletion threshold of 25% (delete accounts when disk drops to 25% free) and DiskLevelCaching at 50% is a reasonable starting point for shared rugged devices.
No OneDrive KFM. Known Folder Move onto a transient Entra account is a trap. Desktop and Documents will sync on first login, then be orphaned when the account is deleted. Disable KFM for shared device groups via a separate Settings Catalog profile targeting those device groups.
Apps to device, not user. Assign all apps as device-targeted Required, not user-targeted Available. User-targeted deployments require the user to be assigned the app license in Intune — this breaks on shift workers who are all in a generic pool. Device assignment ensures the app is present regardless of who signs in.
Compliance and Conditional Access. Shared devices authenticate as the device, not the user, for device compliance. Ensure your CA policies evaluate device compliance (Require compliant device) rather than user-only conditions. A shared device that passes compliance unlocks access for every user who signs into it — understand the security trade-off.
The Decision: Physical Shared vs Cloud PC
Factor
Physical Shared PC
Windows 365 Frontline
Hardware required
✅ You own/manage it
❌ Microsoft provides the compute; you need thin clients or any browser-capable device
User data persistence
Limited — cloud apps only; local profile deleted on threshold
Full personal cloud desktop — persistent between sessions
Performance predictability
Depends on physical hardware age and spec
Consistent SKU-based compute; no hardware variable
Licensing cost at scale
Lower at high concurrency (hardware amortized)
Scales with concurrent sessions — lower than 1:1 dedicated CPCs
Management surface
Intune policies, SharedPC CSP, apps to device
Intune + Windows 365 provisioning policies, same admin center
First sign-in latency
30–120 seconds (profile create on first Entra sign-in)
Cloud PC boots on demand — 60–90 seconds if powered off, near-instant if in saved state
Offline capability
✅ Works without internet (cached credentials)
❌ Requires connectivity; offline = no session
Do
Model peak concurrency honestly before buying Frontline CPC licenses — interview shift supervisors, not HR headcount.
Target apps and policies to device groups on shared physical hardware; user targeting is unreliable when accounts are transient.
Disable OneDrive KFM in the device group that receives SharedPC configuration.
Use Autopilot self-deploying mode (no user affinity) to enroll shared physical devices so no individual user is bound to the device record.
Set a device naming template that encodes location/floor so support staff can physically find the machine — shared devices generate more helpdesk tickets per device than personal laptops.
Don't
Don't assume F3 covers everything — F1 tenants need a Windows license source before any of these patterns work.
Don't buy 1 Frontline CPC license per user — that defeats the entire pooling model and costs more than dedicated CPCs.
Don't use Windows Hello for Business on fully anonymous shared devices; PIN/biometric enrollment won't transfer between accounts and Hello will prompt every new user to register.
Don't put shared devices and personal devices in the same device group — their app, policy, and update requirements diverge significantly.
Don't overlook the offline risk of Windows 365 Frontline in environments with unreliable Wi-Fi; a physical shared PC with cached credentials is more resilient in a warehouse or clinic with patchy connectivity.
Insights
The concurrency math is where most Windows 365 Frontline deployments go wrong. Customers buy one license per user to be safe and immediately erase the cost benefit. Model real shift overlaps — typically 15–20% buffer over peak shift size is enough.
Shared physical PCs surface compliance drift faster than personal devices. Twelve different users sign in over a week; if one leaves a session open or the machine is offline at patch time, you accumulate non-compliant time across all those users. Aggressive update deadlines and short compliance grace periods matter more here.
First-sign-in latency is the top complaint on shared physical hardware. The Entra-backed profile creation on a first sign-in can take 1–2 minutes on slow hardware. Windows Hello setup adds another prompt. Fast sign-in mode in SharedPC CSP (EnableFastFirstSignIn) helps; pre-provisioning the local account cache helps more on clinic/bedside carts where delays cost real time.
Windows 365 Frontline is simpler to manage than a shared physical fleet at scale. No hardware lifecycle, no reimaging, no physical access for reset. The trade-off is the hard online dependency — factor that in for any use case where connectivity isn't guaranteed.
The three faces of a locked-down Windows device — and which one you actually want.
Windows Assigned Access is the platform's answer to the locked-down, purpose-built device. It surfaces through a single CSP — AssignedAccess — but it creates two very different experiences depending on how you configure it: a single-app kiosk that runs one app and nothing else, or a multi-app kiosk that offers a stripped-down shell with a curated set of permitted apps. Neither of these is Shared PC mode, and confusing the three is the most common setup mistake engineers make when building frontline or dedicated-device fleets.
The right mental model: Assigned Access is for dedicated-function devices — a device that does one job and the user is secondary to that function. Shared PC mode is for devices where multiple people sign in and sign out and you want automatic account cleanup. They are complementary, not interchangeable, and Intune can configure both from the Settings Catalog without touching XML directly.
Applies toWindows 10/11 Pro, Enterprise, Education (Pro for single-app; Enterprise/Education for multi-app)
GotchaMulti-app kiosk requires Windows Enterprise or Education; Pro only supports single-app
The Three Modes at a Glance
Mode
Who signs in
App scope
Best for
Edition needed
Single-app kiosk
Auto-logon (local account)
One UWP or Edge browser instance
Digital signage, check-in terminals, POS
Pro, Enterprise, Education
Multi-app kiosk
Local or Entra account (mapped to profile)
Allowlisted apps + locked Start
Task workers, clinical workstations, call centres
Enterprise, Education only
Shared PC mode
Any Entra user (transient)
Full Windows (managed by policy)
Pooled shift PCs, classroom carts, lab stations
Pro, Enterprise, Education
Single-App Kiosk
In single-app mode, Windows boots directly into one application and the user has no access to the Start menu, taskbar, or any other shell surface. The device auto-logs in using a local kiosk account you create before deploying the profile. There are two app types to choose from:
UWP (Store) app — identified by its Application User Model ID (AUMID). The app must already be installed on the device. Common examples: a custom kiosk app, Microsoft Edge (the legacy UWP package), or a LOB UWP from the Store.
Microsoft Edge (kiosk mode) — the modern Chromium-based Edge supports two sub-modes: digital signage (full-screen, no navigation controls, loops a URL) and public browsing (an InPrivate browser with a limited toolbar). This is what most browser-based kiosk and self-service deployments use today.
Edge kiosk vs Edge in a UWP kiosk
The modern Chromium Edge kiosk is configured via the Kiosk profile type in Intune — not via an AUMID. If you try to use the Chromium Edge AUMID in the UWP path it will fail silently at runtime. Use the correct profile type from the start.
Multi-App Kiosk
Multi-app kiosk mode replaces the Windows shell with a locked-down experience: a curated Start menu showing only the apps you allow, a restricted taskbar, and no path to Settings, the desktop, or other shell surfaces. This is the right choice for task workers — call-centre agents, nurses at clinical workstations, warehouse pickers — who need more than one app but must not reach general Windows.
Under the hood, Intune generates an AssignedAccess XML configuration that lists permitted apps by AUMID (for UWP/Store apps) or full executable path (for Win32 desktop apps), maps those allowlists to user accounts or groups, and optionally supplies a custom Start layout XML. Multiple kiosk profiles can be defined in a single configuration and mapped to different accounts, so a shared device can present different app sets depending on who signs in.
Edition gate is enforced at runtime, not at policy assignment
If you push a multi-app kiosk profile to a Windows Pro device, Intune will report the policy as applied but the kiosk shell will not activate.
Check edition compliance before deploying to a mixed fleet. Use a compliance policy or filter on operatingSystemSKU to gate assignment.
The kiosk enrollment path matters too — devices without user affinity should use self-deploying or pre-provisioning, not user-driven Autopilot.
The Auto-Logon Account
Single-app kiosk requires a local account for automatic sign-in — Windows will not prompt for credentials. You create this account on the device (typically via a script or provisioning package during enrollment) and reference it by name in the kiosk profile. The account should have no password expiry and should not be in any admin group.
Multi-app kiosk can use local accounts (same pattern), domain accounts, or Entra accounts. Entra account sign-in in a multi-app kiosk is useful for task-worker scenarios where per-user identity matters for audit or app personalisation, but it introduces a dependency on network connectivity for first-sign-in token acquisition.
Digital Signage vs Task-Worker: Choosing Your Mode
Looping display, no user interaction neededSingle-app — Edge digital signageAuto-logon, full-screen URL, no browser chrome. Zero touch after deploy.
Public walk-up terminal (search, form, reference)Single-app — Edge public browsingInPrivate session resets between users; add an idle-restart policy.
Named employee needing 2-5 specific apps and nothing elseMulti-app kioskMap AUMID allowlist to their Entra account; curate the Start layout.
Multiple workers sharing one device, each needs the same limited app setMulti-app kiosk + local auto-logon or shared Entra accountCombine with Shared PC account-cleanup if you want profile wiping between shifts.
Multiple workers, each with their full managed Windows profileShared PC modeNot a kiosk — see Shared PC mode for the right config.
How Intune Surfaces the AssignedAccess CSP
You configure Assigned Access from Devices > Windows > Configuration > Create > New policy. Choose platform Windows 10 and later and profile type Templates > Kiosk. The wizard then forks into single-app or multi-app paths. Intune wraps the underlying AssignedAccess XML — you do not write raw XML in the wizard UI, though you can deliver custom XML via a Settings Catalog custom OMA-URI (./Device/Vendor/MSFT/AssignedAccess/Configuration) when you need capabilities the wizard doesn't expose yet.
The Kiosk Mode and Assigned Access deep-dive covers every setting in the wizard; this page is your decision guide. Once you know which mode fits, go there for the step-by-step.
What Assigned Access Is Not
It is not a security boundary. A motivated user with physical access and knowledge of keyboard shortcuts (Ctrl+Alt+Del, Shift+F10 during boot) can escape a poorly hardened kiosk. Pair Assigned Access with a solid enrollment and enrollment-lock strategy, disabled Ctrl+Alt+Del sequences, and maintenance-window-only restarts.
It is not a replacement for AppLocker or App Control. Assigned Access restricts the shell; AppLocker/App Control restricts execution. For high-security kiosks, run both.
It is not designed for roaming profiles or OneDrive KFM. Kiosk local accounts do not roam. Do not configure KFM against the kiosk auto-logon account.
Insights
AUMID typos are silent killers. An incorrect AUMID in single-app mode causes the kiosk to fail to launch — the device lands on a black screen or falls back to a standard desktop. Always validate AUMIDs with Get-StartApps on a reference device before putting them in policy.
Pro edition support for multi-app is gone. Windows 11 made multi-app kiosk Enterprise/Education only with no exceptions. If you have a Pro fleet and need multi-app, you need subscription activation to Enterprise or a new SKU decision.
Edge kiosk updates can break your display loop. Edge auto-updates by default. Pin or defer Edge updates on kiosk devices via the Edge management policy or a Windows Update ring, and test updates in a pilot ring before they hit signage displays.
The auto-logon account and BitLocker are compatible — but you must configure BitLocker in network-unlock or startup-PIN-suppressed mode. A kiosk that stops at a BitLocker PIN prompt defeats the auto-logon entirely.
Multi-app kiosk is not frontline MDM. It solves the shell problem, not the identity or app-lifecycle problem. For large frontline fleets, layer in Intune Shared PC account hygiene or Windows 365 Frontline for pooled cloud desktops.
Lock a Windows device to one app or a browser — signage, check-in, POS.
A single-app kiosk collapses the Windows shell to one thing: one app, one account, no escape. Assigned Access — delivered via the AssignedAccess CSP — is how Intune implements it. The device auto-logs into a local kiosk account, launches the designated app full-screen, and never shows a taskbar, Start menu, or desktop. When the app closes, Windows restarts it. That loop is the entire UX for a check-in terminal, a digital-signage display, or a point-of-sale device.
You have two application choices: a UWP (Store) app or Microsoft Edge running in one of its two kiosk modes. Desktop Win32 apps are not supported in single-app kiosk — if you need a Win32 app locked to full-screen, you want a multi-app kiosk with shell-launcher instead. Clarify this before you start; it saves the most common support call.
Applies toWindows 10/11 Pro, Enterprise, Education (Assigned Access requires Pro or higher)
RequiresIntune license; device enrolled via self-deploying Autopilot or other no-affinity path recommended
GotchaWin32/desktop apps are NOT supported in single-app kiosk; use multi-app kiosk with Shell Launcher instead
Choose Your Kiosk App Mode
Mode
App Type
Best For
Edge Mode Required
UWP kiosk
Microsoft Store / UWP app
Custom LOB kiosk apps, specialized Store apps
N/A
Edge — Digital Signage
Microsoft Edge
Displays, dashboards, read-only web content; no UI chrome
Digital Signage
Edge — Public Browsing
Microsoft Edge
Check-in, library, shared browse terminal; InPrivate, reset on idle
Public Browsing
Digital Signage vs Public Browsing
Digital Signage mode launches Edge full-screen with no address bar, no navigation controls, and no way for a user to navigate away. Public Browsing shows a minimal browser chrome and resets to the configured URL after a configurable idle period. Pick the wrong one and users will either be stuck on a sign (digital signage on a check-in desk) or browsing freely (public browsing on a digital display).
Step-by-Step: Create the Kiosk Profile
Step 1Create the local kiosk accountA local, password-less account that auto-logs in — never use a domain or Entra account here
Step 2Build the Settings Catalog profileAssigned Access + Lock Screen settings configure the shell restriction and auto-logon
Step 3Apply supporting restrictionsPower, Ctrl+Alt+Del, and update behavior policies complement the kiosk profile
Step 4Verify and document the exit pathConfirm the device enters kiosk mode and you know how to break out for maintenance
Step 1 — Provision the Kiosk Account
The auto-logon account must be a local account. Create it via a Settings Catalog profile or a PowerShell script deployed before the kiosk profile applies. The account needs no password and no privileges beyond local Users.
Create the local account. In a Settings Catalog profile (or via a PowerShell Intune script), create a local user named KioskUser (or your chosen name). Set a blank password and ensure it is not in the Administrators group.
Note the exact username. The Assigned Access configuration references this name verbatim. A mismatch silently fails — the device boots to normal desktop.
Step 2 — Build the Settings Catalog Profile
Navigate toDevices > Windows > Configuration > Create > New policy. Choose platform Windows 10 and later and profile type Settings Catalog.
Search for "Assigned Access" in the settings picker. Add the Assigned Access > Configuration (Device) setting. This is the CSP-backed XML blob that defines the kiosk.
For a UWP kiosk, set Kiosk Type to Kiosk, enter the App User Model ID (AUMID) of your UWP app, and set the Account Name to match the local account you created. The AUMID format is PackageFamilyName!AppId — get it from the Store listing or via PowerShell: Get-AppxPackage | Select Name, PackageFamilyName. An incorrect AUMID means the device loops to a black screen.
For an Edge kiosk, set Kiosk Type to Kiosk and select Microsoft Edge as the application. Configure:
Microsoft Edge Kiosk Mode Type: Digital Signage or Public Browsing
Kiosk URL: the URL Edge loads on launch and after idle reset
Idle Time to Reset (Public Browsing only): seconds before the session resets; 0 disables reset. See Edge management for further Edge-specific policy layering.
Add the Auto Logon settings. Search for Windows Logon > Enable Automatic Logon (or use the Assigned Access > Auto Logon settings). Set the username to your kiosk account. Auto-logon is what makes the device boot directly into kiosk mode without a user touching a keyboard.
Name and save the profile, then assign it to the device group containing your kiosk hardware. Assign to devices, not users.
AUMID typos are silent failures
A wrong AUMID does not produce an error in the Intune console — the device just boots to a black screen or restarts in a loop.
Validate the AUMID on a test device before fleet deployment: run Get-AppxPackage -Name "*yourapp*" | Select PackageFamilyName and cross-check against the app manifest.
For Edge, the AUMID is Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App for the stable channel — confirm the channel you have installed.
Step 3 — Apply Supporting Restrictions
A kiosk profile alone does not prevent a savvy user from pressing Ctrl+Alt+Del, accessing power options, or triggering update restarts during business hours. Layer these additional Settings Catalog settings in a separate profile or the same one:
Disable the Windows security dialog. Under Windows Logon Options, enable Disable or Enable Software Secure Attention Sequence to suppress the Ctrl+Alt+Del screen for local accounts.
Restrict power options. Set Power > Select the Power Button Action on Battery/Plugged in to Do Nothing or Sleep to prevent accidental shutdown.
Set an update maintenance window. Use Windows Update for Business active hours (or an Update Ring) to prevent restarts during operating hours. A kiosk that reboots at 2 PM for a quality update is a problem. Target a maintenance window like 02:00–04:00.
Disable Task Manager and context menus if needed via Windows Restrictions > Prevent Access to Task Manager and related settings.
Lock the screen saver to blank or kiosk-appropriate. Screensavers can break digital-signage flows; set timeout or disable entirely under Control Panel > Personalization settings.
Step 4 — Verify and Know the Exit Path
Sync the device from Devices > Windows > select device > Sync, then confirm the profile status shows Succeeded.
Reboot the device and confirm it auto-logs in and launches the kiosk app without presenting a desktop.
Test your exit path. The standard administrative exit: press Ctrl+Alt+Del (if not disabled), sign in as a local admin or use an on-screen keyboard shortcut specific to your configuration. Alternatively, use the Intune Remote Lock or boot to recovery to log in as a different account.
For Edge Public Browsing, confirm the idle-reset timer fires by waiting for the configured timeout period and verifying the session resets to the kiosk URL.
Enrollment path matters
Single-app kiosks should enroll with no user affinity — use self-deploying Autopilot mode. User-driven enrollment ties the device to a user object, complicates the auto-logon account, and creates stale compliance states when no named user is associated with a kiosk device.
Decision: UWP App vs Edge Kiosk
You have a custom or Store UWP app built for kiosk useUWP App KioskFull-screen, no browser chrome, tightest lockdown
You need a website or web app as the kiosk surfaceEdge — Digital Signage or Public BrowsingFastest path; no app packaging required
The app is a Win32/desktop .exeMulti-App Kiosk with Shell LauncherSingle-app kiosk cannot run Win32 — see Kiosk Mode and Assigned Access
Insights
The auto-logon account must exist before the kiosk profile applies. If the Assigned Access CSP writes its configuration referencing a user that doesn't exist yet, the device silently falls back to normal shell. Deploy account creation as a prerequisite script with a dependency on the kiosk profile.
BitLocker and kiosk auto-logon are compatible — but require care. BitLocker with TPM-only unlock works fine. Pre-boot authentication (PIN or USB) is incompatible with an unattended kiosk; TPM-only is the correct BitLocker mode here.
Updates can break the loop. Quality updates that require a restart will complete and then return the device to kiosk mode — but only if the restart completes cleanly. A failed update leaving the device in Windows Recovery Environment is a field incident. Set a maintenance window and monitor update compliance on kiosk groups separately from the general fleet.
Edge digital signage needs a stable network. If the device loses its connection, Edge shows its offline error page instead of your sign. Set a local fallback page in the kiosk URL policy or use a cached progressive web app where offline resilience matters.
Name kiosk devices for the floor, not the asset tag. A hostname like KIOSK-LOBBY-01 makes remote-action targeting, Intune filters, and incident response far faster than a random OEM serial-derived name.
A restricted shell with a curated app set for task workers.
Multi-app kiosk mode locks a Windows device to a curated set of applications and a controlled shell experience — no arbitrary app launches, no Settings access, no way for a task worker to wander into territory you haven't approved. It is the right answer for clinical workstations, warehouse line supervisors, retail floor associates, and any worker whose device should run exactly three apps and nothing else. Unlike the single-app kiosk, multi-app mode preserves a full (but stripped) Windows shell: a Start menu that shows only what you allow, a taskbar you control, and a desktop that behaves normally for the apps in the allowed list.
Multi-app kiosk is delivered via the AssignedAccess CSP, specifically the Configuration node that accepts an XML payload. Intune wraps this in a device configuration profile so you don't have to hand-craft a custom OMA-URI — mostly. The XML itself still matters, and getting it wrong silently breaks the profile with no meaningful error in the portal. This page covers the end-to-end build: the Intune profile wizard, the XML structure for allowed apps, Start layout, taskbar and file-explorer restrictions, multi-user profile mapping, and the combination patterns with Shared PC mode.
Console pathDevices > Windows > Configuration > Create > Kiosk
RequiresIntune license; Windows Enterprise or Education for multi-user multi-profile
GotchaA single AUMID typo silently leaves the profile in a broken state — no error surfaced in Intune reporting
How Multi-App Kiosk Works
When the AssignedAccess multi-app XML applies, Windows replaces the default shell with a locked-down variant. The allowed-apps list controls what appears on Start and what the user can launch. Everything outside that list is blocked at the shell level — not by AppLocker or WDAC, just by the shell not surfacing it. The account that runs the kiosk session can be a local account (auto-logon for single-user dedicated devices) or an Entra account (for named-user task workers). You can define multiple kiosk profiles in one XML payload and map each profile to a different user or group — useful when the same device serves a supervisor and a line associate.
Intune profile type vs custom OMA-URI
The built-in Kiosk profile type (under Templates in the configuration profile wizard) exposes the most common multi-app settings through a UI. For advanced XML — multiple user profiles, precise Start layout pinning, taskbar show/hide per app — you will need to export the generated XML, edit it, and push it via a custom OMA-URI at ./Device/Vendor/MSFT/AssignedAccess/Configuration. Both paths write the same CSP node.
Build the Profile in Intune
Step 1Create a Kiosk profileDevices > Windows > Configuration > Create > New Policy > Windows 10 and later > Templates > Kiosk
Step 2Choose Multi app kioskUnder Kiosk mode, select "Multi app kiosk" — this unlocks the app-list and Start layout fields
Step 3Add allowed apps and configure StartAdd each app by AUMID (Store/UWP) or full Win32 path; then import or configure a Start layout
Step 4Assign to a device groupTarget a device-based Entra group — multi-app kiosk config is device-scoped, not user-scoped
Allowed Apps: AUMIDs and Win32 Paths
Every application in the kiosk must be explicitly listed. The profile accepts two types:
App type
Identifier format
How to find it
Store / UWP app
AUMID — e.g. Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
Get-StartApps PowerShell on a reference device; or Get-AppxPackage | Select Name, PackageFamilyName
Win32 / desktop app
Full executable path — e.g. C:\Program Files\MyApp\myapp.exe
Process monitor or Get-Process | Select Path while app is running
Run Get-StartApps — the old EdgeHTML AUMID will not work on current Windows
AUMID pitfalls that silently break kiosk
Copy-pasting AUMIDs from old blog posts often gives you the legacy EdgeHTML or legacy Office AUMIDs — they no longer resolve on current Windows 11.
An AUMID with a single character wrong applies without error in Intune but the app simply never appears on Start. Validate on a test device before broad rollout.
Win32 paths are case-insensitive on NTFS but whitespace matters — trailing spaces in the XML will cause the entry to fail.
Apps not listed here are blocked at the shell level, but a user who finds a file association or a direct UNC path may still be able to invoke unlisted processes. Pair with AppLocker or WDAC if the threat model demands it.
Start Layout and Taskbar
Multi-app kiosk Start is controlled by an XML Start layout blob embedded in (or referenced from) the AssignedAccess XML. You build this with the Export-StartLayout PowerShell cmdlet on a reference machine configured the way you want, then paste the output into Intune's Start layout field or embed it in the custom XML.
Configure the reference machine. On a Windows 11 test device, pin exactly the apps you want to the Start menu. Remove everything else.
Export the layout. Run Export-StartLayout -Path C:\layout.xml. Open the file and verify every tile refers to an AUMID in your allowed-apps list — a Start layout that pins an app not in the allowed list renders the tile as a blank square or a crash.
Import into Intune. In the Kiosk profile under Start menu layout, paste the XML content. Intune accepts the raw XML; you do not upload a file.
Taskbar control. The multi-app kiosk profile has a Show taskbar toggle. For task-worker devices where you want the taskbar visible (clock, app switching), leave it on. For signage-style locked-app experiences, hide it. Further taskbar customization — pinned icons, system tray items — requires the Start Menu and Taskbar Settings Catalog settings layered on top of the kiosk profile.
File Explorer access
If you need to expose File Explorer (e.g., for workers who must open documents from a network share), add it explicitly: AUMID is not applicable — add the Win32 path C:\Windows\explorer.exe. Without it, the shell will suppress Explorer entirely, including any "Open file" dialog triggered by another app.
Multi-User Profile Mapping
A single AssignedAccess XML can define multiple <Profile> elements and map each to a different account. This is the mechanism for "supervisor sees four apps, associate sees two" on the same hardware:
Define each profile block with a unique Id GUID, its own <AllowedApps> list, and its own <StartLayout>.
Map accounts to profiles in the <KioskModeApp> or <Configs> section: reference the profile Id and the account (local account name, or Entra UPN, or an Entra group SID).
Entra group SID mapping requires Windows 11 22H2 or later. On Windows 10 or older 11 builds, you must map individual user accounts — group-based mapping is not supported.
Auto-logon accounts (for single-purpose, no-sign-in devices) must be local accounts. You cannot auto-logon with an Entra identity.
Pro edition limit
On Windows Pro, only a single kiosk profile is supported. Multi-profile (multi-user) XML requires Windows Enterprise or Education.
If a Pro device receives a multi-profile XML, it typically applies only the first profile and silently ignores the rest — no error in Intune.
Combining Multi-App Kiosk with Shared PC Mode
Multi-app kiosk and Shared PC mode can be deployed together: Shared PC handles account lifecycle (automatic deletion at disk thresholds, fast sign-in cache) while multi-app kiosk handles what those accounts can do once signed in. This is a common pattern for clinical shared workstations — any nurse signs in with their Entra account, gets a kiosk shell with exactly the clinical apps, and the account is cleaned up after the session.
Scenario
Use Shared PC
Use Multi-App Kiosk
Anonymous walk-up, one person at a time, no sign-in
❌
✅ (local auto-logon account)
Named users, pooled hardware, account cleanup needed
✅
✅ (layered together)
Named users, full Windows experience
✅
❌
Single dedicated task worker per device
❌
✅ (local or Entra account)
Validation and Troubleshooting
Check profile assignment status in Devices > Windows > Configuration > your policy > Device and user check-in status. A "Succeeded" state means the XML was delivered and parsed — it does not mean every AUMID resolved correctly.
Sign in on the device as the kiosk account. If Start shows blank tiles or missing apps, the most likely cause is AUMID mismatch. Re-run Get-StartApps on that device to confirm the installed AUMID matches what's in the XML.
Review the MDM diagnostic report. Run mdmdiagnosticstool.exe -area DeviceProvisioning -zip C:\mdm.zip, extract, and search MDMDiagReport.xml for AssignedAccess. Configuration errors that the portal silently ignores often surface here.
Event log. Check Event Viewer > Applications and Services Logs > Microsoft > Windows > AssignedAccess > Admin for shell-level errors when the kiosk session starts.
Exit the kiosk for admin work. Hold Ctrl+Alt+Del and sign out, then sign in with a local admin account not mapped to a kiosk profile. That account gets the full shell. Do not delete or rename the kiosk local account while the profile is assigned — the auto-logon reference breaks.
Insights
The profile applies at next check-in, not immediately. After assigning the kiosk policy, the device needs to check in (up to 8 hours, or trigger a sync via Company Portal / deviceenroller.exe /o). The kiosk shell won't appear until after the next user sign-in post-sync.
Windows Updates can break the kiosk shell on restart. A feature update that changes the Edge AUMID or moves a system app will silently remove those tiles. Schedule a validation pass after every feature update cycle and pin your allowed-apps XML to a change-control workflow.
BitLocker and the auto-logon account interact. If you enable BitLocker on a kiosk device with auto-logon, the drive unlocks at pre-boot (TPM-only), the auto-logon fires, and the kiosk shell starts — this works correctly and is the expected pattern. Do not require a PIN pre-boot on auto-logon kiosks; it defeats the purpose.
Intune's UI-built profile caps out at basic multi-app. For multi-user profile mapping, nested group SIDs, or a custom taskbar layout per profile, you will need to write the XML by hand and deliver it as a custom OMA-URI. The UI wizard generates valid XML but doesn't expose the full AssignedAccess schema.
Hard-won lessons running locked-down Windows fleets.
Kiosk deployments look simple from the Intune console: assign a profile, reboot, done. On the floor they behave differently. A single character wrong in an AUMID, a quality update that fires at noon, or a BitLocker policy that expects a PIN — any of these turns a check-in terminal into a black screen with no obvious recovery path. These bullets are drawn from kiosk fleets in healthcare lobbies, retail floors, manufacturing lines, and library self-service desks. Read them before you build, not while you're standing next to a wedged device in front of impatient users.
AUMID typos are the number-one silent failure mode — validate before you deploy. The Assigned Access CSP accepts any string in the app identifier field and reports Succeeded in the Intune console regardless of whether that string maps to a real installed app. A one-character typo sends the device into a boot-to-black-screen loop with no error surfaced remotely. Before assigning the single-app kiosk profile to a device group, validate the AUMID on a single test machine: run Get-AppxPackage | Where-Object {$_.Name -like "*yourapp*"} | Select PackageFamilyName and compare character-by-character against what you entered in the profile. For Edge, the stable-channel AUMID is Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App — confirm the channel installed on the device matches. A AUMID that worked last quarter can break after a channel change.
Edge in kiosk mode updates itself, and that update can restart the shell mid-shift. Microsoft Edge updates independently of Windows quality updates. In a single-app Edge kiosk, Edge may download and apply an update during operating hours, restart itself, and briefly drop to desktop or loop back to the kiosk URL with a flash of blank screen. The Assigned Access shell usually recovers within seconds, but on signage displays it is visually jarring; on interactive kiosks it can confuse or interrupt an active user session. Mitigate by setting the Edge update policy (Update/UpdateDefault or the Microsoft Edge Update ADMX settings in Settings Catalog) to defer auto-updates outside a maintenance window, or deploy Edge updates via the Enterprise App Catalog with a controlled rollout. See Configure a Single-App Kiosk for the full restriction stack.
The auto-logon account and BitLocker must be reconciled deliberately. BitLocker with TPM-only unlock is fully compatible with kiosk auto-logon — the drive unlocks at boot before Windows hands off to the auto-logon account, so no user interaction is needed. What breaks kiosks is BitLocker pre-boot authentication: a PIN or USB key requirement prevents unattended boot entirely. If your baseline policy enforces Require startup PIN with TPM or Require startup key with TPM, exclude kiosk device groups from that setting and keep them on TPM-only. Similarly, Windows Hello for Business should never be targeted at kiosk accounts — the auto-logon account is a local account with no Entra identity, so Hello enrollment will fail silently and may generate a stream of compliance alerts if your policy targets the device rather than the user.
When a kiosk wedges, your recovery path needs to be designed in advance, not improvised on-site. A device in Assigned Access that loses its kiosk app (app crash, failed update, AUMID mismatch after a Store update) often sits at a blank screen or restarts in a loop. Recovery options in priority order: (1) trigger a Sync or Restart from Devices > Windows > select device in the Intune console — if the device is online this often resolves a transient kiosk-shell restart failure; (2) use Remote Lock or Remote Wipe if policy correction is needed; (3) physical access — press Ctrl+Alt+Del (if you have not disabled it with the Disable Software Secure Attention Sequence setting), switch to a local admin account, and diagnose. If you have disabled Ctrl+Alt+Del, document the physical recovery procedure — a USB keyboard sequence or a local admin login method — and keep it in your runbook. A kiosk with no documented recovery path is a liability the first time it wedges at 8 AM.
Quality updates that require a restart will interrupt the kiosk session unless you set a maintenance window. Windows Update for Business defers and deadline settings control when restarts happen, but without a configured active-hours or maintenance-window policy, Windows is permitted to restart a kiosk device during business hours once a deadline passes. Set Active Hours to cover your operating window (e.g., 06:00–22:00) and target a restart deadline that forces the reboot at a known overnight window. In the multi-app kiosk context, verify that the update ring assigned to kiosk devices is scoped separately from the general fleet — kiosk machines often have different uptime requirements and tolerance for restarts. Monitor the Intune Windows Update compliance report for kiosk groups specifically; they are frequently omitted from update dashboards and fall behind unnoticed.
Name kiosk devices for the location and function, not the asset tag. Hostnames like KIOSK-LOBBY-01, SIGNAGE-CAFE-03, or POS-STORE42-02 let you build Intune filters, target remote actions, and respond to incidents without opening a CMDB lookup. Set the naming template in the Autopilot self-deploying profile — it cannot be changed post-enrollment without a wipe. Keep names under 15 characters to respect legacy NetBIOS limits and make them fit on cable labels. Kiosk devices have no regular user touching them, so asset-tag or serial-based names that work for personal devices provide no operational value here.
A kiosk that runs one web URL is not the same problem as a kiosk that runs a Win32 LOB app. Single-app kiosk via the Assigned Access CSP only supports UWP apps and Microsoft Edge. If the "one app" is a Win32 desktop executable, you need Shell Launcher (a different CSP) rather than Assigned Access — the configuration path in Intune is different, covered on the multi-app kiosk page. Clarify the app type before you start building: opening the wrong profile type and trying to force a Win32 path into an Assigned Access UWP slot is a common wasted afternoon.
Know when the right answer is Shared PC mode or a signage appliance, not Assigned Access. Assigned Access kiosk mode is the right tool for a device locked to one user experience with no interactive sign-in. If multiple shift workers need to sign in with their own Entra identities to a restricted app set, that is a multi-app kiosk or — if profile isolation between users matters — Shared PC mode. If the device is a passive display cycling through content on a loop with no user interaction at all, a commercial signage appliance running its own OS often has better remote management tooling, better display scheduling, and no Windows licensing overhead. Intune kiosk mode is excellent; it is not the right abstraction for every locked-down display in the building.
Locate and remotely lock a missing Windows PC — and the honest limits.
Windows has no equivalent of iOS Lost Mode. There is no GPS ping, no on-screen message to the finder, no remote activation of a lock screen PIN the owner sets. That is not a gap Intune fills — it is a fundamental platform difference you need to communicate to security teams before an incident happens. The real toolkit is narrower than most engineers expect: a Remote Lock action that works only on enrolled devices that are online, a consumer-grade Find My Device feature with significant restrictions in corporate contexts, and BitLocker — which is the actual data-protection control that matters when a laptop disappears.
This page walks each tool honestly, explains where each one applies, and frames the correct mental model: on Windows, your goal when a device goes missing is to protect data, not to track down the hardware. Encryption and remote wipe are the real answers; find and lock are secondary.
RequiresDevice online at time of action; Intune license assigned
GotchaRemote Lock does not set a PIN on Windows — it just locks the screen; only BitLocker protects data at rest
Remote Lock — What It Actually Does
The Remote lock action (Devices > Windows > select device > Remote lock) sends a lock command to the device the next time it checks in. On Windows, this is analogous to pressing Win+L: the screen locks and the user must sign in again. It does not set a recovery PIN, does not prevent BitLocker bypass if encryption is not in place, and does not isolate the device from the network.
Remote Lock is not data protection
If the drive is not BitLocker-encrypted, a locked screen is trivially bypassed by booting from external media.
The action queues if the device is offline — it runs when the device next connects, which may be never.
Hybrid-joined devices that have not synced recently may not receive the command before the battery dies or the device is reset.
Use Remote Lock as a fast first step while you assess the situation — it raises the friction to access without requiring a wipe. It pairs naturally with the steps in the stolen-device playbook.
Find My Device — The Consumer Feature and Its Corporate Limits
Windows has a built-in Find my device capability tied to the Microsoft Account or, on Entra-joined machines, to the signed-in Entra user. It uses the device's last-known location from Windows Location Services and surfaces it at account.microsoft.com/devices. For corporate Entra-joined devices, this means:
Location Services must be enabled on the device. In a locked-down fleet, many organizations disable location services via policy — a setting that kills Find My Device silently.
The feature is controlled by the Experience/AllowFindMyDevice CSP (also accessible in the Settings Catalog under Experience > Allow Find My Device). It defaults to 1 (enabled) but if your security baseline or a prior GPO set it to 0, the feature is inactive across your fleet.
Even when enabled, the location shown is the last location recorded while Location Services was active — it is not real-time GPS tracking. On a stolen device where the thief has not connected to Wi-Fi or left a known cell tower area, the coordinate may be hours or days stale.
Location data is only visible to the signed-in user at account.microsoft.com; IT admins cannot see it from the Intune portal. There is no centralized fleet location view equivalent to Apple's Business Manager or MDE device-map view.
Check your CSP before you need it
Audit whether Experience/AllowFindMyDevice is set to 1 in your fleet today, not when a device goes missing. If your security baseline disables it, decide whether to re-enable it for non-kiosk devices and document the decision.
Locating a Device via Intune and Endpoint Analytics
Intune does not show a device map, but you can establish the last-known network context from the console:
Check the last check-in time. Navigate to Devices > Windows > select the device. The Last check-in timestamp tells you how recently the device had MDM connectivity. A check-in within the last hour means the device was online recently and Remote Lock likely worked.
Review the device's IP address history. The device hardware detail shows the last-reported IP. A private RFC-1918 address is not useful for location, but a public IP can be passed to your network/security team for geolocation via ARIN or your SIEM.
Use Endpoint Analytics device timeline (if licensed). Under Reports > Endpoint Analytics, the device timeline shows recent activity events that can help confirm whether the device was actively used before it disappeared.
Check Microsoft Defender for Endpoint (if deployed). MDE's device page shows a more granular activity timeline and, if the device is MDE-onboarded, may include network connection events and the last-seen timestamp down to the minute.
The Real Data-Protection Stack
The honest answer to "what protects data on a stolen Windows PC" is BitLocker, not Find My Device and not Remote Lock. A BitLocker-encrypted drive with the recovery key escrowed to Entra means the data is mathematically inaccessible to the thief even if they remove the drive. Remote Lock and Find My Device are convenience and deterrence; BitLocker is the control that keeps you out of a breach notification.
Enable BitLocker silent encryption with key escrow to Entra before a device leaves the building — this is your primary data-protection control.
Verify Experience/AllowFindMyDevice is set to 1 for standard-user devices where location tracking is acceptable under your privacy policy.
Train the helpdesk to issue Remote Lock immediately when a device is reported missing, while the full incident response starts in parallel.
Use MDE device timeline for the most granular last-seen data if MDE is deployed.
Document the difference between Remote Lock and Remote Wipe in your incident runbook — both exist in the same action menu and a panicked admin should not confuse them.
Don't
Tell users or management that Intune can "track" a lost Windows PC in real time — it cannot.
Rely on Remote Lock as a data-protection control on unencrypted devices; it is screen friction only.
Assume the device received the Remote Lock command if it was offline — check the action status in the console before marking it complete.
Enable location services fleet-wide purely for Find My Device without a privacy impact assessment; many industries and regions require disclosure.
Insights
BitLocker is the only control that survives a powered-off stolen device. Remote Lock, Conditional Access token revocation, and every other network-dependent action assume the device will come online. BitLocker protects the drive whether or not it ever contacts the internet again.
Find My Device is frequently off without anyone knowing. A security baseline that disables Location Services, or a prior GPO migration that set AllowFindMyDevice=0, silently kills the feature. Audit it now.
Remote Lock confirmation is not instant. The Intune console shows "Pending" until the device checks in. If a device is offline for 24 hours, the lock command may sit in the queue for a day — escalate to a wipe if the check-in is not happening.
The last-known IP from Intune is often a VPN or private address. Do not waste time trying to geolocate a 10.x.x.x address. Focus on the BitLocker status and whether the key is escrowed.
MDE outperforms Intune for device location intelligence. If your organization has Defender for Endpoint deployed, the device page in the MDE portal offers a richer last-seen timeline, network events, and alert context that Intune alone cannot provide.
Find the recovery key, unblock a locked-out user, and prove escrow is healthy.
This is the page you open when a user calls the helpdesk because their laptop is sitting at a blue recovery key screen. The theory of BitLocker is covered elsewhere — this page is about the operational reality: where recovery keys live, how to get one in front of a locked-out user in under two minutes, how to rotate a key afterward, and how to prove across your entire fleet that every encrypted device actually has an escrowed key. Getting that last part wrong is how organizations discover their encryption program is fiction.
For the configuration side — enabling silent encryption, escrow prerequisites, and the policy settings that make all of this work — see BitLocker and Disk Encryption. For Graph queries to audit the fleet and rotate keys programmatically, the Useful Graph Calls snippet collection has ready-to-run examples.
Applies toWindows 10/11, Entra-joined and hybrid-joined, BitLocker managed via Intune
RequiresKey must have been escrowed before the device locked — retroactive retrieval is impossible
GotchaA device can be encrypted without an escrowed key if the "require escrow before encrypting" setting was not enforced — check the fleet now, not during an incident
Where Recovery Keys Live
For Intune-managed, Entra-joined devices, recovery keys escrow to the Entra ID device object — not to Intune directly. The path in the admin center is:
Open the Entra admin center. Go to Entra ID > Devices > All devices. Search by device name or serial.
Open Recovery keys. Select the device, then click Recovery keys in the left pane. You will see one or more BitLocker recovery key IDs paired with their 48-digit recovery keys and a timestamp for when they were escrowed.
Match the key ID. The recovery screen on the device shows a Key ID (the first 8 characters of the full key ID). Match that string to the correct row in the Entra recovery keys list. If a device has been wiped and re-enrolled multiple times, there may be several entries — always give the user the key matching the displayed Key ID, not the most recent one blindly.
You can also look up keys from the Intune portal
Navigate to Devices > Windows > select the device > Recovery keys. This is a pass-through to the same Entra key store — useful if you're already in the Intune portal during an incident.
User Self-Service — Point Users Here First
The most common helpdesk BitLocker ticket is one that the user can resolve without calling anyone. Before building a helpdesk runbook, make sure new-hire onboarding tells every employee: if your laptop asks for a recovery key, go to myaccount.microsoft.com on another device, sign in with your work account, navigate to Devices, select the locked device, and click View BitLocker Keys. The 48-digit key is displayed there and can be entered at the recovery screen.
This works only when the key was escrowed — which is exactly why the Intune BitLocker policy must set Store recovery information in Azure Active Directory before enabling BitLocker to Require, not Yes. The distinction matters: Require blocks encryption until escrow succeeds; Yes attempts escrow but lets encryption proceed even if escrow fails. Use Require.
Self-service has one prerequisite the user must meet
The user must be able to sign in to myaccount.microsoft.com from another device — which means their Entra credentials must be working. If the recovery event is also accompanied by a locked account, an IT admin must retrieve the key from the Entra admin center instead.
The self-service view shows only keys for devices where the signed-in user is the registered user. Shared devices (no affinity, kiosk) will not show keys in self-service — those must go through admin retrieval.
Recovery Key Rotation
Once a recovery key has been used — or any time you suspect it may have been seen by an unauthorized person — rotate it. Intune can trigger key rotation remotely:
Navigate to the device in Intune.Devices > Windows > select the device.
Issue the rotation action. Click ... (More) > BitLocker key rotation. The device must be online and policy-compliant for this action to succeed. If the device is offline, the rotation is queued and executes on next check-in.
Confirm the new key escrowed. Wait a few minutes, then return to Entra ID > Devices > [device] > Recovery keys. A new entry with a more recent timestamp should appear. The old key remains in the list (for audit purposes) but the device is now protected by the new key.
Rotate after every Autopilot reset and wipe
When a device is wiped and re-enrolled, BitLocker re-encrypts with a new key and Intune escrows it automatically. Verify the new key exists after every Autopilot reset — a device re-enrolled last week with an empty Recovery keys blade is not protected. Stolen-device runbooks should always include a key rotation as a final step; see the Stolen-Device Playbook for the full sequence.
Auditing Escrow Health Across the Fleet
Knowing that some devices have escrowed keys is not enough. You need to know that every encrypted device has an escrowed key. Intune does not surface this as a single built-in report, so you need to combine two data points: encryption status (from the Intune encryption report) and key presence (from Graph).
Step 1 — Intune Encryption Report
Go to Devices > Monitor > Encryption report. This shows per-device encryption status: Encrypted, Not Encrypted, Not applicable, and the reason code. Filter for Not Encrypted on Windows devices — every device in that list that is assigned a BitLocker policy needs investigation. Common reasons: TPM not ready, third-party encryption detected, silent encryption failed.
Step 2 — Graph Query for Key Presence
The encryption report does not show whether an escrowed key exists. Use the Microsoft Graph informationProtection/bitlocker/recoveryKeys endpoint. A device that appears encrypted in the Intune report but returns no results in this query is encrypted without escrow — a critical gap. The Useful Graph Calls page has the parameterized query that cross-references device IDs from the encryption report against key presence, ready to run in Graph Explorer or PowerShell.
Device State
Encrypted
Key in Entra
Risk
Action
Healthy
✅
✅
None
No action needed
Encrypted, no escrow
✅
❌
Critical — recovery impossible
Force key rotation or re-encrypt with Require escrow
Not encrypted
❌
❌
High — data unprotected
Investigate TPM/policy, re-push BitLocker policy
Not encrypted, old key in Entra
❌
✅ (stale)
High — stale key, disk is open
Investigate why encryption lapsed; re-encrypt
Why "Encrypted-with-Escrow" Is the Only Acceptable State
Encryption without an escrowed key means the drive is protected, but if the user forgets the PIN or the TPM unsealing fails, there is no recovery path. You are locked out permanently. This is not a hypothetical: devices with BIOS updates that reset Secure Boot state, hardware replacements that clear TPM, or failed OS upgrades that trigger BitLocker recovery can all hit this situation. The difference between "inconvenience" and "total data loss" is whether a key was escrowed before the incident. The Personal Data Encryption feature adds a second layer on top of BitLocker for specific folders — that context is useful when your compliance posture requires tiered data protection.
Do
Set Store recovery key before enabling BitLocker to Require in the disk encryption policy — block encryption until escrow succeeds
Point users to myaccount.microsoft.com in new-hire onboarding so they know the self-service path before they need it
Rotate the recovery key after any recovery event and after every Autopilot wipe
Run the Graph escrow-health audit quarterly and after any large enrollment wave
Match Key IDs carefully when multiple keys exist for a device — give the key that matches the displayed ID, not the newest one
Don't
Assume the Intune policy success state means the disk is encrypted and the key is escrowed — it means the policy landed, nothing more
Give users the wrong recovery key — entering an incorrect key three times triggers a full wipe on some hardware configurations
Delete old recovery key entries from Entra manually — they serve as an audit trail
Issue key rotation while the device is at the recovery screen and offline — wait until the user is back in Windows
Skip the escrow health audit after migrating from a third-party MDM or co-management — previous keys may not have migrated
Insights
The recovery-key call is the most common BitLocker helpdesk ticket — make it self-service or it will never scale. Every org that enforces BitLocker eventually sees a spike of recovery key calls when a feature update triggers TPM re-evaluation. A single myaccount.microsoft.com link in your helpdesk chatbot deflects the majority of them.
Encrypted-without-escrow is a silent compliance lie. The device shows Encrypted in the Intune report, the compliance policy marks it Compliant, and Conditional Access lets it through — but a lost device has no recovery path. Run the Graph audit; don't discover this during an incident.
Key ID matching matters more than it looks. If a device has been re-enrolled twice, Entra shows multiple recovery key entries. The recovery screen shows only the Key ID (first 8 chars). If a helpdesk agent gives the wrong key, the user is locked out again and there's a failed-attempt counter on some hardware. Train your team to match, not guess.
Hybrid-joined devices escrow to Entra too — but only when the Intune policy reaches them. A hybrid-joined device managed by both GPO and Intune may have a legacy key in Active Directory (backed up to AD) and a separate key in Entra. Confirm which one is current using the Key ID on the recovery screen. The Intune-managed key takes precedence if the device has MDM escrow configured.
BIOS/firmware updates can change TPM state and trigger unexpected recovery. Some UEFI updates reset Secure Boot variables or TPM PCRs, causing BitLocker to enter recovery at next boot. This is expected behavior — the key is still valid. Warn users before deploying firmware updates and have the self-service portal URL in the notification.
Key rotation is not instantaneous — it's queued. If a device is offline when you trigger key rotation from Intune, the action is queued. The existing key remains valid until the device checks in and completes rotation. This matters for the stolen-device scenario: rotation does not invalidate the old key immediately.
The minute-by-minute runbook when a corporate Windows laptop is reported stolen.
When a user reports their laptop stolen, you have a narrow window where the thief hasn't yet accessed data, attempted to break encryption, or used cached credentials to reach cloud resources. This runbook walks you through the exact sequence an endpoint engineer should execute — from the first phone call to the final audit entry. Windows has no iOS Lost Mode equivalent, so the defensive strategy relies on three things done in advance: BitLocker encryption with key escrow in Entra, token revocation speed, and a pre-queued wipe that executes the moment the device comes online.
Work through this in order. The steps are sequenced so the highest-impact, fastest-to-execute actions come first. Do not skip ahead to the wipe before you've revoked the user's sessions — an active token can access cloud data even while the physical device is offline.
Applies toEntra-joined & hybrid-joined Windows devices managed by Intune
Console pathsIntune admin center > Devices > Windows; Entra admin center > Users
RequiresBitLocker encryption + escrow confirmed before incident; Intune P1/P2 or EMS
GotchaWipe is queued — it only executes when the device next checks in. Never assume it ran immediately.
The Runbook — Execute in Order
Step 1Verify encryption & escrowConfirm BitLocker is on and the key is escrowed before taking any other action
Step 2Revoke user tokens & disable accountCut off cloud access immediately — this is faster than a wipe and works even when the device is offline
Step 3Remote Lock & queue the wipeLock the device if it's online, then issue Wipe so the next check-in wipes it
Step 4Document & close the loopRotate the BitLocker key, file the legal/insurance record, and retire the device object
Step 1 — Confirm Encryption and Key Escrow
Open the device record. In the Intune admin center, go to Devices > Windows, find the device, and click Encryption report or open the device blade and select Recovery keys. Confirm that Encryption status shows Encrypted and that at least one recovery key is listed.
If no key is escrowed, escalate immediately. An encrypted disk without an escrowed key is still protected, but you have no recovery option. If the device shows Not encrypted, treat this as a potential data breach and notify your security team now — the rest of this runbook still applies but you cannot guarantee data protection.
Screenshot the encryption state and key ID. Paste into your incident ticket. You'll need this for legal documentation and to prove due diligence.
Step 2 — Revoke Sessions and Disable the User
Do this before anything else
Active Entra tokens survive device loss. A thief with a cached access token can reach Exchange, SharePoint, and Teams until the token expires (up to 1 hour for access tokens, longer for refresh tokens).
Revocation is near-instant; a wipe may be hours away.
Revoke all user sessions. In the Entra admin center > Users > find the user > Revoke sessions. This invalidates all refresh tokens immediately. Access tokens already issued will continue to work until their short TTL (typically 60–75 minutes) expires — you cannot shorten that window without disabling the account.
Disable the user account. On the same blade, click Edit and set Account enabled to No. This blocks all new sign-ins, including token refresh. Coordinate with HR/legal before doing this if the user is still employed — but for a confirmed theft, disable first and sort the HR discussion afterward.
Review Conditional Access policies. If your CA policies include a "compliant device" requirement, a device that drops off-network and fails to check in will eventually be marked non-compliant, automatically blocking resource access. Confirm the grace period on your compliance policy so you know how long that backstop takes to kick in.
Remove any CA named-location exclusions that apply to this user. A stolen device in a coffee shop may appear to come from an "unknown" location, but revocation is more reliable than location-based blocking.
Step 3 — Remote Lock, Then Queue the Wipe
Issue Remote Lock. In the Intune device blade, click Remote lock. On Windows, this triggers a PIN lock (the device must have a PIN set). Remote Lock works only if the device is online at the moment of execution — it is not queued. If the device is offline, the lock will not apply until the next check-in, at which point the queued wipe will execute first anyway.
Decide: Wipe vs Retire. See the comparison table below. For a stolen device, Wipe is almost always correct — it returns the device to factory state and removes all corporate data. Retire only removes MDM enrollment and company data, leaving personal data intact. On a corporate-owned stolen device, there is no personal data argument for Retire.
Issue the Wipe. In the device blade, click Wipe. Uncheck Retain enrollment state and user account (you want a full factory reset). The wipe is queued and will execute on next MDM check-in. For details on what each action does at the OS level, see the Remote Actions page.
Note the pending action status. The device blade will show a pending action indicator. Check back in 24 hours to confirm the wipe executed. If the device never checks in (thief keeps it offline or re-images it), the wipe never runs — which is why BitLocker encryption is the real data-protection control.
Wipe vs Retire vs Fresh Start — Choose the Right Tool
Action
What it does
Corporate data removed
Personal data removed
Re-enrollable
Use for theft?
Wipe
Factory reset — OS reinstall
✅
✅
✅ (clean slate)
✅ Yes
Retire
Remove MDM + company data only
✅
❌
✅
❌ No
Fresh Start
Reinstalls clean Windows, keeps user data
✅
❌ (user files kept)
✅
❌ No
Autopilot Reset
Resets to OOBE, keeps Entra join
✅
✅
✅
❌ Only if device recovered
Step 4 — Document, Rotate, and Retire
Rotate the BitLocker recovery key. After confirming the wipe is pending or executed, go to the device blade > Recovery keys and confirm the key was escrowed. Then, from Devices > Windows > the device > BitLocker key rotation (if available) — or, if the device has wiped and re-enrolled, new keys will be generated automatically on the next encryption cycle. For devices that never come back online, the old escrowed key is effectively dead with the wipe, so rotation is moot.
File the legal and insurance record. Document: device serial number, Entra device ID, last check-in timestamp, encryption confirmation, session-revocation timestamp, wipe-issued timestamp, and the name of the engineer who executed each step. Most cyber insurance policies require evidence of prompt response and encryption-at-rest.
Retire the device object once the wipe confirms. After the wipe executes, the device will re-appear as a fresh Autopilot device or remain as a stale object. Delete the old device record from Entra and Intune to avoid stale object drift. If the device is being replaced, order a new serial through your OEM channel and register it in Autopilot.
Re-enable the user account once they have a replacement device in hand, and force a password reset. Re-issue device credentials through your standard Autopilot onboarding flow.
Do / Don't
Do
Revoke sessions in Entra before anything else — it's the fastest control that works offline
Confirm BitLocker + escrow are healthy on every device before an incident (run the encryption report proactively)
Issue Wipe, not Retire, for corporate-owned stolen devices
Document every action with timestamps for legal/insurance
Check back in 24 hours to verify the wipe executed
Rotate the BitLocker key ID in your records once the device wipes and re-enrolls
Don't
Assume the wipe ran immediately — it's queued until next check-in
Skip session revocation because the wipe is "coming" — tokens outlive devices
Use Retire on a stolen corporate device — it leaves the OS intact and accessible
Delete the device object from Intune before confirming the wipe executed (you'll lose the action queue)
Assume BitLocker means you don't need to act — revoke sessions anyway; data also lives in the cloud
Wait for HR approval before revoking sessions on a confirmed theft — revoke first, explain second
Insights
Encryption is your data-breach backstop, but tokens are the active threat. A BitLocker-encrypted disk protects offline data. An active Entra refresh token lets a thief (or malware running on the stolen device) reach cloud resources in real time. Revoke first, wipe second.
The wipe queue is invisible to the thief but visible in the console. You'll see "Wipe (pending)" in the device blade. The device will wipe on the next MDM check-in — which may never happen if the thief keeps it offline or re-images it externally. Encryption remains the guaranteed control.
Conditional Access is a slow backstop, not a fast response tool. Your CA "compliant device" grant condition will eventually block a device that stops checking in, but the default grace periods on compliance policies mean that could be hours or days after the theft. Use session revocation for immediate effect and treat CA as the belt-and-suspenders layer.
No escrowed key = potential breach notification. If a stolen device was not encrypted with escrow, you may have a reportable data breach depending on jurisdiction and data classification. Treat it that way until proven otherwise. This is the strongest argument for auditing BitLocker escrow health proactively, not reactively.
Device object hygiene matters post-incident. Leaving a stale "wiped" device object in Entra and Intune muddies compliance reports and can cause dynamic group membership issues. Delete the old object once the wipe confirms, before the replacement device enrolls.
What the lost-laptop tickets teach you over a few hundred incidents.
A few hundred lost-laptop tickets later, the patterns are unmistakable. The real security control is encryption, the real operational pain is BitLocker recovery calls, and the real gap in most tenants is the assumption that "the device is locked" means "the data is safe." This page distills what those incidents teach — the things that never make the architecture diagrams but always come up at 2 a.m.
Encryption is the control; the lock is theater. A lost laptop with BitLocker enforced and the key escrowed to Entra is a non-event — the drive is unreadable without the recovery key. A lost laptop that was supposed to be encrypted but the compliance policy hadn't yet evaluated, or silent encryption failed silently due to a missing TPM or a third-party FDE product blocking the stack, is a reportable breach. Audit escrow health proactively via Graph, not reactively after the call. See BitLocker Recovery and Key Escrow for the fleet-wide escrow audit query.
Tokens outlive devices — revoke sessions before you do anything else. The moment a theft is confirmed, go to Entra ID and revoke the user's refresh tokens (Entra admin center > Users > user > Revoke sessions). An active token in a browser session on that device — or cached on the attacker's infrastructure — can authenticate to Microsoft 365 and other cloud resources independently of whether the device is wiped or locked. Conditional Access token revocation propagation is near-real-time for Entra-aware apps, but some thick clients still have cached tokens with hours of lifetime. Disable the account if compromise is suspected.
Find My Device is off by default and often killed by policy. The Windows "Find my device" feature (Settings > Privacy & security > Find my device) requires a Microsoft account, location services on, and an administrator account — none of which are standard on a corporate Entra-joined device. More importantly, many security baselines disable location services or the consumer Microsoft account stack entirely, so the feature is silently non-functional. The practical corporate locating tool is Intune's last check-in timestamp and approximate location from Endpoint Analytics — useful for confirming a device is in a foreign city, not for real-time GPS recovery. See the stolen-device playbook for when to use each signal.
Wipe is queued, not instant — online status is everything. The Intune Wipe action is queued in the service and delivered on next MDM check-in. If the device is offline (stolen and powered off, or attacker has it in airplane mode), the command sits in the queue until it connects. This is fine — the drive is encrypted — but engineers sometimes treat a queued wipe as a completed wipe and close the ticket. Build your runbook so closure requires confirmed wipe completion in Intune, not just command issuance. Retire vs Wipe vs Fresh Start each have different data guarantees; know which you're sending.
The recovery-key call is the single most common helpdesk hit in this section — make it self-service. BitLocker recovery screens appear for reasons entirely unrelated to theft: a BIOS update, a TPM counter rollover, a failed Windows Update, Secure Boot changes. Every one of those events generates an inbound call. The fix is the MyAccount self-service recovery key portal (myaccount.microsoft.com > Devices > View BitLocker keys) — users can retrieve their own key on a phone without ever calling IT. Enable this proactively and include it in your device-onboarding user comms. It deflects the vast majority of recovery incidents before they reach the queue.
Recovery key rotation after an incident is mandatory, not optional. Once a recovery key is read — by IT, by the user, or retrieved from the portal — that key should be considered disclosed. Rotate it immediately: the Intune Rotate BitLocker keys remote action triggers a new key generation and re-escrowed to Entra. Failure to rotate means the disclosed key remains valid indefinitely. This is especially critical for devices returned after the incident (borrowed, recovered from lost-and-found) and re-issued to users.
Conditional Access is your access revocation lever, not just a compliance gate. Engineers think of Conditional Access as a policy that blocks non-compliant devices at sign-in. The less-obvious operational use is as an emergency revocation tool: adding the user to an exclusion group from your "compliant device required" policy, or enabling a named location block, can cut off access in seconds while you manage the incident. Keep a documented break-glass procedure for CA manipulation during theft response — and verify you have the RBAC rights before the incident, not during it.
Unmanaged gaps surface at the worst moment. The devices that show up as "lost" with no Intune record are the ones enrolled by accident, migrated from a different tenant, co-managed with a GPO hold, or enrolled but scope-tagged to the wrong group and invisible to the responding team. Build a monthly hygiene check: devices with no check-in in 30+ days, devices without BitLocker compliance, devices without a recovery key in Entra. The BitLocker escrow audit query catches the encryption gap; the compliance report catches the rest.
The same Apple foundation as iOS — ABM, Managed Apple Accounts, and what Macs need from it.
Apple Business Manager is the starting point for every managed Mac fleet. It is the portal where you enroll your organization, assign devices to Automated Device Enrollment (ADE), purchase and distribute apps through Apps & Books (VPP), and federate Managed Apple Accounts with Entra ID. The ABM foundation is the same across iOS and macOS — the same D-U-N-S number, the same portal, the same enrollment token fed into Intune — but the Mac deployment has its own angles that trip up engineers who set up iOS first and assume everything translates cleanly.
If you have already walked through the full ABM onboarding for iOS, the Apple Business Manager page covers D-U-N-S registration, initial administrator setup, and the MDM server link in detail. This page focuses on what is Mac-specific: ADE device assignment for Macs, VPP for the Mac App Store, and how Managed Apple Accounts behave on macOS. For a broader view of the Apple management architecture underpinning both platforms, see The Shared Apple Foundation.
Applies tomacOS 11 Big Sur and later (ADE); macOS 10.15+ (VPP)
Portalbusiness.apple.com — requires existing Apple ID or new account
RequiresD-U-N-S number, Apple MDM Push Certificate, ABM enrollment token in Intune
GotchaMac App Store VPP licenses must be purchased per-seat in ABM; most Mac apps are deployed as .pkg, not App Store
Getting Into ABM: D-U-N-S Onboarding
Apple requires a D-U-N-S number — a Dun & Bradstreet business identifier — to register any organization in ABM. The process is the same whether you are enrolling for Mac management, iOS, or both. Navigate to business.apple.com, click Get Started, and Apple will verify your business using the D-U-N-S number. If your organization does not yet have one, Dun & Bradstreet issues them free; Apple's enrollment page links you to the lookup. Verification typically takes one to three business days but can stretch to a week for newly registered businesses. Do not start this the day before a deployment.
Once the organization is verified, the initial ABM administrator account is tied to a Managed Apple Account — not a personal Apple ID. Keep the administrator credentials under your IT team's control, not an individual's personal email. Losing access to the admin account means a support engagement with Apple to recover the organization.
Assigning Macs for Automated Device Enrollment
ADE (formerly DEP) is what allows a Mac to enroll into Intune automatically during Setup Assistant, supervised and with locked management — the Mac counterpart of iOS's zero-touch enrollment. Devices appear in ABM through two routes:
Reseller/Apple direct purchase. Macs purchased from Apple or an authorized reseller with your ABM customer number are automatically linked to your organization. The serial numbers appear in ABM within 24 hours of shipment. This is the preferred path for new hardware — zero manual work.
Apple Configurator 2 (for existing Macs). Macs already in the field can be added to ABM using Apple Configurator 2 on another Mac. The existing Mac must be factory-reset or the process run from macOS Recovery. This path is acceptable for small numbers; it does not scale gracefully to hundreds of machines.
Once Macs are visible in ABM under Devices, assign them to your MDM server (the Intune enrollment program token you linked) under Device Assignments. In Intune, those serials then appear under Devices > Enrollment > Apple > Enrollment program tokens > your token > Devices. You assign them to an ADE enrollment profile from there.
Sync delay is real
After purchasing Macs from Apple, allow up to 24 hours for the serials to appear in ABM, and up to another 15 minutes after ABM assignment for them to sync into Intune. Do not build a same-day activation dependency on the ABM sync.
Apps & Books: VPP for Mac
Apps & Books (formerly the Volume Purchase Program) lets you purchase and distribute Mac App Store apps to managed devices without requiring a personal Apple ID on the device. Licenses are assigned per-device or per-user, and Intune handles the silent install once the VPP token is connected.
VPP assignment type
How it works
Best for
Device-based
License assigned to device serial; no Apple ID required on device
Shared Macs, devices without a logged-in user, apps that need to pre-install before sign-in
User-based
License assigned to Managed Apple Account; user gets app on any enrolled device
Named-user Macs where Managed Apple Accounts are in use
Device-based VPP is the safer default on managed Macs — it removes the dependency on a Managed Apple Account being present and authenticated. For device-based assignment to work, the Mac must be enrolled in MDM and supervised. ADE satisfies this automatically.
Most Mac apps are not in the App Store
Enterprise staples like Chrome, Zoom, Slack (the full-featured version), and hundreds of others are distributed as .pkg or .dmg installers — they are not available as VPP App Store apps.
Expect VPP to cover a minority of your Mac app catalog. The majority of Mac software is deployed via .pkg using shell scripts, line-of-business app types, or a tool like Installomator.
Do not design your deployment assuming VPP replaces package management — it does not. Plan for both tracks from the start.
Connecting the VPP Token to Intune
Download the VPP token from ABM. In ABM, go to Settings > Apps and Books > select the location token > Download. Save the .vpptoken file.
Upload to Intune. In Intune, go to Tenant administration > Connectors and tokens > Apple VPP tokens > Create. Upload the token and set the country/region to match your ABM location.
Sync. After upload, Intune syncs the purchased apps. Apps appear under Apps > macOS with type iOS/iPadOS or macOS app (App Store).
Assign apps. Assign the VPP app to a device or user group, choosing device or user licensing. Required assignments push the install silently; available assignments appear in the Company Portal.
One VPP token per ABM location
ABM supports multiple locations (e.g., separate purchasing buckets for different regions or cost centers). Each location generates its own VPP token. Upload each token separately into Intune if you use multiple locations — licenses are not shared across them.
Managed Apple Accounts on Mac
Managed Apple Accounts (MAAs) are organizationally owned Apple accounts created and controlled through ABM, as distinct from personal Apple IDs. On iOS they enable iCloud features under MDM control. On Mac their role is narrower but still relevant.
You are running Platform SSO with Entra and want iCloud Drive, Keychain, or App Store sign-in under corporate controlUse Managed Apple AccountsMAAs give you iCloud storage and App Store access without personal Apple IDs; federation with Entra makes provisioning automatic
Your Mac deployment is pkg-based apps only, no iCloud, no App Store sign-in needed from the userSkip MAAs for nowADE enrollment and device-based VPP do not require users to sign in with any Apple ID; MAAs add complexity without benefit if the user never needs an App Store account
You are deploying to education or a regulated environment that already uses Apple services heavilyFederate MAAs with EntraFederation creates MAAs automatically from Entra users and keeps account lifecycle in sync with your identity provider
Federating Managed Apple Accounts with Entra ID
Federation links your Entra ID domain to ABM so that Managed Apple Accounts are created and deprovisioned automatically as users are added or removed from your directory. The setup lives in ABM under Settings > Identity Provider.
Verify your domain in ABM. Add and verify the domain you use for Microsoft Entra (e.g., contoso.com) in ABM under Settings > Accounts > Managed Apple Account domains.
Connect Entra as the identity provider. In ABM, select Settings > Identity Provider > Connect > choose Microsoft Entra ID. ABM walks you through an OAuth consent flow in your Entra tenant.
Set the MAA username format. ABM generates MAA usernames in the format user@appleid.contoso.com — note the extra subdomain. Entra users log in with user@contoso.com; the MAA is a parallel account, not the same credential. Make sure users and helpdesk understand this distinction.
Test with a pilot user. Verify that a test Entra user has a Managed Apple Account created in ABM and that they can sign into the Mac's App Store with that account — not their personal Apple ID.
MAA federation does not replace Platform SSO
Managed Apple Account federation controls Apple service access (App Store, iCloud). It is not the same as Platform SSO, which controls the macOS login window and Entra token issuance to apps.
You need both if you want full single-sign-on to Microsoft and Apple services. Deploy Platform SSO first; add MAA federation when you need App Store or iCloud features under corporate control.
On Mac, the two systems coexist but are configured and managed separately. See the macOS Management Overview for how these layers stack.
What ABM Does and Doesn't Give You on Mac
Capability
ABM provides it?
Note
ADE (supervised, locked enrollment)
✅
Requires Mac assigned in ABM and ADE profile in Intune
Mac App Store app distribution (VPP)
✅
Device-based VPP is the practical default
.pkg / script-based app deployment
❌
Managed by Intune directly; ABM is not involved
Managed Apple Account lifecycle
✅
With Entra federation, creation/deletion is automatic
iCloud storage for corporate data
✅ with MAA
Organizationally owned iCloud storage linked to MAA
Apple Business Essentials MDM
❌
ABM and Intune are separate; ABM is the identity/device portal, Intune is the MDM
Insights
Plan for pkg-first, VPP-as-exception. Walk any Mac app catalog through the App Store check before building your deployment plan. You will typically find 10-20% of your apps available as VPP; the rest need .pkg delivery via Intune shell scripts or the LOB app type.
The ABM enrollment token expires annually and breaks ADE when it does. Calendar the renewal before it lapses — a lapsed token means new Macs do not get their ADE profile at Setup Assistant and enroll as user-approved instead, losing supervision.
Device-based VPP licenses do not require a user to be signed in. This is the killer feature for Macs that sit in a lab, conference room, or shared workspace: software installs silently during provisioning before anyone logs in, with no Apple ID prompt.
Federation is a one-time domain claim — get it right. Federating a domain in ABM claims it; you cannot partially federate. If you have subdomains in use across different ABM organizations (e.g., a subsidiary), sort out domain ownership before starting federation or you will block the other organization's users.
The MAA subdomain trips up end users. Users logging into the App Store with a Managed Apple Account use firstname.lastname@appleid.contoso.com. This surprises people expecting their Entra address. Brief your helpdesk and include it in the Mac onboarding guide.
ABM device assignment does not survive an erase if the Mac was never released. If you wipe and reprovision a Mac that was originally assigned in ABM, the ADE assignment persists. If a user factory-resets a Mac that was released from ABM, it is no longer supervised — re-add the serial and re-assign before reprovisioning.
The APNs push certificate and the ABM enrollment token that bind Macs to your tenant.
Before a single Mac can receive a policy, two connectors must be in place in your Intune tenant: the Apple MDM Push (APNs) certificate and the ABM Automated Device Enrollment (ADE) token. Miss or expire either one and management stops — APNs silently drops push notifications and devices fall dark, or newly shipped Macs miss their enrollment profile and boot straight to the Setup Assistant without supervision. Getting both right, and keeping them renewed on schedule, is the unglamorous backbone of every Apple deployment.
Both connectors are shared infrastructure across iOS and macOS. If you have already configured them for iPhone and iPad management, your Macs ride the same certificate and token — you do not create separate ones. This page focuses on the Mac-specific angles and the renewal discipline that bites teams every year. For the full step-by-step handshake on the initial setup, see the iOS guides linked at the end of each section.
Applies tomacOS (all versions managed by Intune), iOS/iPadOS (shared cert)
Console path (APNs)Tenant administration > Apple MDM Push certificate
Console path (ADE token)Devices > Enrollment > Apple > Enrollment program tokens
RequiresIntune Service Administrator or Global Administrator; Apple ID dedicated to IT
GotchaBoth expire annually; the Apple ID used to create the APNs cert must be used to renew it — never the same cert with a different Apple ID
The APNs Push Certificate
The Apple MDM Push certificate lets Intune send wake-up nudges to Macs (and iPhones) over Apple's push network. Without it, Intune cannot instruct a device to check in, install apps, or apply policy. The certificate is tenant-wide — one cert covers all Apple platforms.
Step 1Download the CSRIn Intune: Tenant administration > Apple MDM Push certificate > Download your CSR — saves an .csr file.
Step 2Sign at AppleLog in to identity.apple.com/pushcert with your IT Apple ID, upload the CSR, download the resulting .pem file.
Step 3Upload the PEMBack in Intune, upload the .pem and enter the Apple ID used to sign it — Intune stores this for renewal reminders.
Step 4Confirm and calendarThe console shows the expiry date (365 days out). Add a calendar event at 330 days to begin renewal before any grace-period risk.
Same Apple ID, every renewal — no exceptions
Apple ties the push certificate to the Apple ID that signed it. Renewing with a different Apple ID creates a new certificate with a new topic UID.
Any device enrolled under the old cert loses MDM communication permanently — no silent fallback, no re-push. Devices must be re-enrolled.
Use a shared IT mailbox (e.g. mdm-appleid@contoso.com), not an individual's personal or work account.
For the full certificate handshake walkthrough and a diagram of how APNs fits into the MDM protocol, see the Apple MDM Push Certificate (APNs) page in the iOS guide — the mechanics are identical for Mac.
The ABM Enrollment Program Token
The ADE enrollment token is a .p7m file that creates a trust relationship between your ABM organization and your Intune tenant. Without it, Intune cannot pull the list of ABM-assigned Macs, and those devices will not receive an ADE enrollment profile at Setup Assistant. One Intune tenant can hold multiple tokens (for multiple ABM organizations or DEP resellers), but each ABM org maps to exactly one token.
Navigate to the token console. Go to Devices > Enrollment > Apple > Enrollment program tokens > Add.
Download the Intune public key. Click Download your public key — this produces a .pem file you will upload to ABM.
Create the server in ABM. In ABM (business.apple.com), go to Settings > Device Management Settings > Add MDM Server. Upload the Intune .pem. Name it something durable like Intune-Production.
Download the server token. In ABM, click Download Token for the server you just created. This is the .p7m file.
Upload to Intune. Back in the Intune wizard, upload the .p7m, enter the Apple ID of the ABM administrator account used, and complete the wizard.
Sync devices. After the token uploads, click Sync to pull ABM-assigned serials into Intune. Large orgs can take several minutes; Apple rate-limits sync to once every 15 minutes.
Assign Macs to your MDM server in ABM before they ship
A Mac that has already completed Setup Assistant cannot receive a new ADE assignment without an Erase & Reinstall or MDM-triggered wipe. Tell procurement to set your ABM MDM server as the default assignment for Mac orders so new hardware arrives ABM-assigned from day one.
For the detailed integration walkthrough including the ABM-side navigation and reseller device assignment, see Integrate Apple Business Manager with Intune — the steps map 1:1 for Mac.
Mac-Specific Gotchas
Scenario
What happens
Fix
APNs cert expires
Devices stop checking in; policies and apps stall silently
Renew the cert — devices recover without re-enrollment once renewed with the same Apple ID
APNs cert renewed with a new Apple ID
All enrolled devices lose MDM permanently
Re-enroll all devices; no recovery path without touching each machine
ADE token expires (also annual)
Intune cannot pull new serial assignments; existing enrolled devices are unaffected
Renew token in ABM and re-upload .p7m to Intune
Mac not appearing after ABM sync
Serial not assigned to your MDM server in ABM, or sync hasn't run yet
Check ABM device assignment; manually trigger sync; wait up to 15 min
Mac boots to Setup Assistant without ADE
No enrollment profile assigned, or device completed Setup Assistant before ADE assignment
Erase & Reinstall (Recoverymode or Intune remote wipe if enrolled)
Renewal Discipline
Annual renewal is the single biggest operational failure mode across Apple fleets. Both the APNs certificate and the ADE token expire on the same 365-day cadence. Teams that manage iOS already know this pain; Macs are covered by the same certificate but often overlooked when it comes to the ABM token.
Do
Use a shared IT service account Apple ID, not a personal or departing-employee Apple ID
Calendar both renewal windows at 330 days — before the 30-day warning in the Intune console
Renew the APNs cert using the same Apple ID that created it; the Intune console shows which account was used
Renew the ADE token by downloading a fresh .p7m from ABM for the same MDM server entry
Test a device check-in immediately after renewal to confirm APNs is healthy
Document the Apple ID, its MFA recovery, and token renewal steps in your runbook
Don't
Let individuals sign up for the Apple ID — account recovery becomes an IT emergency when someone leaves
Create a new MDM server entry in ABM at renewal time — that invalidates device assignments
Ignore the Intune banner warning at 30 days; treat it as a P1 task
Assume iOS renewal covers the Mac ADE token — they are separate .p7m files
Delay past expiry hoping devices stay managed — APNs-dependent features break immediately on cert expiry
Verifying Both Connectors Are Healthy
Check certificate status.Tenant administration > Apple MDM Push certificate — confirm status is Active and the expiry date is >30 days out.
Check token status.Devices > Enrollment > Apple > Enrollment program tokens — each token shows Active or the expiry date.
Trigger a sync and count serials. Click Sync on the token and compare the device count in Intune against your ABM assignment list.
Test push delivery. Select a managed Mac in Devices > macOS, click Sync on that device, and confirm Last check-in refreshes within a few minutes.
If APNs push is failing at the network level — firewalls blocking Apple's courier.push.apple.com range or port 443/5223 — see Network and APNs Issues on Mac for the full troubleshooting flow.
Insights
The Apple ID is a single point of failure. Loss of access to the Apple ID used for the APNs cert means you cannot renew it — only creation of a new cert, which invalidates all enrolled devices. Treat that account like a root credential.
ADE token expiry is quieter than APNs expiry. Enrolled Macs keep working after the token expires; only new enrollments break. That makes it easy to miss until the next batch of hardware ships and nothing enrolls.
The 15-minute ABM sync rate limit surprises people. After assigning a serial in ABM, engineers often hit Sync three times and wonder why the device isn't appearing. One sync, then wait.
Multiple ABM orgs are fully supported. Organizations that have acquired companies or run separate ABM accounts for different business units can add multiple tokens to one Intune tenant — each token maps to its own set of serials and enrollment profiles.
Pre-assignment is everything. A Mac that completes Setup Assistant before ABM assignment cannot be retrospectively supervised without a wipe. The procurement workflow matters as much as the Intune config.
Build the automated device enrollment profile that supervises and locks Macs to management.
The ADE enrollment profile is the object that tells every Mac assigned in Apple Business Manager how to present Setup Assistant, whether to bind the device to a specific user, and whether the management profile can ever be removed. It is the single configuration that determines whether your Mac fleet is genuinely supervised and locked to management — or merely enrolled in a mode a determined user can delete. Get it right once; every Mac that comes out of ABM will follow it automatically.
Unlike iOS, macOS ADE profiles carry a few extra decisions — specifically around the local primary account that gets created during Setup Assistant and whether your organization relies on Platform SSO or directory binding to handle identity afterward. This page walks the full profile creation path. For the conceptual background on why ADE is always the right enrollment path for corporate Macs, see Automated Device Enrollment for Mac.
Applies tomacOS 11 Big Sur and later (macOS 12+ strongly recommended)
Console pathDevices > Enrollment > Apple > Enrollment program tokens > [your token] > Profiles
RequiresIntune Plan 1; ABM token synced; APNs certificate valid; devices assigned to Intune in ABM
GotchaA Mac must be erased and re-enrolled for a new profile to take effect — profile changes do not apply to already-enrolled devices mid-lifecycle
User Affinity vs. No Affinity
This is the first decision in the wizard and it shapes how the Mac is tracked and how policies are delivered. Pick wrong and you will rebuild the profile.
Option
Use it when
What Intune does
Enroll with user affinity
Corporate Mac assigned to a named employee
Setup Assistant authenticates the user via Company Portal; device associates with that Entra user; user-targeted policies and apps apply
Enroll without user affinity
Shared Mac, lab device, or device managed at the device level only
No user association at enrollment; only device-targeted policies apply; Company Portal is optional for app installs
Enroll with user affinity — no Setup Assistant auth
Platform SSO deployments where the user registers after first login
Affinity is set via Company Portal after enrollment; avoids a second login prompt in Setup Assistant when PSSO handles identity
Platform SSO changes the affinity calculus
If you are deploying Platform SSO (the recommended modern Mac identity approach), choose Enroll with user affinity and configure authentication via the Company Portal app, not via Setup Assistant. This avoids a double-authentication UX where the user signs in once during Setup Assistant and again when PSSO registers. See the next page in this guide for the full Platform SSO deployment walkthrough.
Create the Profile — Step by Step
Step 1Open the tokenNavigate to your ABM enrollment token and launch the macOS profile wizard
Step 2Set affinity and supervisionChoose user affinity model; supervision is always on for ADE
Step 3Configure Setup AssistantSkip panes, set account type, and tune the enrollment UX
Step 4Assign serialsAssign devices in the token view; sync to pick up new ABM assignments
Navigate to the token. Go to Devices > Enrollment > Apple > Enrollment program tokens and click your ABM token. Select Profiles > Create profile > macOS. The iOS and macOS profile types are separate; always confirm you are in the macOS path.
Name the profile meaningfully. Use a name that encodes the population, e.g. ADE-macOS-UserAffinity-Corporate or ADE-macOS-NoAffinity-Lab. You will accumulate multiple profiles and generic names cause incorrect device assignments.
Set User Affinity. Choose the appropriate option from the table above. For most corporate deployments this is Enroll with user affinity. If you are uncertain, choose affinity — it is easier to move to no-affinity than to add affinity later, and user-targeted apps will not work without it.
Supervised is always Yes for ADE. macOS ADE devices are always supervised. There is no toggle — it is automatic. Supervision enables MDM restrictions, prevents profile removal, and is required for many configuration profile payloads. This is one of the primary reasons ADE is mandatory for corporate Macs.
Set Locked enrollment to Yes. This makes the MDM management profile non-removable by the user. The setting is called Locked enrollment in the profile wizard. Without this, a standard user can unenroll the Mac from System Settings > Privacy & Security > Profiles. Always enable it for corporate devices.
Configure the local primary account. Under Account settings, choose how Setup Assistant creates the initial local macOS account:
Setup automatically with user data — Setup Assistant prompts the user to create a local account. The local username and full name come from what the user types, not from Entra. This is the standard path when Platform SSO will later link the local account to Entra identity.
Create as administrator / standard user — Sets the privilege level of the account created during Setup Assistant. Choose Standard for most users; admin is a significant security concession. See local account strategies for the full discussion of admin-vs-standard and Platform SSO interactions.
No account (no-affinity profiles only) — skips local account creation entirely. Used for shared or lab Macs where you control the local account through a separate configuration profile or directory binding.
Configure Setup Assistant pane skipping. Each toggle in the Setup Assistant section hides one screen from the user during first boot. The right answer depends on your deployment, but the common set to hide:
Privacy — Hide. Pre-answer with MDM policy; showing the dialog creates inconsistent state and user confusion.
Location Services — Hide and set to Off via configuration profile if your policy disables location.
FileVault — Hide. Manage FileVault silently via Intune's disk-encryption policy; do not hand the user a recovery key they will lose.
Siri — Hide if your policy disables Siri; otherwise leave visible.
iCloud / Apple ID — Hide if using Managed Apple Accounts from ABM; the user should not sign in with a personal Apple ID on a corporate Mac.
Registration — Hide. Always.
Appearance (Dark/Light mode) — Optional; harmless to leave visible but adds a step.
Review and create the profile. Click through to Review + Create. The profile now exists but has no devices assigned to it.
Assign devices. Back in the token view, go to Devices, select the serial numbers you want to target, and click Assign profile — then choose the profile you just created. For new Mac purchases: in ABM, assign the serial to your MDM server (Intune); the device will appear in the token's device list after the next sync (sync manually with the Sync button or wait up to 15 minutes).
ADE vs. User-Approved Enrollment
macOS allows a second enrollment path: the user downloads Company Portal and enrolls manually. This is called User-Approved MDM (or user-initiated enrollment). It is emphatically not the same as ADE.
Capability
ADE (Automated)
User-Approved (Manual)
Supervised
✅ Always
❌ Never on macOS
Locked enrollment (non-removable MDM)
✅ When configured
❌ User can remove at any time
Setup Assistant customization
✅ Full pane control
❌ None — device already set up
Zero-touch deployment
✅
❌ Requires user action
Requires ABM device assignment
✅
❌ Any Mac can enroll
Suitable for corporate fleet
✅
❌ BYOD or dev-opt-in only
User-Approved enrollment is not a corporate management story
Without supervision, dozens of MDM configuration payloads are unavailable or user-revocable on macOS.
A user can remove a non-locked MDM profile at will — your compliance, FileVault key escrow, and security controls disappear instantly.
Reserve user-approved enrollment for BYOD scenarios where you manage data with App Protection Policies, not the device itself. If you are issuing the hardware, it must go through ABM and ADE.
Common Failure Modes
Profile not applying at Setup Assistant
Device shows generic macOS Setup Assistant instead of enrollment flow: The serial is not assigned to Intune in ABM, or the ABM-to-Intune sync has not completed. In ABM confirm the device is assigned to your MDM server; in Intune click Sync on the token, then wait 5–10 minutes and erase the Mac again.
Profile assigned but enrollment fails mid-Setup: APNs certificate has expired, or the Mac cannot reach Apple's ADE activation servers (identity.apple.com, deviceenrollment.apple.com). Confirm APNs validity and network access before reprovisioning.
Locked enrollment not working — user can still remove the profile: The Locked enrollment toggle was not set, or the Mac was enrolled via user-approved MDM rather than ADE. ADE re-enrollment is required; there is no retrofit path.
Wrong profile applied (iOS profile attached to Mac): Verify you created the profile under the macOS type in the token wizard. An iOS profile cannot apply to a Mac and the device gets an error at activation.
Insights
Locked enrollment is not optional for corporate Macs. Every year, some org discovers that a power user unenrolled their MacBook and has been running unmanaged for months. The toggle is right there in the profile — turn it on.
The local account created in Setup Assistant and the Entra identity are different things. Without Platform SSO, the user ends up with a local account and a separate browser session for Microsoft apps. Platform SSO closes this gap — deploy it immediately after the ADE profile is solid.
Hide FileVault in Setup Assistant and manage it silently. If the user sees the FileVault pane they may set a personal recovery key that never escrows to Intune. Suppress the pane and deliver a disk-encryption policy that silently enables FileVault and escrows the key to Entra.
Do not skip the Apple ID / iCloud pane if Managed Apple Accounts are not in place. Hiding the pane stops the prompt but does not prevent the user from signing in later via System Settings. A full Managed Apple Account deployment through ABM federation with Entra is the correct solution; suppressing the pane without that is a half-measure.
Serial assignment in ABM, not just in Intune. The device must be assigned to your MDM server in ABM. Assigning a profile in Intune alone does nothing if ABM still shows the serial assigned to Apple School Manager or a prior MDM. This is the single most common cause of ADE activation failures on Macs.
Profile changes do not retroactively affect enrolled Macs. If you tighten a Setup Assistant pane or change the account type, it only applies to Macs that erase and re-enroll. Track your profile version and the build of devices enrolled under each version — otherwise you will have a mixed fleet with inconsistent enrollment posture.
Make the Mac login itself an Entra sign-in with Platform SSO — the centerpiece of a modern Mac build.
Platform SSO is not a nice-to-have — it is the feature that finally makes a corporate Mac feel like a corporate device. Without it, users maintain a local macOS password that has nothing to do with Entra ID: they drift out of sync, trigger helpdesk calls, and SSO to Microsoft apps relies solely on a background broker extension that can fail silently. With Platform SSO configured, the macOS login window is an Entra authentication. The local account is cryptographically bound to an Entra identity, and every app that speaks the Apple Enterprise SSO protocol picks up tokens from that single bind.
This page walks you through deploying the Platform SSO extension profile in Intune from scratch — authentication method choice, prerequisites, the registration moment users see, and the verification steps. For the full architectural deep-dive, see Platform SSO with Entra ID. For what breaks in production and how to fix it, see Platform SSO Issues.
Applies tomacOS 13 Ventura and later (Secure Enclave requires 13+; password sync works on 13+)
RequiresCompany Portal 5.2310 or later installed on the device before registration; Entra ID P1 minimum
GotchaADE + supervised is effectively required in practice — user-approved enrolled Macs can receive the profile but MDM channel for FileVault escrow and full restriction enforcement is weaker
Authentication Methods — Pick One
Platform SSO supports three authentication methods. Choose before you build the profile; migrating between methods requires re-registration.
Method
How login works
Phishing-resistant
Best for
Password sync
User types their Entra password at the macOS login window; Intune SSE syncs it to the local account
❌
Most orgs — lowest user friction, no new hardware
Secure Enclave
A device-bound key pair is registered in Entra; login uses Touch ID or local PIN backed by the T2/Apple Silicon Secure Enclave
PIV smart card presented at login; Entra validates the certificate
✅
Government/regulated; card infrastructure already in place
Start with password sync
Secure Enclave is the long-term target for most orgs, but password sync gets you the SSO benefits immediately with zero user retraining. You can migrate to Secure Enclave in a later phase — see Passkeys and Secure Enclave SSO for the migration path.
Prerequisites Before You Deploy
Company Portal installed and signed in. The SSO extension is hosted by Company Portal. Deploy it as a required app targeting the same device group before the SSO profile, or include it in a Setup Assistant/Await Configuration flow so it lands before the user hits the desktop.
macOS 13.0 or later. Platform SSO is a macOS 13 feature. Devices running Monterey or earlier receive the profile but cannot register. Build a compliance policy or a filter group to exclude them.
Entra ID P1 (or higher) licensing assigned to the registering user. The SSO extension registers a device-bound credential in Entra; that flow requires P1.
ADE-supervised enrollment recommended. Platform SSO works on user-approved enrolled Macs too, but ADE with locked enrollment ensures the MDM channel is non-removable. An unsupervised user can remove the profile and break SSO.
Network access to Entra ID endpoints on the device — login.microsoftonline.com, enterpriseregistration.windows.net, and the Intune service. Captive portals block registration.
Step 2Configure the Extensible SSO payloadAdd the Authentication > Extensible Single Sign On category
Step 3Assign and scopeTarget a pilot device group before broad rollout
Step 4Validate registrationConfirm with app_sso_util and the Intune device report
Navigate to the configuration profile section. In the Intune admin center, go to Devices > macOS > Configuration > Create > New policy. Select Settings catalog as the profile type.
Add the Extensible SSO category. In Settings Picker, search for Extensible Single Sign On under the Authentication category. Add it. The key fields are:
Team Identifier:UBF8T346G9 (Microsoft's Apple Team ID)
Add the Platform SSO key-value pairs. Under Extension Data (the custom key-value area), add the following:
AuthenticationMethod = Password (or UserSecureEnclaveKey for Secure Enclave)
RegistrationToken = leave blank — registration uses interactive Entra auth, not a pre-shared token
EnableCreateUserAtLogin = 1 — allows Platform SSO to create the local account from an Entra sign-in if no local account exists yet (needed for net-new ADE Mac flows)
NewUserAuthorizationMode = Standard or Admin — controls whether newly-created Platform SSO accounts are standard users or local admins
UserAuthorizationMode = Standard — applies to existing accounts at re-registration
Optionally add the screen-lock SSO payload. To extend Platform SSO to the lock screen (not just login), also add Authentication > Extensible Single Sign On Kerberos is not needed — but do add a second Extensible SSO entry with Platform SSO: Authentication Grace Period set to 3600 (seconds) so a brief screen-unlock does not trigger a full Entra round-trip.
Assign to a scoped device group. Start with a pilot group of 5–10 Macs. Assign as Required. Do not push to All Devices until you have validated registration end-to-end.
Profile ordering matters
Company Portal must be installed before the SSO extension profile is enforced. If the extension payload lands first, the OS cannot load it and the user sees no registration prompt.
If you also deploy a Kerberos SSO extension, keep it in a separate profile. Stacking multiple SSO extension payloads in one Settings Catalog profile can cause only the last one to apply.
Do not deploy both an MSAL/broker extension profile (the older Entra SSO extension) and a Platform SSO profile targeting the same device — they conflict.
The Registration UX — What Users See
After the profile lands and Company Portal is installed, the next time the user unlocks their Mac (or at first login on a new ADE device), a system notification appears: "Sign in to get access to your organization's resources." Clicking it opens a native dialog — not a browser — that prompts for Entra credentials including MFA. On success, the local macOS account is cryptographically linked to the Entra identity. The local account password (for password-sync mode) is then silently synced to match the Entra password.
Users do not change their password at this step. They authenticate with their existing Entra credentials. If they haven't set their macOS password to match Entra yet, Platform SSO will prompt them to update the local password once after registration so they're in sync going forward.
Verify Registration
On the Mac, runapp_sso_util show in Terminal. A registered device shows an SSO account with status Registered and a valid Entra UPN. If you see Not registered, the profile has not fully applied or Company Portal is not running.
Check the Intune device record. In Devices > macOS > select the device > Hardware — the Azure AD registered field should show Yes. Also review the configuration profile assignment state to confirm the SSO profile reports Succeeded.
Test SSO silently. Open Safari and navigate to https://myapps.microsoft.com. The user should land on the My Apps portal with no credential prompt. If a prompt appears, the extension is not brokering tokens — check Company Portal is running in the background and the URLs in the profile are correct.
Insights
Platform SSO is the single highest-impact macOS Intune policy. It solves local-password drift, SSO to all Microsoft 365 apps, Conditional Access device compliance, and the "is this Entra-registered?" question in one profile. Prioritize it over almost everything else in your Mac build.
Password sync drift is a myth if Platform SSO is working. The extension intercepts every macOS password change and pushes it to Entra (and vice versa), so the passwords stay in sync automatically. The old problem of diverging credentials goes away the day registration succeeds.
Secure Enclave delivers phishing-resistant login without smart cards. If your org is moving toward passwordless, Secure Enclave mode on Apple Silicon Macs is the fastest path — the device-bound key registers in Entra as a passkey-equivalent credential. Plan the rollout carefully; it is a one-way door per device without re-enrollment.
The registration notification is easy to dismiss and hard to recall. Users who tap "Later" on the registration dialog may not see it again for days. Build a Company Portal self-service nudge or Installomator/script that re-triggers the notification, or catch them at first ADE boot via Await Configuration.
Company Portal version is the most common root cause of registration failures. Always deploy the latest Company Portal as a required app and pin a minimum version in compliance. An outdated Company Portal silently fails to host the extension.
Conditional Access "require compliant device" gates on Platform SSO registration. A Mac that has not completed registration is not Entra-registered and cannot satisfy a compliant-device CA grant. Stagger your CA enforcement: deploy Platform SSO, validate registration across the fleet, then tighten CA.
Enforce FileVault disk encryption with the recovery key escrowed to Intune.
FileVault is macOS's built-in full-disk encryption — XTS-AES-128 applied to the entire startup volume. On a corporate Mac it's non-negotiable: an unencrypted disk is a data breach waiting for a bag thief. The policy itself is straightforward to push, but the escrow piece is where teams get burned: it's entirely possible to have a fleet where FileVault is enabled on every device yet not a single recovery key is stored in Intune. This page covers the right way to configure both in one shot.
Intune manages FileVault through the Disk Encryption policy type under Endpoint Security. This is separate from a configuration profile and is the recommended path — it gives you per-device encryption status and key-escrow status in the same place, and it wires the personal recovery key directly to Intune without extra scripting.
Applies tomacOS 10.15 Catalina and later (ADE-enrolled or user-approved)
RequiresCompany Portal installed; user must log out/in once for deferred enablement
Gotcha"Enabled but key not escrowed" is silent — always verify escrow status, not just encryption status
Create the Disk Encryption Policy
Step 1Navigate to Disk EncryptionEndpoint Security > Disk Encryption > Create Policy; Platform = macOS, Profile = FileVault
Step 2Configure FileVault settingsEnable FileVault, set escrow to Intune, configure PRK visibility and rotation
Step 3Assign to device groupTarget your Mac device group — never user groups for encryption policy
Step 4Verify escrow healthMonitor Encryption report for the "Escrowed" column — that's your real signal
Key settings in the FileVault profile
Enable FileVault. Set to Yes. Without this, nothing happens. The remaining settings only matter once this is on.
Recovery key type. Choose Personal recovery key for the vast majority of deployments. Each device gets a unique 28-character key stored in Intune. The Institutional key option (a shared certificate-based key) exists but is rarely the right answer in an Entra-joined world — it requires a separate key management workflow and the cert must be protected outside Intune.
Escrow location description of personal recovery key. Set this to a user-visible string like IT Helpdesk. The user sees this message at encryption time — it tells them where the key went so they don't panic.
Number of times allowed to bypass. Set to 0 or a small number (typically 1 or 2) to require the user to enable FileVault at next login rather than deferring indefinitely. Set to Not configured and a determined user can keep clicking "Not now" forever — you'll have stale non-encrypted devices in your compliance report for months.
Hide recovery key. Set to Yes. This prevents the personal recovery key from being displayed to the user at enablement time. The key is silently escrowed to Intune. If set to No, macOS shows the key on screen and the user can note it down — then it's no longer solely in Intune. Recommend hiding it unless your policy requires users to hold their own copy.
Disable prompt at sign-out. Leave as Not configured unless you specifically want to suppress the sign-out prompt; the enrollment flow relies on that prompt to trigger deferred enablement.
Personal recovery key rotation (months). Set to 12 (annually) or as your security policy dictates. Rotation happens automatically: Intune generates a new key, the old one is invalidated, and Intune stores the new one. The user does not see it. See the FileVault Recovery and Escrow page for what happens when a rotation fails mid-flight.
Deferred enablement — what actually happens
When the policy arrives, FileVault is not immediately enabled. macOS defers it to the next user log-in or log-out. The user sees a dialog asking them to enable FileVault; after they authenticate, the disk begins encrypting in the background. The recovery key is escrowed to Intune at that same moment. Encryption completes over the next few minutes to hours depending on disk size — the Mac is fully usable the entire time.
The "Enabled But Not Escrowed" Trap
This is the most common FileVault mistake in Intune environments, and it's invisible unless you look for it. It happens when:
A device was encrypted before MDM enrollment (the user turned on FileVault manually or it was on from a prior management system), and Intune hasn't been able to rotate the key into escrow yet.
The Company Portal was not installed when the policy first applied, so the escrow step failed silently.
The user never triggered the deferred-enablement login prompt (on an existing, already-encrypted device, the rotation prompt can be dismissed).
The fix: in Devices > macOS > select the device > Recovery keys, you'll see "No key" if escrow failed. Use the Rotate FileVault recovery key remote action to force a new key and escrow it. The user must be logged in and Company Portal must be running for the action to complete. For fleet-wide auditing, use the Encryption report at Devices > Monitor > Encryption report — filter by FileVault Profile Status = Succeeded and FileVault Encryption Readiness = Not applicable or Escrowed. Anything showing "Not escrowed" is a risk. The FileVault and Escrow Issues page has the full remediation runbook.
Compliance dependency — order matters
If you add FileVault to a compliance policy before the encryption policy has had time to enable and escrow keys, every Mac immediately goes noncompliant and Conditional Access can block those users.
Deploy the disk encryption policy first, give it 48–72 hours to propagate and for users to complete their login-prompt, then enable the FileVault requirement in your compliance policy.
On an ADE-enrolled Mac, the user completes Setup Assistant and gets to the Desktop before the disk encryption policy arrives — the deferred-enablement prompt is the first thing they'll notice post-enrollment. Set expectations in your onboarding comms.
For most tenants, the personal recovery key path is the right call. The institutional key is a legitimate option for government or regulated industries where IT must be able to unlock a device without a network connection, but it requires you to securely store and manage the institutional certificate outside Intune. See the FileVault deep-dive for the full institutional-key setup.
Retrieving a Recovery Key
When a user is locked out (wrong password, corrupted login), the helpdesk retrieves the key from Devices > macOS > [device] > Recovery keys > Show recovery key. This action is RBAC-gated — only roles with the Read remote tasks and Manage remote tasks permissions can view it. The key is displayed once; retrieving it also schedules an automatic rotation so the seen key is invalidated after next use. Users with the right license can also self-serve at myaccount.microsoft.com > Devices > [device] > Get recovery key — enabling this significantly reduces helpdesk volume. The full recovery flow, including the macOS Recovery Mode steps, is on the FileVault Recovery and Escrow page.
Insights
The Encryption report is your north star, not the compliance report. Compliance reports "not compliant" but doesn't tell you whether encryption failed or just hasn't escrowed yet — the Encryption report shows both dimensions separately.
Deferred enablement requires a user action. On a Mac that ships already encrypted (e.g., a pre-owned device), the deferred prompt may show "enable FileVault" even though FileVault is technically on — this is the key-rotation flow, not re-encryption. It still needs a user login to complete.
Company Portal must be present for escrow. The PRK handshake goes through Company Portal. A Mac that never received or uninstalled Company Portal will encrypt but never escrow — silent failure, reported in the Encryption report.
Rotation failures accumulate quietly. If a rotation is triggered while the Mac is offline or Company Portal is closed, the rotation queues and retries. During that window your Encryption report may show a stale key. Check rotation status after any bulk rotation action.
FileVault is a compliance signal, not a security gate by itself. Pair it with a Conditional Access policy requiring a compliant device — otherwise a non-encrypted Mac can still access resources until someone notices the compliance report. See the macOS compliance policy page for the full check.
Microsoft 365, Edge, Defender, and your essentials via pkg, VPP, and Installomator.
App deployment on Mac is fundamentally different from Windows. There is no Microsoft Store app type that covers most enterprise software, and the Mac App Store is rarely where business apps live. Your day-one app set for a managed Mac comes from three sources: direct pkg delivery through Intune, the Installomator script pattern for community-maintained app updates, and VPP/Apps & Books for the handful of apps that actually live in the Mac App Store. Knowing which tool fits which app saves a lot of pain at scale.
Security tools — Microsoft Defender for Endpoint, any EDR agent, and even Company Portal itself — carry an additional requirement that no other platform has to this degree: they need Privacy Preferences Policy Control (PPPC) payloads and system extension approvals pre-staged before the app installs. Ship the PPPC profile without the app and it is harmless. Ship the app without the PPPC profile and users get permission prompts at best, and silent failure at worst. The deployment order matters.
Applies tomacOS 12 Monterey and later (ADE-supervised)
Console pathApps > macOS > Add
RequiresIntune P1/P2 or M365 E3/E5; Apple MDM Push cert; ABM token
GotchaPPPC + system-extension profiles must be assigned before Defender installs — not after
The Day-One App Set
Keep the required set lean. Apps deployed as Required install silently and must succeed; every additional required app is another thing that can fail silently with no user-visible error. The recommended day-one required set:
App
Delivery method
Required or Available
PPPC needed?
Company Portal
Line-of-business (pkg)
Required
❌
Microsoft 365 Apps for Mac
Microsoft 365 Apps for macOS (built-in type) or pkg
Required
❌
Microsoft Edge
Line-of-business (pkg) or Installomator script
Required
❌
Microsoft Defender for Endpoint
Line-of-business (pkg) via MDE onboarding package
Required
✅ Full Disk Access, accessibility, system extension
OneDrive
Built-in macOS app type or pkg
Required
❌ (Files On-Demand may prompt)
LOB / additional tools
Installomator or pkg
Available (Company Portal)
Depends on app
Microsoft 365 Apps for Mac
Intune has a dedicated built-in app type for the Microsoft 365 suite: Apps > macOS > Add > Microsoft 365 Apps (macOS). This app type delivers Word, Excel, PowerPoint, Outlook, OneNote, and Teams in a single assignment. You do not need to download or host a pkg yourself — Intune pulls the current release from Microsoft's CDN.
Suite or individual packages?
The built-in suite app type is the simplest path for most tenants. If you need to pin to a specific channel or exclude specific apps, use a custom pkg from the Microsoft Office for Mac download page and deploy it as a line-of-business app instead. See deploying Microsoft Apps on Mac for the full channel and customization options.
Add the suite app. Navigate to Apps > macOS > Add, select Microsoft 365 Apps (macOS), and click Select.
Configure app information. Accept the defaults or adjust the name/description. No pkg to upload — Microsoft hosts it.
Assign to your device group. On the Assignments tab, add your Mac ADE device group under Required. Do not use user groups for a device-context app deployment.
Review and create. The suite installs silently. First install on a fresh ADE Mac typically completes within 10–15 minutes of enrollment, depending on network speed.
Microsoft Defender for Endpoint
MDE on Mac is the most operationally demanding app in your day-one set because it requires kernel-adjacent permissions that macOS protects aggressively. Without PPPC and system-extension profiles in place before installation, users see permission dialogs they cannot grant silently, and real-time protection will not function even if the app appears installed.
Step 1Deploy PPPC + system-extension profilesAssign before MDE — these must land first
Step 2Deploy the MDE onboarding packagePkg obtained from the Defender portal; contains the tenant onboarding blob
Step 3Deploy the MDE application pkgLine-of-business app in Intune; the onboarding pkg activates it
Step 4Validate in the Defender portalDevice appears in security.microsoft.com within ~1 hour of enrollment
The PPPC payload must grant SystemPolicyAllFiles (Full Disk Access) to the MDE daemons. The system-extension profile must approve the Microsoft MDE extension with team ID UBF8T346G9. You also need a network-filter (content filter) payload to allow the Network Extension. All three are covered in detail at PPPC — Privacy Preferences Policy Control; Microsoft publishes the exact payload XML in the MDE onboarding documentation.
Ordering is not optional
If the MDE pkg installs before the system-extension profile, the extension is blocked by System Preferences and requires a manual user approval or a device re-enrollment to clear.
MDM-deployed PPPC grants are silent and mandatory — this is why supervised/ADE matters. On user-approved enrolled Macs you cannot silently grant Full Disk Access; the user must approve.
The onboarding package and the application package are two different things. The onboarding pkg (downloaded from security.microsoft.com > Settings > Endpoints > Device management > Onboarding) binds the device to your tenant. Deploy it first.
Edge, OneDrive, and Company Portal
These three are straightforward compared to MDE. Company Portal is required for the Platform SSO registration flow and the self-service catalog; deploy it as a line-of-business pkg obtained from aka.ms/intune-companyportal-macos. Edge and OneDrive are available as built-in Intune app types (Apps > macOS > Add > Microsoft Edge, macOS or Microsoft OneDrive), which keeps them updated automatically without you managing a pkg lifecycle.
For OneDrive, the app itself needs no PPPC grants, but if you enable Files On-Demand, users will see a prompt on first sync. This is not MDM-suppressible in the same way as a background daemon; it is a user-facing feature consent. Consider whether to enable Files On-Demand via the OneDrive configuration profile (com.microsoft.OneDrive managed preferences) rather than leaving it to the user.
Installomator for Everything Else
Installomator is an open-source shell script maintained by the Mac admin community that downloads, verifies, and installs almost any common Mac application from the vendor's own CDN. It is not an Intune-native feature, but it has become the standard pattern for deploying and updating apps that are not in the Mac App Store and where you do not want to manage pkg files yourself.
The pattern in Intune is to wrap an Installomator call in a shell-script deployment: Devices > macOS > Shell scripts > Add. Set the script to run as root, and call installomator.sh <label> for the app you need. Installomator handles the download, SHA verification, and installation silently.
Installomator vs pkg in Intune
Use Installomator when the vendor ships frequent updates and you want auto-update behavior without re-uploading pkgs. Use a static pkg when you need a pinned version, when the app is not in the Installomator label library, or when your security team requires hash-verified artifacts stored internally. The full label library and deployment patterns are in the Installomator Cookbook.
Required vs Available — and Self-Service
Apps assigned as Required install silently at enrollment without user interaction. Use this for the security and productivity tools that every Mac must have. Apps assigned as Available appear in Company Portal for self-service install; use this for role-specific tools (creative software, developer runtimes, VPN clients that only some users need).
Unlike Windows where the Enrollment Status Page can block at desktop until required apps install, macOS has no equivalent ESP gate. Apps install asynchronously after enrollment. For your compliance policy to be meaningful at first sign-in, only the FileVault and platform posture checks matter immediately; app-presence compliance checks are less common on macOS and require custom compliance scripts.
For the full decision tree on app types — built-in, line-of-business, VPP, web clip, and script — see App Deployment Options on Mac.
Insights
The PPPC profile is not optional for Defender, it is the deployment. An MDE installation without Full Disk Access is a running process that cannot scan. Treat the PPPC payload as part of the MDE app deployment, not a separate hardening step.
Test pkg uploads with a small file before you upload a 2 GB Office suite. Intune has a 2 GB line-of-business pkg limit; the Microsoft 365 suite via the built-in app type bypasses this because it streams from Microsoft CDN.
Script-deployed apps (Installomator) do not appear in the Intune app inventory. You will not see them under Apps > macOS with an install status. Use a custom compliance script or Endpoint Analytics to verify installation if you need inventory.
VPP (Apps & Books) is rarely the right answer for Mac app deployment. Most enterprise Mac apps are not in the Mac App Store, and even those that are — like Xcode — are large and better managed via Installomator or direct pkg. VPP shines for consumer-style tools that happen to be in the store.
Assign apps to device groups, not user groups, for ADE Macs. User-targeted required apps install in the user context after login; device-targeted apps install in the system context during enrollment. Security tooling like Defender must be device-targeted.
Land restrictions, privacy, Gatekeeper, and the security baseline on day one.
Enrollment gets a Mac into management; the configuration baseline is what makes it a managed Mac. On day one, every supervised Mac should receive a coherent set of profiles that lock in Gatekeeper posture, the application firewall, software update behavior, password policy, and the PPPC pre-approvals that let your security and management tooling actually function. If these land after the user is already working, you're chasing a moving target and reopening prompts you should have pre-answered.
macOS baseline delivery is split across two profile types: Settings Catalog profiles cover everything Apple has surfaced as a named preference domain in the Catalog, and custom profiles (.mobileconfig) handle the rest — particularly PPPC payloads and any legacy payload keys not yet in the Catalog. You'll use both. The goal of this page is to walk the day-one profile set, the order you should push it, and how to verify it landed correctly before you scale.
Applies tomacOS 13 Ventura and later (ADE/supervised)
Console pathDevices > macOS > Configuration
RequiresIntune Plan 1 (included in M365 E3/E5, Business Premium)
GotchaPPPC payloads only take effect on supervised devices; User-Approved enrollments cannot receive them silently
What belongs in the day-one baseline
The baseline is not a CIS dump. It's the minimum set of controls that every Mac in the fleet should carry from the moment it completes Setup Assistant. The IntuneNerds Mac baseline, which maps directly to the mSCP-derived hardening guidance, groups into four functional areas:
Profile area
Key settings
Delivery method
Restrictions & iCloud
Disable AirDrop to non-contacts, restrict iCloud Drive on managed devices, disable Siri in enterprise contexts
Settings Catalog
Gatekeeper & XProtect
Gatekeeper: assessmentEnabled = true, require App Store or identified developers, notarization enforced
Settings Catalog (System Policy)
Firewall
Application firewall on, stealth mode, block all incoming unless explicitly allowed
Settings Catalog
Password & account policy
Minimum length 12, complexity on, max attempts, screen lock 5 min idle
Settings Catalog (Passcode)
Software update
Managed update cadence via DDM; enforcedSoftwareUpdateDelay for non-critical deferrals
Settings Catalog (DDM)
PPPC pre-approvals
Full Disk Access for Defender, accessibility for management agents, screen recording where needed
Custom profile (TCC payload)
Settings Catalog first, custom profile for what's missing
Apple continuously migrates payload keys into the Settings Catalog. Before building a custom profile, search the Catalog — if the setting is there, use it. Custom .mobileconfig is necessary for PPPC (TCC), certificates, and a handful of legacy domains not yet catalogued.
Order of operations
Profile delivery order matters. PPPC payloads that grant Full Disk Access to Defender, for example, must be present before Defender's onboarding profile runs — otherwise the user sees a TCC prompt during enrollment that can silently block the agent. Baseline profiles should precede application deployments.
Step 1Create & assign baseline Settings Catalog profilesRestrictions, Gatekeeper, firewall, password, software update — all scoped to All Devices or an ADE pilot group
Step 2Create & assign PPPC custom profilesTCC payload granting FDA and accessibility to management/security agents before those agents deploy
Step 3Deploy apps (Company Portal, Defender, M365)Apps land after PPPC is in place; agents get TCC grants silently
Step 4Validate per-setting reportingDevices > macOS > Configuration > [profile] > Device status and Per-setting status
Building the profiles
Settings Catalog profiles
Navigate to the configuration blade. Go to Devices > macOS > Configuration > Create > New policy. Select Settings catalog as the profile type.
Add Gatekeeper settings. Search for Gatekeeper. Enable Enable Assessment and set Allow Identified Developers — this enforces notarized, identified-developer apps. Do not set to App Store only unless your fleet is exceptionally locked-down; it will break most enterprise pkg installs.
Add firewall settings. Search Firewall. Set Enable Firewall to true, Enable Stealth Mode to true. Leave the per-app exceptions to a second-pass profile if you have known inbound services.
Add password policy. Search Passcode. Set minimum length 12, Require Alphanumeric Value, Maximum Auto-Lock5 minutes, and a failed-attempt limit. These mirror what the mSCP Level 1 controls require without being actively hostile to normal use.
Add software update deferral. Search Software Update. Set Enforced Software Update Delay (non-critical) to 7 days. Pair this with a DDM managed-update policy for deadline enforcement — the Settings Catalog deferral controls the update visibility window; DDM forces install by a date. See the DDM update page in this guide.
Assign to your pilot group. Assign to a device group scoped to your ADE pilot ring first. Validate, then broaden to all macOS devices.
PPPC custom profile
Build the TCC payload. The Privacy Preferences Policy Control payload (com.apple.TCC.configuration-profile-policy) cannot be built in the Settings Catalog UI — you need a signed or unsigned .mobileconfig. Use a tool such as Privacy Preferences Policy Control Builder or hand-author the XML. For Defender for Endpoint the payload must grant Full Disk Access to com.microsoft.wdav and com.microsoft.wdav.epsext.
Upload as a custom profile. Go to Devices > macOS > Configuration > Create > New policy > Templates > Custom. Upload the .mobileconfig file.
Assign before the security app. Assign this profile to the same groups as the Defender deployment, but confirm that Intune applies configuration profiles before app installs complete — in practice, both race at enrollment, so the PPPC profile should be created and assigned before the Defender app is added to the scope of the device group.
PPPC only works on supervised devices
User-Approved MDM enrollment (non-ADE) cannot receive PPPC payloads silently. The user will see a system TCC prompt for each agent that needs Full Disk Access.
If a Mac slips through as user-approved rather than ADE-supervised, your security agents will prompt the end user. Audit your enrollment type in Devices > device detail > Enrollment type.
Importing the community baseline
Rather than building every profile from scratch, the IntuneNerds Mac baseline provides a field-tested starting point. The baseline import process walks you through pulling these profiles into your tenant via Graph/import tooling and scoping them to a pilot ring first. Review every profile against your organization's requirements before promoting to production — the baseline is opinionated but ships as a starting configuration, not a final one.
Reconcile with mSCP before deploying broadly
If your organization is targeting a formal benchmark (CIS Level 1 or NIST), run the mSCP audit scripts against a test Mac after baseline deployment to confirm coverage before rollout.
Validating deployment
Per-setting reporting is available for Settings Catalog profiles and is the fastest way to confirm a setting landed. Navigate to Devices > macOS > Configuration > select your profile > Per-setting status. You'll see each setting's state: Succeeded, Conflict, Error, or Not applicable. A Conflict means another profile is delivering the same key with a different value — resolve this before promoting to your full fleet.
For PPPC custom profiles, confirm delivery under Device status on the profile detail page. On the Mac itself, System Settings > Privacy & Security > Full Disk Access will show the pre-approved apps listed and locked (non-toggleable by the user) on a supervised device.
Do
Assign baseline profiles to device groups, not user groups — config follows the Mac, not the person logged in
Scope to a pilot ring first; validate per-setting reporting before broadening
Deploy PPPC before the security/management agents that depend on it
Use Settings Catalog where the key exists; reserve custom profiles for TCC, certs, and legacy payloads
Document every deviation from the baseline and the business justification
Don't
Don't attempt to pre-grant PPPC on user-approved (non-supervised) Macs — it silently fails
Don't set Gatekeeper to App Store-only unless you have validated every app your fleet needs is in the Mac App Store
Don't assign the same Settings Catalog key in multiple overlapping profiles — conflicts are resolved unpredictably
Don't rely on software update deferral alone; pair it with DDM deadlines or updates will be deferred indefinitely by users
Insights
Gatekeeper posture is the most-skipped baseline item. Many teams ship Macs with Gatekeeper left at its default user-controllable state. An MDM-enforced assessmentEnabled removes the "Allow Anyway" bypass and is a meaningful control against unsigned tooling.
PPPC prep eliminates the enrollment-time TCC gauntlet. A well-built PPPC payload means a new Mac running Defender, a management agent, and an EDR sensor never prompts the user with security dialogs during enrollment — critical for a polished first-boot experience.
Conflicts in per-setting reporting are usually the sign of a duplicate profile. If a Gatekeeper setting shows Conflict on half the fleet, you almost certainly have it in two profiles. The Settings Catalog de-duplication check is manual; build a profile inventory.
The firewall stealth-mode setting surprises network teams. Stealth mode drops ICMP echo replies — if your monitoring infrastructure pings Macs for availability, enable the exception before you push stealth mode fleet-wide.
Software update deferral without DDM is a ghost policy. The legacy software update management keys were unreliable before DDM. If you are on macOS 14+, use the DDM managed-update approach for deadline enforcement; the Settings Catalog deferral is still useful for controlling the visibility window.
The XProtect remediation engine runs independently of your baseline. XProtect is always-on and Apple-maintained. Your Gatekeeper config complements it but does not replace it; do not conflate the two in your security documentation.
Define a healthy Mac and gate resources on it with the SSO extension in play.
A compliance policy is the contract between your tenant and your Mac fleet: it states precisely what a healthy Mac looks like, and every device either meets the bar or gets labeled noncompliant. That label has no effect on its own — the teeth come from Conditional Access, which reads the compliance state and decides whether a user gets into Exchange Online, SharePoint, or any other protected cloud resource. On macOS the stakes are higher than most engineers expect, because Platform SSO integrates the Mac login itself with Entra ID — which means a misconfigured CA policy can block the SSO registration flow at first boot, before the device has a chance to prove compliance.
This page builds the macOS compliance policy your fleet needs on day one, configures the noncompliance grace window and escalating actions, and wires the Conditional Access grant that blocks noncompliant Macs. Pay close attention to the first-enrollment chicken-and-egg and the report-only rollout sequence — these are not optional caution notes, they are the difference between a smooth go-live and an IT team locked out of their own tenant.
Applies tomacOS 11 Big Sur and later (macOS 13+ required for full DDM/Platform SSO compliance)
RequiresIntune Plan 1 (EMS E3 / M365 E3+); Entra ID P1 for Conditional Access
GotchaPlatform SSO registration itself requires an Entra network call — a CA policy blocking unenrolled Macs breaks SSO registration at first login
Build the macOS Compliance Policy
Navigate to Devices > Compliance > Policies > Create policy and select macOS. The settings that actually matter for a corporate Mac fleet fall into four categories. See the Compliance Policies for macOS deep-dive for every available setting with guidance on values.
Device Health
Require System Integrity Protection. Set to Require. SIP prevents even root-level processes from modifying critical system files. A Mac with SIP disabled is either a developer box that opted out (rare in corporate fleets) or a compromised machine. Either way, you need to know about it.
Require device threat protection. If you have deployed Microsoft Defender for Endpoint, enable the Defender for Endpoint integration and set Require the device to be at or under the machine risk score to Low. This wires live threat signals into the compliance state — a Mac that Defender flags as compromised immediately becomes noncompliant and loses resource access.
Device Properties (OS Version Floor)
Set a minimum OS version. Use the full version string format, e.g. 13.0 for a Ventura minimum or 14.0 for Sonoma. Pick the oldest macOS you will actively support and fund updates for — this floor becomes a forcing function. Devices below it are immediately noncompliant, which drives users and helpdesk to escalate update issues in a way a dashboard report never does. Coordinate this floor with your DDM software update policy so the deadline and the compliance floor stay in sync.
Maximum OS version. Only relevant if you have certified software that breaks on a new major release. Otherwise leave blank — forcing users to not update is rarely defensible from a security standpoint.
System Security
Require a password. Set to Require. Configure Required password type to Alphanumeric, minimum length 8, maximum minutes of inactivity before screen lock to 5. Users who have completed Platform SSO with a Secure Enclave credential satisfy this at the Entra layer, but the local screen-lock requirement is still enforced by this setting.
Require encryption of data storage on device. Set to Require. This is the MDM self-report of FileVault status. Pair it with a disk-encryption policy (configured separately under Endpoint security > Disk encryption) that enforces FileVault and escrows the recovery key. The compliance setting tells CA whether to block; the disk-encryption policy is what actually turns FileVault on. A Mac can have FileVault enabled by the user without escrow — the compliance check passes, but you have no key. Always verify escrow separately.
Require a firewall. Set to Require. This checks the macOS Application Firewall state (socketfilterfw). The built-in firewall is not the same as a PF network filter — it is the per-application inbound connection firewall. Enabling it is low-risk for corporate Macs and a quick compliance win.
Gatekeeper. Set to Mac App Store and identified developers. This ensures unsigned, unnotarized software is blocked by the OS before it runs. The Anywhere option effectively disables Gatekeeper and should never pass compliance in a corporate fleet.
FileVault compliance vs FileVault enforcement
The compliance setting checks whether FileVault is on. The disk-encryption policy is what turns it on and escrows the key. You need both. A device with only the compliance check will show noncompliant but Intune has done nothing to remediate it — add the Endpoint Security disk-encryption policy to your ADE build to ensure FileVault is enabled at first login.
Noncompliance Actions and Grace Period
Under the Actions for noncompliance section of the policy, the default is to mark the device noncompliant immediately (Day 0). Combined with a CA policy that blocks access, a device with a slightly stale OS version or a FileVault key that hasn't yet escrowed gets locked out before the user sends a single email. Build a grace window instead.
Day 0Send email to end userNotify the user their Mac is noncompliant and what they need to fix — before anything is blocked.
Day 1Mark device noncompliantThe compliance state flips; CA evaluates it as noncompliant from this point.
Day 3Send push notificationEscalate via Company Portal notification if the device is still out of policy.
Day 14Remotely lock or retire (optional)For high-security environments: retire after two weeks of unresolved noncompliance.
Day 0 mark-as-noncompliant combined with CA enforcement is a trap
A Mac that just completed ADE enrollment may have FileVault enabled but the key not yet escrowed — it will be noncompliant for minutes to hours.
If CA is enforcing compliant-device at Day 0, the user cannot authenticate to anything to trigger the sync that would fix it.
Platform SSO registration itself requires an Entra authentication — block that and you break SSO before it can register.
Safe minimum: Day 1 mark-as-noncompliant, CA in report-only until the fleet is broadly compliant.
The Chicken-and-Egg Problem at First Enrollment
This is the most common macOS go-live failure mode, and it is nastier on Mac than on Windows because Platform SSO is in the critical path. The sequence of events on a new Mac ADE enrollment:
Mac completes Setup Assistant, ADE profile is applied, MDM is enrolled.
User creates (or receives) a local account and logs in for the first time.
Company Portal launches and prompts the user to register for Platform SSO — this requires an Entra authentication.
If a CA policy requires a compliant device and the Mac has not yet been evaluated (it hasn't — policy evaluation takes a sync cycle), Entra returns a CA block to the SSO registration call.
SSO registration fails. The user has no SSO token. FileVault deferred enablement may not fire. Compliance cannot be re-evaluated until the device can check in. The device is stuck.
The fix requires two changes. First, set the tenant compliance grace period to at least 1 day under Devices > Compliance > Compliance settings — this treats newly enrolled devices as compliant during the grace window, giving them time to evaluate policies. Second, keep CA in report-only mode for your first wave of ADE enrollments. Only flip to enforcement after you have confirmed that enrolled Macs are reaching compliant state and Platform SSO is registering successfully.
Build the Conditional Access Policy
Open Entra admin center and navigate to Protection > Conditional Access > Policies > New policy. Name it clearly: REQUIRE-Compliant-Device-macOS.
Assignments > Users. Start with your IT pilot Entra group — never All Users for a first enforcement. Expand only after validating the policy is not blocking unexpected sign-ins.
Assignments > Target resources. Set to All cloud apps for full enforcement, or scope to Exchange Online and SharePoint Online for a staged resource rollout. Avoid scoping to "Office 365" — use individual apps or All cloud apps for predictable behavior.
Conditions > Device platforms. Select macOS to scope this policy to Mac sign-ins only. Separate CA policies per platform give you independent enforcement rollouts.
Grant. Select Grant access, check Require device to be marked as compliant. On macOS with Platform SSO, the device identity is surfaced through the SSO extension's device registration — the device must be Entra-registered (which Platform SSO handles) and compliant for this grant to pass.
Enable policy: Report-only. Never start at On. Report-only lets you observe what would have been blocked in Sign-in logs > Conditional Access before any user is affected.
Always exclude break-glass accounts
Create a dedicated break-glass exclusion group and add it to every CA policy's Exclude list. These cloud-only emergency accounts are what you use if CA misconfiguration locks everyone out — including you. Never exclude by individual user; group-based exclusion survives membership changes and is auditable.
Report-Only to Enforce: The Safe Rollout Sequence
Phase
CA State
What to check
Proceed when
1 — Pilot ADE enrollment
Report-only
Compliance state in Devices > Compliance; Sign-in logs > Conditional Access tab for macOS sign-ins
Pilot Macs show Compliant; Platform SSO registered successfully; no unexpected report-only blocks
2 — Broader Mac rollout
Report-only
CA Insights workbook for would-be blocked macOS sign-ins
<2% failure rate; known failures are unmanaged personal Macs (expected)
3 — Enforce on pilot group
On (scoped to pilot group)
Help desk volume; Company Portal registration completions
Zero unexpected blocks after 48 hours
4 — Full enforcement
On (All Users)
Sign-in logs daily for first week
Steady state; no auth failure spike
Assigning the Compliance Policy
macOS compliance policies assign to user groups, not device groups. This matters: the compliance state is evaluated against the policies assigned to the signed-in user. A Mac enrolled with no user affinity (a shared or kiosk Mac) is evaluated against the tenant-wide default compliance policy — which defaults to compliant if no policy applies. For shared Macs, create a device-filter-based assignment or an explicit compliance policy for those devices so they are not inadvertently held to user-targeted settings that do not match their use case.
Insights
Platform SSO is in the CA critical path — sequence matters. SSO registration requires an Entra sign-in, which CA evaluates. If you enforce compliant-device CA before SSO can register, you create an unresolvable loop. Always enroll Platform SSO under report-only CA, confirm SSO is healthy, then flip enforcement.
FileVault compliance and FileVault enforcement are separate controls. The compliance setting reports a pass/fail; the disk-encryption Endpoint Security policy is what actually enables FileVault. You need both deployed to your ADE scope or you will report noncompliant Macs with no automated path to remediation.
The OS version floor is your update enforcement lever. Macs below the minimum version floor become noncompliant, lose resource access via CA, and users call helpdesk. This surfaces deferred-update problems that dashboard reports don't. Set the floor deliberately, not defensively — and pair it with a DDM deadline that gives users advance notice before they get blocked.
SIP off is a signal, not just a setting. System Integrity Protection is disabled by booting into Recovery and running a command. A corporate Mac with SIP off has either been deliberately tampered with or had a careless admin intervention. Flag it, investigate it — do not silently re-enable it via policy and move on.
Compliance state is stamped at last check-in. A Mac that has been offline for a week carries a week-old compliance stamp that CA will consume. If your grace window is shorter than your longest expected offline window (travel, leave), users will return to a CA block. Size your mark-as-noncompliant day count to account for real-world offline periods.
Noncompliant does not mean unmanaged. A Mac marked noncompliant by Intune still receives MDM policies, config profiles, and apps. CA is what gates resource access. Helpdesk runbooks must be explicit about this distinction — a noncompliant Mac is not broken, it is access-gated until it resolves the finding.
Use Declarative Device Management to actually enforce macOS updates by a deadline.
For years, enforcing macOS software updates through MDM was more optimistic than real. You could nudge, defer, and nag — but a determined user (or a Mac that never checked in at the right moment) could stay on a stale OS indefinitely. Declarative Device Management changed that. DDM's managed software update enforcement runs on the device, independent of MDM check-in cadence, and it means what it says: by this date, this Mac will be on this OS version.
This page walks the full DDM update configuration in Intune: the policy itself, deadline mechanics, target version pinning, and the compliance policy interplay that turns an out-of-date Mac into a blocked one. If you are still running the legacy Update Schedule or Software Update restrictions payloads, this is the migration you have been waiting for.
Applies tomacOS 13 Ventura and later (DDM); Intune-supervised via ADE
Console pathDevices > macOS > Update policies for macOS
RequiresSupervised (ADE-enrolled) Mac; Intune Plan 1 or higher
GotchaDDM enforcement is device-side; the device must be on macOS 13+ or the policy silently does nothing
Why DDM Updates Are Different
Legacy MDM update commands (ScheduleOSUpdate, Software Update restrictions) were server-push: Intune sent a command and hoped for compliance. If the device was offline, asleep, or the user declined, the update simply did not happen. Compliance policies could mark the machine noncompliant, but could not force the install.
DDM uses a declarative model: Intune delivers a managed software update declaration that the device stores and evaluates locally. The Managed Software Update declaration includes a target OS build, a target local date-time deadline, and optional intermediate rapid-security-response controls. When the deadline arrives, macOS installs the update regardless of MDM connectivity. Users see a system-native countdown notification; admins get enforcement they can actually rely on.
Supervision is required
DDM update enforcement only applies to supervised Macs enrolled via Automated Device Enrollment. A user-approved (BYOD) Mac enrolled through the Company Portal receives the policy but cannot be force-updated — the device ignores the declaration.
Step 2Set target version and deadlinePick the minimum OS build; set how many days users have before forced install
Step 3Configure deferral and notification cadenceMax user deferrals and the notification start window before deadline
Step 4Assign to device groupsTarget supervised Mac groups; use pilot rings before broad rollout
Navigate to the policy blade. In the Intune admin center go to Devices > macOS > Update policies for macOS and select + Create policy.
Name and describe the policy. Use a name that encodes the intent and target version, for example mac-supdate-ventura-14.5-30d. Scope tags go here if you use RBAC scope tags across your tenant.
Set the target OS version. Under Update settings, choose Update to latest version or select a specific version. For most production fleets, pin to a specific build until you have validated it rather than racing to whatever Apple ships that week.
Configure the installation deadline. Set Maximum user deferrals (how many times the user can postpone the notification) and the Priority field (Low schedules outside active hours; High installs as soon as possible). The Download ahead of time toggle pre-caches the installer when the Mac is idle and plugged in, which dramatically reduces the restart window for the user.
Set the deadline type. Choose A specific local date and time or X days after the policy is applied. The rolling-days model is almost always preferable in production: 14 days gives users two full weeks of warnings before enforcement, regardless of when their Mac first receives the policy.
Assign to groups. Target an Entra device group scoped to supervised Macs. Start with a pilot ring of 10–20 devices before assigning broadly.
Version pinning pitfalls
If you pin to a specific build (e.g., 14.5) and Apple releases 14.5.1 for a security fix, devices already on 14.5 will not receive the patch until you update the policy. Update pinned versions promptly after each Apple security release.
Pinning to a version older than what's already installed has no effect — DDM only updates forward, never downgrades.
What the User Sees
Starting 72 hours before the deadline, macOS surfaces a system notification: "A software update is required. Your Mac will restart in X days." Each deferral the user takes uses one of their configured deferral slots. When deferrals are exhausted or the deadline passes, the OS schedules the install for the next available maintenance window (typically overnight), then forces a restart. The user cannot stop this.
The notifications come from the OS, not from Company Portal, so they look and feel native. This is a deliberate design decision by Apple — policy-enforced updates use the same UI path as automatic updates, which means users are less likely to be startled or confused.
Rapid Security Responses
DDM also supports Rapid Security Response (RSR) deployments — the small targeted patches Apple ships between major point releases. The Rapid Security Response toggle in the policy controls whether these deploy automatically. In most environments, leaving it enabled is correct: RSRs are narrow fixes and almost never break anything. If a specific RSR causes issues, Apple provides a removal path, and you can toggle the setting to block the next one while you investigate.
Legacy Policy vs DDM: Side-by-Side
Behavior
Legacy MDM commands
DDM Managed Update
Enforcement model
Server push; device must be online at command time
Device-local declaration; enforces at deadline regardless of connectivity
User deferrals
Configurable but easily bypassed with persistent decline
Capped deferral count; deadline is absolute
Notification source
Varies; sometimes Company Portal, sometimes nothing
Native macOS system notification
Minimum macOS
macOS 10.15+
macOS 13 Ventura+
Supervision required
No (nudge only for unsupervised)
Yes for enforcement; policy is silently ignored on unsupervised
RSR support
❌
✅
Compliance Policy Interplay
The DDM update policy enforces the install; the macOS compliance policy makes out-of-date machines noncompliant. Wire both together so that a Mac that misses a deadline also loses resource access. The compliance policy setting is Minimum OS required — set it to the same version floor you are enforcing with DDM. A machine on an older build becomes noncompliant, which (with Conditional Access) blocks Exchange, SharePoint, and any CA-protected resource.
The practical sequence: DDM gives the user a deadline and forces the install. Compliance marks it noncompliant if it is still old. Conditional Access blocks resources. The compliance check runs on a schedule (default 8 hours), so the gap between "deadline passed, install queued" and "noncompliant status visible in Intune" is typically under a day. Do not set the compliance OS floor higher than your DDM target version or you will immediately mark every Mac noncompliant.
Stagger the deadline and the compliance floor
Set the DDM deadline 7–14 days before you enforce the compliance OS floor. This gives Intune time to reflect the update status and avoids a wave of helpdesk tickets from users who updated but whose compliance status has not refreshed yet.
Monitoring and Reporting
After assigning the policy, use Devices > macOS > Update policies for macOS > select the policy > Device status to see per-device status: Pending, Succeeded, Not applicable (unsupervised or older macOS), and Failed. The software update failures page covers the common failure reasons and how to read the device logs.
For deeper visibility, the DDM status report on the device is available via sudo softwareupdate --list and the com.apple.ManagedClient logs. Failed DDM declarations frequently show up in mdmclient log output before Intune's reporting catches up.
Insights
DDM is a one-way gate — plan your target version carefully. Once a Mac installs the target build you cannot push it back down. Validate each release on a pilot ring before setting it as the fleet-wide target, especially major point releases like 14.0 → 15.0.
"Not applicable" in the report means unsupervised or pre-Ventura. It is not a failure, but it means those machines have no enforced update path. If you have a tail of macOS 12 Monterey machines, the only lever is compliance policy pressure — DDM will not help.
The compliance OS floor and the DDM target must move together. Orphaned policies — DDM targeting 14.5 while compliance checks for 14.6 — create a permanent noncompliance state. Review both whenever Apple ships a new release.
Download-ahead reduces user disruption more than anything else. The install itself is fast; it's the download that takes 6–12 GB of bandwidth on a slow connection. Enable the pre-download toggle in every production policy.
Check-in with DDM and Software Updates on Mac for the full technical underpinning. This guide page covers the deployment workflow; the deep-dive covers declaration syntax, caching server interplay, and edge cases like Intel vs Apple Silicon update paths.
What the user sees from unboxing to a managed, FileVault-encrypted, SSO-registered Mac.
The ADE enrollment flow is something you build once and then hand to hundreds of users. Getting it right means knowing exactly what the user sees at each step — where they'll hesitate, what they'll misread, and when "it's just installing stuff" is the right answer. This page narrates the entire journey from the moment the box opens to a desktop that is enrolled, encrypted, and SSO-registered, so you can set expectations accurately and spot a stuck enrollment without guessing.
Unlike Windows Autopilot, macOS ADE has no Enrollment Status Page holding the user at a progress screen. Apps and config arrive in the background while the user can already interact with the desktop. That changes what "done" means and requires a different empathy model for both users and your helpdesk.
Applies tomacOS 13 Ventura and later (ADE, supervised)
Console pathDevices > Enrollment > Apple > Enrollment program tokens
RequiresADE-assigned serial, Company Portal, Platform SSO extension deployed
GotchaFileVault and Platform SSO registration are post-login events — the user is not "done" at first desktop
The Journey, Step by Step
Phase 1Power on & Setup AssistantDevice contacts Apple, pulls the ADE profile, Setup Assistant panes run (or are skipped)
Phase 2Local account creation & first loginUser creates (or receives a pre-staged) local macOS account; FileVault deferred-enable triggers
Phase 3Company Portal & Platform SSO registrationUser opens Company Portal, signs in with their Entra credentials, SSO secure-enclave key is generated
Phase 4Apps & config land in backgroundProfiles, restrictions, and required apps install silently; compliance becomes evaluable
Phase 1 — Power On to the Desktop Login Screen
On first boot the Mac contacts iprofiles.apple.com to check whether the serial number is assigned in ABM. If the serial is present and your ADE profile is assigned, macOS enters Setup Assistant in supervised ADE mode. The user sees the standard Apple language/country pane first. After that, every pane your ADE profile is configured to skip vanishes silently — no progress indicator, no explanation. Panes you have not skipped (e.g., Accessibility, Screen Time) remain.
Remote Management screen appears. This is the supervised-enrollment confirmation screen: "This Mac will be automatically configured by Your Organization." The user clicks Continue. This cannot be dismissed or skipped — it is the visible proof that locked enrollment is working. If this screen does not appear, the device is not ADE-enrolled.
Local account creation pane runs (unless you suppressed it in the ADE profile for pre-staged accounts). The user enters their full name, account name, and password. The account is created as standard or admin based on your ADE profile setting. Name this account consistently with your naming convention — it shows up in /Users/ and in the helpdesk.
Remaining Setup Assistant panes complete. Timing from power-on to first desktop is typically 3–6 minutes on a modern Mac with a fast network. On slower links or on first-boot-of-a-new-build, give it 10 minutes before suspecting a problem.
What "Awaiting Configuration" means here
If your ADE profile has Await device configuration enabled, the user sees a "Setting up your Mac" spinner before the desktop appears. MDM has a window (default 5 minutes, configurable) to push critical profiles before the user gets the desktop. Use this for the Platform SSO extension and baseline restrictions so they land before the user opens any browser.
Phase 2 — First Login: FileVault Deferred Enable
The moment the user logs in for the first time, FileVault deferred enablement fires if your disk-encryption policy is set to defer. The user sees a notification prompting them to enable FileVault — or, if you set Hide recovery key from user with automatic escrow, the encryption begins silently and the personal recovery key is sent directly to Intune without the user needing to act.
Verify the encryption prompt (or lack of it) matches your policy. If the user is asked to save a recovery key manually, your disk-encryption policy is not configured for automatic escrow. Revisit Devices > macOS > Configuration > your FileVault policy — the Personal recovery key escrowed to field should be set to Azure Active Directory.
Encryption runs in the background. On Apple Silicon the initial encryption pass is near-instant (data is always encrypted on-chip; it is a key-rotation operation). On Intel with a spinning disk it can take 30+ minutes. The Mac is fully usable throughout.
Compliance becomes evaluable only after the recovery key is escrowed. A device reported as FileVault-encrypted but without an escrowed key is non-compliant in most policies. This is the "enabled but not escrowed" trap that catches teams who do not test the full login-to-escrow flow in their pilot.
Common stuck states at this phase
FileVault prompt loops on every login — often means the device is not yet supervised or the escrow profile has not applied.
Escrow key never appears in Devices > device detail > Recovery keys — check that the APNs channel is healthy and the device has checked in since encryption completed.
User clicks "Remind me later" on the FileVault prompt and encryption never starts — enforce the policy rather than relying on user action.
Phase 3 — Company Portal and Platform SSO Registration
This is the step that separates a modern Mac build from a legacy one. Platform SSO, once deployed, ties the macOS login window to the user's Entra identity — but the user must register the secure-enclave key once before that binding is active. Company Portal is the trigger for that registration.
Company Portal opens automatically if you deployed it as a required app with an opening script or Login Item. If not, the user must find it in Applications or Launchpad. A better experience is to put Company Portal in the Dock via a managed preference and instruct the user to open it after login.
User signs in with their Entra credentials inside Company Portal. This is the first time the device sees the user's organizational identity. On the very first sign-in, Company Portal triggers the Platform SSO registration notification: "Register this device to get access to company resources."
User clicks Register and authenticates. With Secure Enclave authentication mode, macOS generates a hardware-bound key on the T2/Apple Silicon secure enclave, sends a certificate request to Entra, and registers the device. This takes under 30 seconds on a healthy network. The user sees the Intune notification banner and the registration completes silently. For the full Platform SSO detail on what happens under the hood, see the dedicated page.
Verify registration completed. In System Settings > Privacy & Security > Profiles, the user should see the Enterprise SSO extension profile. On next browser launch, cloud apps (Outlook Web, SharePoint) should sign in silently without a credential prompt. If they still prompt, the SSO extension has not yet registered — give it 2–3 minutes and retry.
Time expectations for Platform SSO registration
Registration must complete within the same user session it was initiated. If the user closes Company Portal before completing the registration step, the notification re-appears on the next login. This is not an error state — it resolves itself — but document it in your user guide so your helpdesk does not start a ticket unnecessarily.
Phase 4 — Apps and Config Arriving in the Background
By the time the user reaches the desktop, the MDM channel is established and profiles are queuing. Here is the realistic arrival order and timing on a standard enterprise connection (50 Mbps+):
Remote Management screen appeared during Setup Assistant
Profiles visible under System Settings > Privacy & Security > Profiles within 10 minutes
Company Portal shows device as "Managed" after sign-in
Platform SSO registration notification appeared and was completed
Cloud apps sign in silently (no credential prompt)
Recovery key visible in device detail in the Intune console
Compliance shows green within 30–60 minutes of first login
Stuck signals
No Remote Management screen — serial not assigned in ABM or ADE profile not synced
Profiles pane empty after 15 minutes — APNs issue or MDM URL mismatch
Company Portal says "Not enrolled" — ADE token or push certificate expired
Platform SSO registration never prompts — Enterprise SSO extension profile not applied
FileVault prompt loops — device not supervised or escrow policy not applied
M365 apps still not installed after 2 hours — check the Intune app install status report in the console
Insights
The Remote Management screen is your enrollment receipt. If the user reports it never appeared, the device did not enroll via ADE — it enrolled (or did not enroll) via a user-initiated path. Check the enrollment type in Devices > device detail > Enrollment type.
Platform SSO registration is not automatic — it needs a user action once. Design your onboarding email and your IT orientation script around this step. Users who skip or dismiss Company Portal will not have SSO and will fail Conditional Access policies that require a compliant device with a registered SSO credential.
FileVault deferred enable is not "enabled." Until the user logs in and the escrow completes, the compliance policy will mark the device non-compliant. Build your compliance grace period (typically 12–24 hours) to account for the time between enrollment and first login.
"Awaiting Configuration" is your best tool for a consistent experience. Enabling it on the ADE profile means critical profiles (SSO extension, restrictions) land before the user can open a browser and start fighting with Conditional Access before they are ready. The 5-minute default window is enough for most profiles; increase it only if you have a slow-applying profile that matters for security.
Timing expectations prevent helpdesk noise. Tell users in the welcome email: "Your Mac will fully configure itself within 45 minutes of first login. If apps are still missing after an hour, contact IT." That single sentence eliminates a class of tickets.
The pre-flight before you hand Mac ADE to the business.
Everything you configured over the preceding steps — ADE profile, Platform SSO, FileVault, apps, baseline, compliance, DDM updates — is only as good as the state it's in on launch day. This checklist is the final gate an engineer runs before the first production Mac ships. Work through it top to bottom; each item that isn't green is a problem that will surface as a user ticket instead of a config fix.
The macOS deployment has more moving parts than Windows Autopilot because Apple's connector layer (APNs, ABM token) and the Platform SSO registration sit outside the normal Intune policy pipeline. Missing any of them produces silent failures that only appear during enrollment — often on the new hire's desk, not yours.
Console pathDevices > Enrollment > Apple > Enrollment program tokens
RequiresIntune Plan 1, ABM org, MDM Push Certificate, ADE token in sync
GotchaAPNs certificate and ABM token expire independently — calendar both
Infrastructure Prerequisites
APNs certificate — check expiry and subject. Navigate to Tenant administration > Connectors and tokens > Apple MDM Push certificate. Confirm status is Active and expiry is > 30 days out. If the cert was renewed with a different Apple ID than it was created with, it's already broken — the subject must match end-to-end. Calendar the renewal for 30 days before the annual expiry.
ABM enrollment program token — sync and expiry.Devices > Enrollment > Apple > Enrollment program tokens. Token status should show Active. Hit Sync and confirm serials flow through. Token lifetime is one year from creation in ABM; calendar it independently from APNs.
ABM device assignment is pointing to your MDM. In Apple Business Manager, confirm the MDM Server assignment for your device batch matches this Intune tenant — not a previous MDM or an accidental "None". Devices assigned to the wrong MDM server will boot to Setup Assistant without the Remote Management screen appearing.
ADE Profile and Enrollment Readiness
ADE profile is assigned to serials and locked. In the enrollment program token, open the macOS profile. Confirm Locked enrollment is On (prevents MDM removal), Supervised is on (it always is for ADE), and the profile is assigned to the device group or serial range going live. Unassigned serials enroll as non-supervised user-approved enrollment — there is no warning.
Setup Assistant pane skips are correct. Walk through the Setup Assistant skip list. Items like Accessibility, Appearance, and iCloud sign-in should be skipped for a corporate build. Terms and Conditions is almost always skipped since your acceptable-use policy lands through another mechanism. If you're showing Remote Management, leave it visible — it gives users context.
Local account strategy matches your design. The Account settings in the ADE profile (administrator vs standard, user-creates vs pre-created, skip user creation) should align with your Platform SSO design. If you're using Platform SSO Secure Enclave mode, the local account does not need to share the Entra password — confirm the setup reflects that.
Pilot enrollment validated end-to-end. At least two Macs from the pilot group must have enrolled in the last 48 hours with all of: Remote Management screen appeared, local account created, Company Portal installed, Platform SSO registration completed, FileVault encrypted, and MDM profile shows Non-removable in System Settings > Privacy & Security > Profiles.
Platform SSO and Identity
Platform SSO profile is deployed and registration is confirmed. Check that the Enterprise SSO extension profile has reached all pilot devices (Devices > select device > Configuration — profile should show Succeeded). On the device, the login window (or the Company Portal prompt) should have shown a "Register" step. Confirm the Entra object for the device shows a compliant registration.
Authentication method matches your security posture. If you deployed Secure Enclave mode, confirm users cannot bypass it by falling back to password — the SSO profile must set AuthenticationMethod to UserSecureEnclaveKey and not include a password fallback unless that is deliberate policy. See Platform SSO with Entra ID for the exact keys.
FileVault and Escrow
Pilot devices show keys escrowed in Intune.Devices > select a pilot device > Recovery keys. Each device should show a personal recovery key. If the key is absent, FileVault may be enabled locally but the escrow step failed — which means you have encrypted disks you cannot recover. Do not go live with any device in this state.
Compliance policy requires FileVault. The macOS compliance policy under Devices > Compliance should list Require FileVault disk encryption as a required setting. If it is not there, devices that suppress FileVault (users can do this if deferred enablement is the mechanism) will report compliant anyway. See Compliance and Conditional Access for the full policy build.
"Enabled but not escrowed" devices are zero. Query via Graph (GET /deviceManagement/managedDevices?$filter=operatingSystem eq 'macOS'&$select=deviceName,isEncrypted,fileVaultKey) or the Intune Encryption report under Devices > Monitor > Encryption report. Green = encrypted with key. Any device that shows encrypted but no key is a gap.
Baseline and Apps
Baseline profiles show Succeeded on pilot devices. Every profile in the macOS baseline (restrictions, Gatekeeper, firewall, PPPC pre-approvals, password policy) should be in Succeeded state for pilot devices. A profile in Error or Conflict state on day one means the device is not hardened as intended.
PPPC approvals are deployed for all security and management tools. If you're running Defender for Endpoint or any EDR, the PPPC profile granting Full Disk Access must be on the device before (or simultaneously with) the app — not after. Verify via Devices > device > Configuration that the PPPC profile shows Succeeded and the app is not prompting users for privacy permissions.
Day-one apps are installed. Microsoft 365, Edge, Company Portal, Defender — check the App installation status for each against the pilot group. Required apps should be at 100% install for succeeded devices. Pending after 24 hours usually means the device hasn't checked in or there's a pkg distribution issue.
System extensions and kernel extensions (if any) are pre-approved. Defender and some EDR agents require a system extension approval payload. If it's absent, the user gets a prompt on first launch that admin credentials cannot satisfy remotely.
Compliance and Conditional Access
Step 1Compliance in report-onlyValidate which devices would be noncompliant before enforcement
Step 2CA in report-onlyConfirm the CA policy would block correctly, check for break-glass exclusions
Step 3Enforce complianceSet noncompliant grace period to 7 days minimum before first enforcement
Step 4Enforce CAEnable after compliance is stable; exclude break-glass account explicitly
Conditional Access has a break-glass exclusion. Confirm that at least one emergency-access account is excluded from the "Require compliant device" CA policy before you enforce it. Locking out all admins because a compliance policy has a bug is a recoverable situation, but it's not one you want to debug at 11 PM.
Grace period is set. The compliance policy's Mark device noncompliant action should have a grace period of at least 7 days for the first rollout. This gives newly enrolled devices time to finish all policy application before enforcement kicks in.
Software Updates
DDM update policy has a sane enforced deadline. The managed software update DDM policy should specify a target minimum macOS version and a deadline. A deadline of 1–3 days is appropriate for security patches; 14–30 days for major version upgrades. Confirm the policy is assigned to the correct device group and shows Succeeded on pilot devices under Devices > Configuration.
Compliance OS floor matches your DDM target. If the compliance policy requires macOS 14.5 and your DDM policy targets 14.6, there is a window where devices are noncompliant through no fault of their own. Align them before go-live.
Recovery Runbook and Rollback Levers
Re-enrollment and wipe procedure is documented. Every engineer on the team should know: where to find FileVault recovery keys, how to initiate a remote wipe, what happens to a device after Retire vs Wipe, and how to re-enroll a Mac that was wiped. The Re-Enrollment and Recovery page is your starting point; create a team runbook with your tenant-specific details.
Stolen-Mac playbook is reviewed. Confirm the team knows the escalation path for a lost or stolen Mac — particularly: revoke tokens in Entra, lock with Remote Lock (if online), initiate Wipe, and confirm escrow key is rotated. See Stolen-Mac Playbook for the full sequence.
A rollback group is ready. Create an Entra group called something like mac-deployment-exclude and exclude it from the ADE profile assignment and key compliance/CA policies. If a systematic issue appears post-launch, you can move affected devices or a subset here to stop the bleeding while you fix the root cause.
Do
Validate APNs and ABM token status on the day of go-live, not the day before
Confirm FileVault escrow for every pilot device before broadening scope
Run Conditional Access in report-only for at least a week before enforcing
Test the full enrollment flow on a device you wiped yourself, not one IT pre-configured
Document renewal dates for APNs and ABM token in a shared calendar with 30-day advance alerts
Keep Platform SSO and Company Portal at current versions before go-live — stale versions produce cryptic registration failures
Don't
Don't go live with any device showing FileVault enabled but no key escrowed
Don't skip the PPPC payload for security tools — fix it before the agent ships, not after
Don't set a 1-day noncompliance grace period for the first production rollout
Don't enroll production serials without first confirming they're assigned to the correct MDM server in ABM
Don't rely on the user to complete Platform SSO registration without a clear, tested user communication
Don't forget a break-glass exclusion in your Conditional Access "Require compliant device" policy
Insights
The two connector expiries are your top silent-failure risk. The APNs certificate and the ABM enrollment token expire on separate schedules, often months apart. Either one expiring silently means new enrollments stop working with no obvious error in the admin console — just a Mac that doesn't get the Remote Management screen. Calendar both independently.
FileVault "enabled but no key" is a latent incident. Deferred FileVault enablement lets a user enable encryption at first login without the escrow step completing if policy hasn't applied in time. Run the Encryption report weekly for the first month post-launch and remediate any device with encryption but no key.
Platform SSO registration is user-initiated — plan the communication. Unlike MDM policy, SSO registration requires the user to click through a prompt. If your comms don't set that expectation, half your users will dismiss it, and you'll have a fleet of Macs that are MDM-managed but not Entra SSO-registered. Time the registration prompt to coincide with a moment the user is expecting it (e.g., at first Company Portal launch after setup).
PPPC is the most common reason security tools partially work. Defender with Full Disk Access missing runs in a degraded mode — it tells you it's healthy but can't scan all files. Ship the PPPC payload in the same assignment group as the app, not as a follow-on profile.
ADE serial assignment is a point-in-time operation. Devices must be in ABM and assigned to the MDM server before they boot for the first time (or after a wipe). Buying a new batch and forgetting to assign them to MDM in ABM means the first-boot user gets a consumer Setup Assistant, not your corporate one.
Bring the community Mac baseline into your tenant as Settings Catalog and custom profiles.
The IntuneNerds macOS baseline is a set of pre-built, field-tested profiles covering OS restrictions, privacy permissions, Gatekeeper posture, the application firewall, password policy, and software update enforcement. Unlike Windows, where the Settings Catalog handles nearly everything, Mac baseline profiles split across two types: Settings Catalog profiles for settings Apple has exposed natively in Intune, and custom .mobileconfig payloads (deployed as custom profiles) for everything that still requires a raw configuration profile payload. The import mechanics differ for each — this page covers both.
If you are landing the baseline as part of a first Mac deployment, read Deploy the Configuration Baseline for the full operational context. This page focuses on the import mechanics, what each profile contains, how to reconcile the baseline against CIS Benchmarks and mSCP, and how to scope to a pilot before promoting fleet-wide. The review-before-deploy rule applies here exactly as it does on Windows: no community baseline knows your LOB app stack.
RequiresIntune P1 (M365 E3/E5 or EMS E3/E5); ADE/supervised devices for full restriction enforcement
GotchaCustom .mobileconfig profiles cannot be imported via the portal JSON importer — they must be uploaded as signed or unsigned payload files through the Custom profile path
What the Baseline Contains
The Mac baseline ships as discrete profiles, keeping each domain separately reportable and independently tunable. Where a setting is available in the Settings Catalog, the baseline uses it — that gives you native per-setting reporting. Where it is not, the baseline ships a .mobileconfig with the appropriate payload keys.
Privacy Preferences Policy Control grants for management tooling and security agents — Full Disk Access, Accessibility, Screen Recording for approved identifiers
Gatekeeper & XProtect
Settings Catalog
Gatekeeper assessment policy (App Store and identified developers), notarization requirement, and Quarantine flag enforcement
Application Firewall
Custom (.mobileconfig)
Enable firewall, block all incoming connections except signed software, stealth mode — via the com.apple.security.firewall payload
Password Policy
Settings Catalog
Minimum length (12), complexity, maximum age, failed-attempt lockout, and screensaver idle timeout
Software Update
Settings Catalog (DDM)
Managed software update with enforced deadline, target OS version floor, and rapid security response enablement
PPPC payloads must be signed for production
The PPPC .mobileconfig that ships with the baseline is unsigned for review purposes. Before deploying to production, sign it with your Apple Developer or MDM signing certificate, or leave it unsigned and accept that macOS will display an "unverified" indicator — which is fine for MDM-delivered profiles but worth knowing about.
Import Methods
Settings Catalog profiles use the same JSON import path as Windows. Custom .mobileconfig profiles have a different upload path. Do both in the same session so all baseline profiles exist in your tenant before you assign any of them.
Settings Catalog Profiles (JSON Import)
Download the baseline JSON files from IntuneNerds. Each Settings Catalog profile ships as a separate .json export file.
Navigate toDevices > macOS > Configuration. Click Import next to the Create button.
Select the JSON file for one profile. Intune pre-populates the profile name and all settings. Do not assign — click through to Review + create, verify the setting count, then Create.
Repeat for each Settings Catalog profile in the baseline set (Restrictions, Gatekeeper, Password, Software Update). Import all before assigning any.
Rename each profile to include an environment tag and version: MAC-Baseline-Restrictions-v1-Pilot. The name carries over from the JSON — make it identifiable in your tenant's growing profile list.
Name the profile following your baseline naming convention: MAC-Baseline-PPPC-v1-Pilot, MAC-Baseline-Firewall-v1-Pilot.
Upload the .mobileconfig file. Intune accepts unsigned payloads — it wraps the delivery in its own MDM signing envelope. Verify the payload identifier shown in the UI matches what you expect (e.g., com.intuneNerds.pppc).
Do not assign yet. Finish creating the profile and move to the next one. All profiles — both JSON-imported and custom-uploaded — should exist in the tenant before you run a single assignment.
Graph API Import (Scripted, Settings Catalog Only)
For scripted or CI/CD import of the Settings Catalog profiles, use POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies with DeviceManagementConfiguration.ReadWrite.All scope. The beta endpoint is required — Settings Catalog policies are not fully surfaced on v1.0. Custom .mobileconfig profiles use a different endpoint: POST /deviceManagement/deviceConfigurations with the @odata.type set to #microsoft.graph.macOSCustomConfiguration, and the payload base64-encoded in the payload field. See the Custom Configuration Profiles snippet page for ready-to-use Graph calls.
Import does not check for conflicts or duplicates
Intune accepts any import silently. If you already have a PPPC payload deployed from a prior MDM migration, uploading a second one does not replace it — both apply, and the device sees both payloads. PPPC grants are additive, but check for collisions.
Do not use import as an update mechanism for existing profiles. To update a Settings Catalog profile, edit it in-place. To update a custom .mobileconfig, upload a new version of the file to the existing profile record — do not create a new profile and leave the old one assigned.
Review Before You Deploy
The baseline is designed for a standard supervised Mac fleet. Before assigning to any real group, open every imported profile and walk through the settings with your environment in mind. Developer Macs may need Gatekeeper set to a less restrictive posture. PPPC grants that work for Defender for Endpoint may conflict with a different EDR if you are mid-migration. Software update deadlines may need adjusting if your fleet has an OS validation window before upgrades.
Step 1Review every profile settingDevices > macOS > Configuration — open each imported profile and check every setting group, not just the ones you expect to change
Step 2Cross-reference against mSCP / CISIf your org runs the macOS Security Compliance Project or a CIS benchmark, flag any setting the baseline sets differently and document the deviation
Step 3Audit PPPC identifiersVerify each app bundle ID and code requirement in the PPPC payload matches the exact version of the tool you deploy — a code requirement mismatch silently denies access
Step 4Document every deviationRecord the payload key, original value, your value, and the reason — this is your audit evidence for compliance and for future baseline upgrades
Reconciling Against CIS and mSCP
Many Mac teams run the macOS Security Compliance Project (mSCP) or a CIS Level 1/2 benchmark as their authority. The IntuneNerds baseline is not a CIS clone — it is pragmatic rather than exhaustive, and it deliberately omits settings that cause significant user experience or app compatibility pain on a corporate fleet. The table below shows where the baseline aligns, diverges, and intentionally defers.
Control area
Baseline stance
CIS/mSCP note
Gatekeeper — App Store + identified developers
✅ Enforced
Matches CIS Level 1. App Store only (stricter) breaks too many internal tools.
Application firewall + stealth mode
✅ Enforced
Matches CIS Level 1 and mSCP.
Password: minimum 12 chars, complexity
✅ Enforced
Slightly more permissive than CIS Level 2 (15 chars) — adjust if your policy requires it.
FileVault enforcement
❌ Not in this baseline
FileVault is owned by the disk-encryption policy (Endpoint security); duplicating it here causes conflict.
iCloud Drive disabled
❌ Not enforced by default
CIS recommends disabling; the baseline restricts sync without a blanket block — tune per your data classification policy.
Software update — enforced deadline
✅ DDM 30-day deadline
Stricter than most CIS recommendations; deadline is configurable in the profile.
PPPC Full Disk Access for MDM tooling
✅ Pre-approved
Not addressed by CIS/mSCP (org-specific); essential for Defender and any EDR to function.
Scoping to a Pilot Ring
Assign every baseline profile to a pilot Mac group first and let it soak for at least one week before promoting. The pilot should include a cross-section of hardware (Intel and Apple Silicon if you have both), macOS versions, and user personas — not just IT Macs.
Create a pilot device group in Entra ID — a static group is fine for the pilot phase. Name it GRP-Intune-Mac-Baseline-Pilot and add 10–20 representative Macs.
Assign all baseline profiles — both Settings Catalog and custom — to this group with Required intent. Target device groups, not user groups, so policy applies regardless of who is logged in.
Check per-setting status after 24 hours. For Settings Catalog profiles: open the profile > Device and user check-in status > click a pilot device. Look for Succeeded, flag any Conflict or Error. For custom profiles: check the profile status column — custom profiles report at the profile level, not per setting, so an Error means the entire payload failed to install.
Verify PPPC grants in System Settings on a pilot Mac. Navigate to Privacy & Security and confirm that Full Disk Access and any other pre-approved entries appear greyed out (managed, not user-toggleable).
Promote to production by adding your full managed-Mac group to each profile assignment. Keep the pilot group assigned alongside it.
Software update deadline — set expectations first
The baseline ships a 30-day enforced DDM deadline. Users will see a system notification counting down. If your Mac fleet has never had enforced updates, this is a culture change as much as a technical one — communicate before you deploy.
ADE/supervised Macs receive and enforce DDM update commands. User-enrolled Macs without supervision cannot be forced to update by deadline — they receive the prompt but can defer indefinitely.
Insights
Two profile types means two review paths. Engineers who review only the Settings Catalog profiles and forget to inspect the custom .mobileconfig content will miss the PPPC grants — which are the most operationally sensitive part of the baseline on a Defender-managed fleet.
PPPC code requirements expire when apps update. A code requirement string is tied to a specific binary signature. When Microsoft ships a major Defender update, verify that the PPPC payload's code requirement still matches. A stale code requirement silently revokes Full Disk Access.
FileVault does not belong in this baseline. FileVault is configured via the disk-encryption policy under Endpoint security > Disk encryption. Putting FileVault settings in a restrictions profile creates a duplicate-authority situation and unreliable reporting — keep it in its dedicated policy type.
Custom profile errors are opaque. When a .mobileconfig profile shows Error in the portal, the error message is rarely specific. If the PPPC or firewall payload fails, SSH into a pilot Mac and run sudo profiles -P to see which payloads installed and sudo profiles -e <identifier> to examine details. The portal alone is not enough to diagnose custom profile failures.
mSCP and the baseline are complementary, not competing. Use mSCP to establish your compliance requirement, use this baseline as the Intune delivery vehicle, and reconcile the delta. The baseline is the pragmatic starting point; mSCP tells you exactly how far you need to harden beyond it.
Apple Silicon and Intel behave differently on some payloads. Gatekeeper enforcement and System Extensions interact with the Secure Boot architecture on Apple Silicon. Run your pilot with at least one Apple Silicon device — settings that apply cleanly on Intel may require a different PPPC approach or an additional system extension allowlist on M-series hardware.
How to propose changes to the Mac baseline and keep it field-tested.
The macOS baseline is a living document. It starts opinionated and minimal — just the settings that harden every managed Mac without breaking the developer workflows, creative tools, and line-of-business apps that people actually use. Every setting that ships was argued over, validated across both Intel and Apple Silicon, and earned its place. If you've found a gap, tuned a payload in production, or discovered a preference key that solves a real problem more cleanly, the community wants to hear it. This page explains how to propose a change that will actually get merged.
Before diving into the mechanics, see the Feedback page for how to send a proposed change. The macOS-specific notes below cover what to document, how to export profiles, and how the baseline maintainers evaluate Mac submissions — which are more complex than Windows because the Mac baseline mixes Settings Catalog profiles with custom .mobileconfig payloads where the catalog doesn't reach yet.
Min test matrixApple Silicon (M-series) + Intel, macOS 14 Sonoma and 15 Sequoia
GotchaCustom profile keys that don't exist on one chip architecture will silently no-op or error
The Baseline's Guiding Principle
The macOS baseline is deliberately opinionated but minimal. A setting earns inclusion only when it meets all three tests:
Real security or management value. The setting measurably reduces attack surface, enforces a compliance-relevant posture, or prevents a known misconfiguration — not just "mSCP recommends it at medium level."
Broad compatibility. It must not break common Mac workflows: Microsoft 365 for Mac, Xcode and developer toolchains, Adobe Creative Cloud, VPN clients (GlobalProtect, Cisco), and standard printing and USB peripherals. If a setting breaks a common class of user, it belongs in an optional hardening add-on, not the baseline.
Correct payload type. Prefer Settings Catalog when the key is fully supported there. Use a custom .mobileconfig only when the Settings Catalog genuinely does not expose the key, and document why. Never ship a custom payload that duplicates an existing catalog setting.
Additive first
If a setting is high-value but too aggressive for a universal baseline — Gatekeeper set to App Store only, for example — propose it as an optional hardening add-on profile rather than pushing it into the core. The baseline settings overview shows the existing add-on pattern.
Preparing Your Contribution
Step 1Export or extract the profileSettings Catalog: Devices > macOS > Configuration > Export. Custom profile: download the .mobileconfig from the profile blade.
Step 2Document the payload key referenceFor each key, record the full payload type (e.g., com.apple.security.firewall), the key name, the value, and the Apple Configuration Profile Reference or mSCP rule ID.
Step 3Validate across the test matrixMinimum: Apple Silicon Mac (M-series) and Intel Mac, both on a supported macOS release. Note any architecture-specific behavior.
Step 4Open a pull requestSubmit the exported JSON or .mobileconfig diff plus the documentation; link the Apple developer docs or mSCP rule for each key.
What to Include in the Pull Request
The profile export
For Settings Catalog profiles, navigate to Devices > macOS > Configuration, select your profile, and use the Export button. The JSON contains the catalog keys and values in Intune's format. Strip any tenant-specific fields — assignment group GUIDs, scope tag IDs, tenant ID — before committing. For custom .mobileconfig payloads, download the profile from the profile blade, inspect the XML to confirm it contains only the payload keys you intend (Intune sometimes wraps additional metadata), and remove any PayloadUUID or PayloadOrganization values that are tenant-specific. The baseline import page explains the import format expected on the receiving end.
The payload key reference
For every key you add or change, document:
Payload domain. For example, com.apple.MCX, com.apple.security.firewall, or com.apple.applicationaccess. Settings Catalog profiles abstract these, but the underlying domain still matters for conflict analysis.
Key name and accepted values. Include the exact key string and the value type (Boolean, integer, string, array). Ambiguous values — like an integer that only accepts 0, 1, or 2 — should document what each value means in practice.
Apple source reference. Link the Apple Configuration Profile Reference entry, the mSCP rule ID, or the CIS Benchmark section. Don't cite both mSCP and CIS for the same setting without noting where they differ — they frequently do on enforcement level.
Settings Catalog availability. Note whether the key is exposed in the Intune Settings Catalog. If you're using a custom profile because the catalog doesn't support it yet, say so explicitly — this is the most common reason a reviewer will push back and ask for a catalog migration.
The rationale document
One paragraph minimum, covering:
What the setting does. Plain English, not a copy-paste from Apple docs.
Why it belongs in the baseline. Cite the threat model, the compliance framework requirement, or the operational problem it solves.
What you tested it against. List the apps, macOS versions, and hardware you validated. Specifically note whether you tested against Microsoft 365 for Mac, Xcode (if developer machines are in scope), Adobe Creative Cloud, and any VPN or security agent (Defender for Endpoint, Jamf Connect, GlobalProtect), because these are the most common breakage points on Mac.
Known caveats. Does the setting behave differently on Apple Silicon vs Intel? Does it require a specific minimum macOS version? Does it interact with Platform SSO or PPPC pre-approvals?
The Test Matrix
Test scenario
Required
Notes
Apple Silicon Mac (M-series), macOS 14 or 15
✅
Primary architecture for new hardware; some payloads behave differently than Intel
Intel Mac, macOS 13 or 14
✅
Still common in enterprise fleets; Secure Enclave behavior differs from M-series
Microsoft 365 for Mac (Word, Excel, Outlook, Teams)
✅
Most commonly broken app class by restriction payloads
Supervised/ADE enrollment (locked MDM)
✅
Most baseline settings target supervised Macs; test with supervision active
macOS 12 Monterey
❌
Nice to have; approaching end of Apple security support
Xcode / developer toolchain
❌
Flag if your change affects Gatekeeper, SIP, or PPPC — developer orgs will thank you
Adobe Creative Cloud
❌
Heavily affected by PPPC and extension restrictions; test if your change touches privacy payloads
Settings That Will Not Be Merged
Propose these
Settings with clear Apple payload documentation that are off by default and have measurable security value
Settings that fix a known misconfiguration pattern seen in production Mac fleets
Corrections where a current baseline value is overly aggressive and breaks a common Mac workflow
New PPPC pre-approval entries for security tooling that the baseline already ships (Defender, EDR agents)
New profiles scoped as optional hardening add-ons, clearly labeled as not part of the core baseline
Don't propose these
Custom .mobileconfig payloads that duplicate keys already available in the Intune Settings Catalog
Settings that disable or circumvent macOS software update mechanisms — the update baseline and DDM policy cover this correctly
Gatekeeper set to App Store Only in the core baseline — too many enterprise Mac apps are not distributed through the App Store
SIP-disable or kernel extension allowlisting in the core baseline — these are security regressions, not hardening
Settings that break developer workflows (codesigning, notarization checking, Xcode) without a documented mitigation path
Apple Silicon vs Intel differences
Some payload keys that apply on Intel are no-ops on Apple Silicon (particularly T2-era disk encryption keys and some kernel extension payloads).
Apple Silicon Macs use a different Secure Enclave architecture that affects Platform SSO and FileVault behavior — test any encryption or authentication-adjacent setting on both chip families.
Document explicitly in your PR whether you tested on both architectures and what the behavior difference is, if any. Reviewers will not assume parity.
Insights
The most common rejection reason is "catalog exists but you used a custom profile." Before writing a .mobileconfig, check the Intune Settings Catalog for macOS — Microsoft has been adding keys steadily, and reviewers will send you back to redo it in catalog form if it's already there.
mSCP rule IDs are not pass-through approvals. The macOS Security Compliance Project is a valuable reference, but its recommendations target specific compliance frameworks (NIST, CNSSI) at levels that may be too aggressive for a universal enterprise baseline. Cite the rule, then justify why it fits a broad fleet.
PPPC changes are the most likely to generate support tickets. A PPPC entry that grants access too broadly is a security regression; one that's too narrow breaks the tool silently and generates Finder permission prompts at the worst moment. Test with the target app running under a non-admin user account.
Removal proposals need a concrete incident, not a complaint. If you're proposing to drop a setting because it breaks something, provide the app name, version, macOS version, the error or behavior, and ideally a Console log excerpt. Vague "breaks developer workflows" doesn't move.
Check the full settings overview before proposing. The gap you want to fill may already exist in an add-on profile, or may have been deliberately excluded with a documented reason.
Platform SSO interactions need explicit documentation. Several baseline payload domains intersect with the Enterprise SSO extension and Secure Enclave key material. If your change touches authentication, credential storage, or the login experience, note the Platform SSO interaction or risk a revert when it breaks SSO registration on first boot.
The full Mac baseline at a glance — every profile and what it does.
The macOS baseline is not a single monolithic profile — it is a small, intentional stack of profiles, each managing a distinct concern. This page maps every profile in the community baseline: what it manages, which delivery mechanism it uses (Settings Catalog vs custom .mobileconfig), the payload or CSP involved, and where to go for the deep-dive. Use this as your index when you need to understand what changed, what to tune, or what to omit for a specific fleet.
The baseline is designed to be opinionated-but-minimal. Every setting included has a documented rationale tied to real attack surface or operational hygiene. Nothing is in here because a compliance framework checkbox demanded it without a supporting use case. Before deploying to production, import the baseline into a pilot group and reconcile it against your own risk posture.
Applies tomacOS, ADE-supervised devices
Console pathDevices > macOS > Configuration
RequiresIntune Plan 1 (E3/M365 Business Premium minimum)
GotchaCustom .mobileconfig profiles require manual re-signing if you edit the payload XML — never edit raw XML and upload unsigned
Profile Map
The baseline ships as a set of named profiles. The table below covers each one: its delivery type, the primary payload domain or CSP key, and a summary of what it enforces. Click through to each deep-dive page for the full setting-by-setting breakdown and the rationale for every choice.
Blocks iCloud Drive backup, AirDrop to non-contacts, Siri, screen capture by unauthorized apps, and enforces App Store restrictions. See Restrictions and Privacy Baseline.
PPPC Pre-Approvals
Custom Profile (.mobileconfig)
com.apple.TCC.configuration-profile-policy
Grants Full Disk Access to Defender for Endpoint / EDR agent, accessibility to management tools, screen recording to authorized apps — silently, before the user is prompted. Required for security tooling to function correctly.
FileVault
Settings Catalog (Disk Encryption policy)
FileVault / com.apple.MCX
Enforces FileVault 2 with deferred enablement at next login, personal recovery key escrowed to Intune, key hidden from the user. See FileVault and Security Baseline.
Sets Gatekeeper to allow apps from identified developers only (no unnotarized unsigned binaries), keeps XProtect and MRT auto-updated. See Gatekeeper and XProtect.
Application Firewall
Custom Profile (.mobileconfig)
com.apple.security.firewall
Enables the macOS application-layer firewall, enables stealth mode, blocks all incoming connections not explicitly permitted. The network-level firewall is separate from any endpoint security filter.
Password Policy
Settings Catalog
com.apple.mobiledevice.passwordpolicy
Enforces minimum password length (12 chars), complexity (mixed characters), maximum password age (180 days), history (5), and screen-lock timeout (5 minutes) with a grace period of 5 minutes before credential re-entry.
Software Update (DDM)
Settings Catalog (DDM policy)
Declarative softwareupdate configuration
Sets managed software update deadlines: patch Tuesday + 14 days for security updates, 30 days for major OS versions. Enforced countdown visible to the user. See Software Update Baseline.
Login Window & Banner
Settings Catalog
com.apple.loginwindow
Disables the user list at the login window (shows name-and-password fields only), shows a policy banner (legal notice), disables guest account, disables fast user switching where that would expose managed sessions.
System Extension Approvals
Custom Profile (.mobileconfig)
com.apple.system-extension-policy
Pre-approves the system extensions for Defender for Endpoint, any deployed EDR or DLP agent, and the Enterprise SSO extension (used by Platform SSO). Without this profile the user sees a prompt and the extension is blocked until approved.
Settings Catalog vs Custom Profile
Prefer Settings Catalog for any setting that appears there — it gives per-setting reporting and conflict detection. Drop to a custom .mobileconfig only for payloads not yet surfaced in the Catalog (PPPC, application firewall, system extensions). The boundary shifts with each Intune release, so re-check before building new custom profiles.
Profile Groups at a Glance
Group 1Restrictions & PrivacyiCloud, AirDrop, app controls, and PPPC pre-approvals for management tooling
Group 2FileVault & SecurityDisk encryption with escrow, Gatekeeper, application firewall, SIP expectations
Group 3Update & IdentityDDM-enforced update deadlines, password policy, login-window hardening
Group 4Tooling EnablementSystem extension and network extension approvals that security tools require to function
What the Baseline Does Not Include
The baseline is intentionally scoped. The following are real controls that intentionally ship separately or are not included at all:
Deployed as a separate app/script; PPPC + system extension approvals are in the baseline
CIS Level 2 / mSCP high-security rules
❌
Deliberately excluded; they commonly break developer workflows and LOB apps
Wi-Fi and VPN configuration
❌
Tenant-specific — deploy separately via certificate + Wi-Fi/VPN profiles
Compliance policy
❌
Not a configuration profile; set in Devices > macOS > Compliance policies
Profile Conflicts to Watch
Deploying a second password-policy profile from another source (e.g., a legacy MDM migration profile) will conflict — the most restrictive value wins, but the conflict shows as an error in per-setting reporting.
Gatekeeper settings pushed by multiple profiles (Settings Catalog + a legacy custom profile) create a redundancy that is not harmful but is confusing. Consolidate to one source.
PPPC and system-extension profiles are sensitive to team identifiers and bundle IDs — an incorrect entry silently does nothing while the user still gets prompted.
Scoping and Assignment
Assign all baseline profiles to an Entra device group (not a user group). Mac config profiles are device-scoped. Use a staged rollout: pilot group first, validate per-setting reporting at Devices > macOS > Configuration > the profile > Device status, then broaden. The FileVault and Security Baseline page details how to confirm FileVault key escrow separately from the profile success state — a profile can report success while the key is not yet escrowed if the user has not logged out since enrollment.
Insights
Per-setting status is your audit trail. Every Settings Catalog profile shows which specific setting is in conflict or error per device — use this before opening a support ticket. Custom profiles only show profile-level success/failure, not which key failed.
PPPC profiles need to ship before the app they approve. If Defender for Endpoint installs before the PPPC payload lands, the user gets a Full Disk Access prompt. Order of operations matters; assign the baseline before deploying security apps.
The DDM software update policy has no "defer silently" option. Unlike legacy SoftwareUpdate restriction keys, DDM shows the user a timer. Set deadlines that give users enough runway to not feel ambushed — 14 days for patches is the field-tested minimum that also satisfies most audit requirements.
Custom profiles survive enrollment wipes; Settings Catalog profiles do not need re-signing. If you need to update a PPPC entry, regenerate the .mobileconfig, sign it with your cert, and upload a new version — do not edit the XML in place in the Intune console.
The login-window "list of users" setting is a security control, not a cosmetic one. Showing the user list gives an attacker a valid username for brute-force. Disable it on any Mac that could be accessed in a shared space or left unattended.
The sensible restriction set and the PPPC pre-approvals every managed Mac needs.
Restrictions and PPPC privacy permissions are the two most impactful — and most underestimated — layers of a macOS baseline. Restrictions lock down OS-level behaviors (iCloud data exfiltration, AirDrop, Siri cloud queries, and screenshot recording by untrusted apps) that users rarely notice until they're gone. PPPC pre-approvals go the other direction: they silently grant specific system access to your management and security tooling so that Defender for Endpoint can see every file on the drive, your EDR can load its kernel extension, and your endpoint agent isn't ambushed by a user-visible consent dialog on day one. Get both layers right and the device is both locked down and fully instrumented.
Both halves ship as separate configuration profiles in the baseline — a Settings Catalog restrictions profile and one or more custom PPPC payloads (com.apple.TCC.configuration-profile-policy) delivered as custom configuration profiles. Settings Catalog and custom profiles on Mac covers the mechanics of deploying each type. Here we focus on which settings belong in each and exactly why.
Applies tomacOS 12 Monterey and later (PPPC requires supervision)
GotchaPPPC grants only work from MDM — user cannot override; wrong bundle ID silently fails
Restrictions: What the Baseline Sets and Why
The baseline restrictions profile is built in Devices > macOS > Configuration > Create > Settings Catalog. All settings below live under the Restrictions payload group unless noted.
Setting
Baseline value
Rationale / UX cost
Allow iCloud Desktop & Documents
❌ Disabled
Prevents corporate files syncing to personal iCloud. Users must use OneDrive KFM instead. High friction if announced late.
Allow iCloud Keychain
❌ Disabled
Forces credential storage into managed password vaults (Entra passkeys, 1Password for Business). Personal iCloud Keychain sync blocked.
Allow iCloud Mail / Contacts / Calendars
❌ Disabled
Prevents personal Apple Mail accounts syncing corporate-adjacent data. Entra/Exchange accounts are unaffected.
Allow AirDrop
❌ Disabled
Eliminates a direct file-exfiltration path. Zero UX cost on corporate-only hardware; significant cost on developer/power-user Macs — evaluate before deploying broadly.
Allow Siri
❌ Disabled
Prevents utterances from being processed by Apple cloud. Siri processes text on-device for basic queries but sends context to Apple for complex requests. High privacy posture requires disabling.
Allow Spotlight Internet Results
❌ Disabled
Stops Spotlight from sending search queries to Apple and Bing. Local file/app search still works.
Allow Screenshot
✅ Enabled
Keep enabled — disabling breaks too many legitimate workflows (screen sharing, documentation). Screen-recording access for specific apps is controlled via PPPC, not this setting.
Allow Game Center
❌ Disabled
Removes a non-work Apple account sync surface. Negligible UX cost on corporate devices.
Allow Wallet
❌ Disabled
Blocks Apple Pay and pass storage on managed Macs. Appropriate for corporate fleet; review for devices in hands of field sales.
Stage iCloud restrictions separately
Deploy iCloud restrictions in a second wave, after users have had time to migrate data to OneDrive. Surprise-disabling iCloud Desktop & Documents on a Mac that has 40 GB synced there will cause immediate helpdesk calls.
PPPC Pre-Approvals: Keeping Tools Silent
Privacy Preferences Policy Control (PPPC) is the MDM mechanism that grants or denies system-level access to apps without user interaction — or, critically, that silently approves access so tools get what they need without prompting the user. Every managed Mac fleet needs PPPC payloads for its security and management stack. See the PPPC deep-dive for payload syntax and how to extract the values from an app bundle.
The baseline ships PPPC grants for the following common tooling. Adjust bundle IDs and team IDs to match the exact versions you've deployed.
Full Disk Access (SystemPolicyAllFiles)
Full Disk Access is the most consequential PPPC grant. Without it, Defender for Endpoint cannot scan files in user home directories and protected system paths, and most EDR/DLP agents cannot read the file system. Grant it with Allowed and StaticCode code requirement to the following:
Microsoft Defender for Endpoint — com.microsoft.wdav, team ID UBF8T346G9
Microsoft Defender for Endpoint (helper) — com.microsoft.wdav.epsext, team ID UBF8T346G9
Microsoft AutoUpdate — com.microsoft.autoupdate2, team ID UBF8T346G9
Intune Management Agent — com.microsoft.intune.agent, team ID UBF8T346G9 (required for shell-script execution)
Any third-party EDR/DLP agent installed in your environment (CrowdStrike, SentinelOne, etc.)
Accessibility (Accessibility)
Accessibility access lets assistive automation tools control the UI. Grant it to your endpoint management agent if it drives UI workflows, and to any IT-support remote-assist tooling (e.g., TeamViewer, Splashtop).
Screen Recording (ScreenCapture)
Screen recording access is required for remote-support tools that mirror the display. Grant it to any agent that does screen sharing or screenshot capture as part of its support workflow. Do not grant it broadly — only to explicitly approved tools.
System Extension / Kernel Extension Approvals
System extensions (and legacy KEXTs on older macOS) require a separate payload: com.apple.system-extension-policy (for system extensions) and com.apple.syspolicy.kernel-extension-policy (for KEXTs). Include these in the PPPC profile bundle or as a separate custom profile. Defender for Endpoint's network extension (com.microsoft.wdav.netext) and endpoint security extension (com.microsoft.wdav.epsext) both require system extension approval. Without this, the user is prompted at first launch and Defender cannot start its real-time protection engine.
Wrong bundle ID = silent failure
PPPC grants with a mismatched bundle ID or team ID are silently ignored — no error in Intune, no user prompt, the app just does not get access.
Always verify with codesign -dv --entitlements - /path/to/app and cross-check the team ID against what Intune reports post-assignment.
App updates can change the bundle ID sub-path; re-verify after major version upgrades, especially for third-party EDR agents.
Building and Deploying the Profiles
Step 1Build the restrictions profileSettings Catalog > Restrictions payload; assign to device group, not user group
Step 2Build the PPPC custom profileUpload the signed .mobileconfig with com.apple.TCC.configuration-profile-policy payload
Step 3Pilot ring firstAssign to a 10-device pilot group; verify Defender FDA and no unexpected prompts
Step 4Broaden assignmentSwap assignment to the full managed-Mac device group; monitor profile status in per-device reporting
Create the restrictions profile. Navigate to Devices > macOS > Configuration > Create > New policy > Settings catalog. Search for each setting name listed above and set the value. Name the profile macOS-Baseline-Restrictions-v1 and assign it to your macOS device group.
Prepare the PPPC .mobileconfig. Author the XML payload manually or use a tool like ProfileCreator. The key payload type is com.apple.TCC.configuration-profile-policy. Each entry requires: Identifier (bundle ID), IdentifierType (bundleID), CodeRequirement (from codesign output), Allowed (true), and the service key (e.g., SystemPolicyAllFiles). Sign the profile if your pipeline requires it.
Upload as a custom profile. Go to Devices > macOS > Configuration > Create > New policy > Templates > Custom. Upload the .mobileconfig. Assign to the same device group.
Verify on a pilot device. On the Mac, run sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "SELECT client, auth_value FROM access WHERE service='kTCCServiceSystemPolicyAllFiles';" to confirm Defender (and any other tools) appear with auth_value = 2 (allowed). Absence means the PPPC payload didn't apply — check the profile status in Intune.
Do
Assign restriction and PPPC profiles to device groups, not user groups — PPPC must apply at enrollment before any user logs in
Pre-approve Full Disk Access for all security tooling before deploying that tooling
Communicate iCloud restriction changes to users at least two weeks in advance
Verify PPPC grants on a test Mac with the TCC database query above before broad rollout
Keep a version number in the profile name so you can track drift
Don't
Don't deploy iCloud and AirDrop restrictions simultaneously to a fleet that hasn't been warned — the helpdesk call volume is predictable
Don't grant Full Disk Access to every installed app "just in case" — scope PPPC grants to only the tools that require system-level file access
Don't forget system extension approvals for Defender's network and endpoint security extensions — FDA without system extension approval leaves real-time protection off
Don't use a PPPC payload built for one macOS version and forget to revalidate on major OS upgrades
Insights
PPPC is your most operationally fragile baseline component. A wrong team ID silently breaks your EDR on every new Mac that enrolls; you only discover it when a scan audit shows no events from those devices. Automate a validation script that runs post-enrollment and alerts if Full Disk Access is missing.
iCloud Desktop & Documents is the most impactful restriction for data governance. On unmanaged Macs, files land in iCloud by default. This restriction is the single biggest data-residency win the baseline delivers — but it requires a credible OneDrive KFM story before you flip the switch.
AirDrop blocking is a content-type mismatch on developer Macs. Engineers who use AirDrop to move builds between personal devices will be unhappy. Consider an exception group scoped to a developer OU rather than blanket-blocking, and document the decision in your runbook.
Restrictions alone don't stop a determined user on a non-supervised Mac. PPPC and most restriction payloads require supervision (ADE enrollment). User-approved MDM enrollment cannot enforce these controls — if your fleet has any BYOD or user-enrolled Macs, they need a separate, lighter policy set. The Mac Restrictions Cookbook documents which settings require supervision.
Screen recording PPPC is often the last pre-approval engineers remember. Remote support calls fail silently when the support agent can't mirror the screen because the PPPC grant wasn't in the baseline. Add your remote-assist tool's bundle ID to the PPPC profile on day one. See the iCloud and Apple Account Controls page for the broader Apple account surface this baseline also addresses.
Encryption, Gatekeeper, firewall, and the security posture the baseline enforces.
The security half of the macOS baseline is the part that actually keeps data safe when a Mac walks out the door — or when a careless user runs something they shouldn't have. FileVault, Gatekeeper, the application firewall, and system-integrity expectations are four distinct controls, each configured in a different place, yet they must align with each other and with your compliance policy to do their jobs. This page documents the exact settings the IntuneNerds baseline deploys for each, why each value was chosen, and where the corresponding deep-dives live.
If you haven't imported the baseline yet, start at Importing the macOS Baseline first. Everything here assumes you're working with profiles already in your tenant and are deciding whether to adopt, tune, or override individual settings.
Applies tomacOS 13 Ventura and later (supervised, ADE)
RequiresIntune P1 / Microsoft 365 Business Premium or higher
GotchaFileVault enabled but key not escrowed — Intune reports encrypted; compliance still fails
FileVault Enforcement and Key Escrow
The baseline enforces FileVault via the Intune disk-encryption policy, not a custom profile. Navigate to Endpoint security > Disk encryption > Create policy (platform: macOS, profile: FileVault). The baseline ships with these settings locked in:
Setting
Baseline value
Why
Enable FileVault
Yes
Non-negotiable — disk encryption is the primary data-at-rest control
Recovery key type
Personal recovery key
Institutional keys require a server-side certificate; personal keys escrow to Intune automatically
Escrow location description
Your IT helpdesk name
Shown to the user at the key-display prompt — set something meaningful
Number of times allowed to bypass
0
Forces enable at the next login, no "ask me later" loop
Hide recovery key
Yes
Prevents the user from photographing or distributing the key; Intune is the single source of truth
Disable recovery key rotation
No (rotation enabled)
Rotate after escrow to ensure the stored key is current
The "enabled but not escrowed" trap
A Mac enrolled before the FileVault policy arrived may already be user-encrypted with a personal key that never reached Intune.
Intune reports Encrypted: Yes in the device blade — but the Recovery keys tab is empty.
The compliance policy must check Require FileVault AND the escrow state must be verified separately. Check the FileVault deep-dive for the Graph query that audits escrow health across the fleet.
Deferred enablement at next login is the only practical flow for ADE Macs with local accounts. The user sees a prompt at first login after the policy lands; with bypass set to 0 they cannot dismiss it. FileVault encrypts in the background — the Mac is usable immediately. Full disk pass completes in 10–30 minutes depending on storage size and whether the chip has AES acceleration (Apple Silicon always does).
Gatekeeper and XProtect Posture
Gatekeeper is macOS's app-origin enforcement — it determines which apps are allowed to run based on how they were signed and notarized. The baseline sets this via a Settings Catalog profile:
Setting
Baseline value
Notes
Gatekeeper: Allow apps from
App Store and identified developers
Blocks unsigned apps entirely; notarization is checked for apps downloaded outside the App Store
Allow override (right-click Open)
Disabled (DisableOverride = true)
Prevents users from bypassing Gatekeeper on a per-app basis — critical for high-assurance environments
XProtect updates
Not explicitly configured
XProtect updates ship via macOS Rapid Security Response and are outside MDM control; ensure DDM update policy keeps macOS current
Notarization vs signing
A signed app that has never been submitted to Apple for notarization will be blocked by Gatekeeper on macOS 15+. If an internal or vendor app triggers Gatekeeper blocks after a macOS upgrade, check notarization status first with spctl --assess --verbose /Applications/AppName.app before adding PPPC exceptions or disabling Gatekeeper checks.
For the full Gatekeeper + XProtect configuration story — including runtime protection, malware removal, and the XProtect Behavioral Service introduced in macOS 14 — see the Gatekeeper and XProtect deep-dive.
Application Firewall and Network Content Filters
macOS has two distinct firewall layers. The baseline enables the application firewall (also called the "socket filter" or ALF — Application Layer Firewall) via Settings Catalog. It does not configure a network content filter by default; that's an add-on when you have Microsoft Defender for Endpoint or a third-party DNS/web filter deployed.
Setting
Baseline value
Notes
Enable firewall
Yes
Blocks incoming connections to apps not explicitly listed
Block all incoming connections
No
Blocking all breaks legitimate management: SSH, Screen Sharing, VPN daemons. Leave off unless this is a very restricted role
Enable stealth mode
Yes
Mac does not respond to ICMP ping probes or TCP/UDP probes on closed ports
Automatically allow built-in software
Yes
Prevents the firewall from blocking Apple-signed system services
Automatically allow downloaded signed software
No
Forces explicit approval for third-party signed apps — more secure, with some user-prompt overhead during initial agent install
If your environment deploys Defender for Endpoint with its network content filter extension, that's a separate PPPC + system-extension payload — it rides alongside the application firewall, not instead of it. See macOS Firewall and Network Filters for the full treatment including DNS-over-HTTPS posture and filtering extension prerequisites.
System Integrity and Secure Boot Posture
System Integrity Protection (SIP) and Secure Boot are Apple-enforced controls that Intune cannot configure directly — Apple prevents MDM from weakening them on supervised devices, which is the right call. What the baseline does instead is verify them through compliance:
Step 1Baseline deploys configFileVault, Gatekeeper, firewall settings land on the device
Step 2Compliance policy checks stateFileVault encryption + escrow, firewall enabled, Gatekeeper enabled, OS version floor
Step 3Noncompliant triggers actionGrace period email, then mark as noncompliant, then CA blocks access
Step 4Conditional Access enforcesCompliant Mac required to access M365 and other Entra-protected apps
The compliance policy settings that the security baseline is designed to satisfy are in the macOS compliance policy deep-dive. The key items mapped to this security baseline are:
Require FileVault. The compliance engine checks the MDM-reported encryption state; escrow is verified separately via the device blade or Graph.
Require system integrity protection. Compliance checks SIP is enabled — if a device has SIP disabled (only possible outside of supervised ADE flow), it fails immediately.
Firewall enabled. The compliance check maps to the ALF state you configured in the baseline profile.
Gatekeeper enabled. Checked via the assessmentSettings MDM report; override-allowed Gatekeeper fails this check in strict mode.
Minimum OS version. Set a floor that matches your current DDM software-update target minus one minor release, to account for staged rollout lag.
Insights
FileVault encryption without escrow is a false sense of security. Intune reports the device as encrypted regardless of whether the key reached the Intune recovery-key store. Audit escrow separately with a Graph call before you count any Mac as fully protected.
Bypass count of 0 is the only defensible value. Any number above 0 means a motivated user can dismiss the FileVault prompt indefinitely by rebooting. Field experience: users will find the magic number and exploit it.
Gatekeeper override-disabled breaks some IT tooling. If your script or management agent is unsigned or un-notarized, you'll hit this immediately. Fix: notarize the binary, or deploy it from a signed PKG that installs to a system path Gatekeeper doesn't gate post-install.
Stealth mode is low-friction and high-value. In seven years of deployments, enabling stealth mode has never broken a legitimate corporate app. Enable it in every baseline without exception.
The application firewall and network content filters are independent layers. Engineers frequently confuse "firewall enabled" in the ALF sense with Defender's network extension. Both can run simultaneously; each serves a different threat model.
SIP and Secure Boot status belong in compliance, not policy. You cannot force them on via MDM, but you can detect and block non-compliant Macs from accessing resources. That's the right control point.
The default DDM-enforced update cadence the baseline sets.
The macOS baseline does not leave software update enforcement up to individual admins to figure out. It ships an opinionated DDM managed-update policy as part of the baseline package — one that sets sensible deadline defaults, pairs with a minimum-OS compliance floor, and is designed to be tightened rather than built from scratch. If you are deploying the baseline to a new tenant, this is the update posture you get on day one. If you are reviewing an existing deployment, this page is your reference for what the baseline intends and why.
This is the "sensible defaults" companion to the DDM and Software Updates on Mac deep-dive. That page covers declaration mechanics, Intel vs Apple Silicon paths, caching servers, and troubleshooting. This page covers what the baseline ships and how to tune it for your environment without breaking the intent.
Applies tomacOS 13 Ventura and later; supervised (ADE) Macs
Console pathDevices > macOS > Update policies for macOS
RequiresDDM-capable Intune policy; supervision via ADE
GotchaDDM enforcement is silent on unsupervised Macs — user-approved enrollments will not be force-updated
What the Baseline Ships
The baseline includes one managed software update policy. The defaults are chosen to balance security velocity with operational realism for a fleet that includes knowledge workers who may be in the middle of critical work when a deadline lands.
Setting
Baseline Default
Why
Target version
Latest release of the current major
Tracks Apple's security cadence without forcing a major-version jump
Maximum user deferrals
3
Gives users a weekend or two; does not let them defer indefinitely
Deadline type
14 days after policy applies
Rolling model works across staggered enrollment dates
Priority
Low
Schedules install outside active hours; reduces disruption
Download ahead of time
Enabled
Pre-caches the installer when idle and on power; reduces install window
Rapid Security Responses
Enabled
RSRs are narrow targeted patches; blocking them is rarely justified
14 days is a starting point, not a mandate
Regulated industries or security-sensitive environments should reduce the deadline to 7 days or fewer. The baseline ships 14 days as the default because it is broadly deployable without an immediate flood of helpdesk calls; it is not the recommended floor for a high-security fleet.
Compliance Floor Pairing
The update policy enforces the install; the macOS compliance policy makes out-of-date machines noncompliant. The baseline wires both together. The compliance policy's Minimum OS required setting is set to the same version floor targeted by the DDM policy, with a deliberate lag of 7 days: the compliance floor activates a week after the DDM deadline, giving Intune time to reflect the updated OS version and avoiding a wave of false noncompliance reports from Macs that updated but whose compliance status has not yet refreshed.
The practical result: a Mac that ignores DDM enforcement (rare on supervised hardware, but possible if the device was offline through the entire deadline window) becomes noncompliant, which Conditional Access can use to block Exchange, SharePoint, and any protected resource. See Configure Software Updates with DDM for the full enforcement mechanics.
Version mismatch breaks the fleet
If the DDM policy targets 14.5 and the compliance policy requires 14.6, every Mac that hasn't yet received the DDM update is immediately noncompliant — before DDM even tries to install anything.
Keep the DDM target and the compliance floor in sync. Update both when you advance the target build.
Never set the compliance floor to a version that is ahead of your DDM target. Move the DDM target first, wait one full deadline cycle, then advance the compliance floor.
Tuning the Baseline for Your Environment
Security-sensitive or regulated fleet (healthcare, finance, FedRAMP)Tighten the deadlineReduce to 7 days; consider 3 for critical RSR-equivalent patch releases
Developer-heavy fleet where major updates break toolchainsPin to a specific buildLock the target to a validated build; do not track latest automatically
Mixed fleet: supervised ADE Macs + user-approved BYOD MacsScope the policy to supervised devices onlyDDM is silently no-op on unsupervised; use a separate compliance-only lever for BYOD
Pilot-first rollout for a major macOS version jumpCreate a separate policy for the pilot ringTarget the new major version at a named pilot group before the fleet policy advances
What the Baseline Does Not Cover
The baseline update policy targets macOS point releases and Rapid Security Responses. It does not manage third-party application updates — those are handled separately via Installomator scripts or managed app deployment. It also does not control the macOS beta seed program (seed enrollment is a separate MDM payload) or the Software Update catalog source for organizations running a local caching server. If you need those controls, add them as supplemental profiles; do not bolt them into the baseline policy.
Monitoring Update Compliance
After the baseline deploys, check progress via Devices > macOS > Update policies for macOS > select the policy > Device status. The statuses to watch:
Pending — policy received; deadline has not arrived or the install is queued.
Succeeded — the Mac is on or above the target build.
Not applicable — the Mac is unsupervised or running macOS 12 or earlier. DDM cannot help; rely on compliance pressure only.
Failed — the declaration was rejected or the install errored. Check mdmclient log on the device; common causes are insufficient disk space and an active FileVault unlock screen preventing restart.
The compliance policy report shows the OS version floor separately from the DDM status. Cross-reference both: a Mac can show "Succeeded" in the update policy (it installed the OS) but "Not compliant" in the compliance policy if the compliance check ran before Intune refreshed the device record. Give it 8–12 hours before treating the compliance status as authoritative.
Insights
The download-ahead toggle is the single highest-impact tuning knob. Without it, a user on a slow hotel Wi-Fi connection at deadline time faces a 6–12 GB download mid-meeting. Pre-caching on power and idle makes the deadline feel invisible to most users.
"Not applicable" is not a failure — it is an architectural gap. If a meaningful portion of your fleet shows Not applicable, you likely have unsupervised Macs or machines still on macOS 12. DDM cannot fix that; the only lever is compliance policy pressure combined with a user-facing explanation of why they need to enroll via ADE or upgrade their OS.
Major-version upgrades (e.g., Sonoma to Sequoia) warrant a dedicated pilot policy. Point-release updates are low-risk. Major version jumps can break developer tools, security agents, and LOB apps. Always run a named pilot group for at least two weeks before advancing the fleet-wide target to a new major.
The baseline sets a good floor, not the lowest acceptable bar. Fourteen days and three deferrals are operationally comfortable. They are not the posture you want for a fleet that handles PII or regulated data. Tighten them — the baseline is designed to be tuned, not deployed verbatim to every environment.
Keep the compliance floor and DDM target moving in lockstep. The most common misconfiguration field engineers encounter is a compliance policy that was updated when the team advanced the baseline but the DDM policy was not, or vice versa. Treat them as a coupled pair: update both in the same change window.
There is no "Shared iPad" for Mac — here is what shared Macs actually look like.
macOS has no equivalent of Shared iPad. There is no built-in MDM mechanism that wipes a user session on logout, rotates a managed Apple Account, or hands a pristine workspace to the next person. If you are looking for that feature on Mac, it does not exist — and shipping the wrong architecture because you assumed parity with iPad causes real problems. This page covers what shared Mac patterns actually look like in production and how to choose the right one for your scenario.
The honest framing: a "shared Mac" in the enterprise is a Mac where multiple people sign in using distinct local accounts, or a Mac locked to a single function. Neither pattern gets you the clean per-session isolation of Shared iPad or the automatic account cleanup of Windows Shared PC mode. Understanding that gap before you design is the whole point of this page. See the shared Apple foundation for how Mac and iPad diverge at the MDM layer.
Applies toSupervised macOS (ADE), all Apple Silicon and T2 Macs
No Shared iPad equivalentmacOS does not support managed session wipe-on-logout
Account modelLocal accounts — one per user, or one shared admin/standard account
GotchaSingle shared local account bypasses all per-user audit and FileVault per-user unlock
The Four Real Patterns
Before choosing, name what you actually have. Most "shared Mac" requests fall into one of four categories, and only some of them are well-served by a managed Mac at all.
Named employees who hot-desk or share a Mac in shiftsMultiple Local AccountsEach user gets their own local account — closest to a personal Mac experience, but requires manual provisioning or Platform SSO registration per user.
Anonymous walk-up users (lab, library, reception)Guest Account or Single-Purpose KioskmacOS Guest Account gives a sandboxed, ephemeral session that deletes on logout; for locked-function devices, consider a kiosk-style no-affinity ADE enrollment instead.
A Mac used by a team with no individual accountability neededSingle Shared Local Account (anti-pattern — read the caution)Simplest to operate but eliminates per-user audit trails, FileVault per-user unlock, and any meaningful identity signal.
Pooled compute with user personalization across sessionsVDI / Windows 365 / Azure Virtual DesktopmacOS cannot replicate this. If users need a persistent personalized workspace regardless of which hardware they touch, use cloud-hosted desktops instead.
Multiple Local Accounts (Named Users)
This is the most defensible shared-Mac pattern. Each person who uses the Mac gets their own local account, created at first login — either by IT during provisioning, via Platform SSO's account-creation flow, or by the user themselves if your ADE profile permits a standard account. Apps and configuration are targeted to the device, not the user, so everyone gets the same managed software regardless of who logs in.
Platform SSO and shared Macs
Platform SSO registers a token to the local account that initiated registration — not to the Mac. On a shared Mac with multiple local accounts, each user must complete the Platform SSO registration prompt separately after their first login. There is no fleet-wide "pre-register all accounts" option. Plan your user communication accordingly. See the deep-dive on Platform SSO with Entra ID for the registration flow details.
FileVault behaves differently on multi-user Macs too. FileVault requires that each user who needs to unlock the disk at boot be explicitly enabled as an unlock user — this does not happen automatically when a new account is created. Intune's FileVault policy handles the initial enabled user during deferred enablement, but subsequent accounts added to the Mac must be enabled via sysadminctl or by an admin user who authenticates during the FileVault setup pass. Recovery key escrow is per-device, not per-user, so there is still a single PRK in the Intune device blade.
Guest Account
macOS's built-in Guest Account creates a temporary home directory at login and deletes it on logout — no persistent files, no browsing history, no keychain entries survive. This is the only built-in macOS mechanism that approaches "clean state per user." Enable it via the Settings Catalog (Devices > macOS > Configuration) under the Accounts payload: set GuestEnabled to true and optionally GuestEnablesManagedAppleID if you want Managed Apple Account login at the guest session.
Guest Account limits
Guest sessions cannot be targeted by per-user Intune policy — only device-level config applies.
No FileVault unlock from a guest session — the Mac must already be unlocked.
App licensing (VPP) cannot be assigned to a guest account.
Guest is not a substitute for Shared iPad isolation; a guest user can still access network shares or unmanaged apps available at the device level.
The Single Shared Local Account Anti-Pattern
It is tempting on a lab or loaner Mac to create one local account (e.g., labuser) and hand the password to everyone. Resist this. A single shared account means:
All audit log events — file access, application launches, authentication — are attributed to the same account identity with no way to distinguish individuals.
FileVault shows one unlock user; when that user's password is shared, your encryption posture is effectively open to anyone who has ever been told the password.
Platform SSO cannot register a meaningful Entra identity against a shared local account; the SSO token is whoever most recently registered, and it will break for any other user.
Compliance policies that check for a specific user principal name will mismatch or report incorrectly.
For loaner and lab Macs, a better pattern is no-affinity ADE enrollment, a locked-down no-affinity device with a local admin account IT controls, and a wipe-and-redeploy cycle between loan periods rather than shared credentials.
When to Redirect to VDI or a Kiosk
Requirement
Shared Mac (local accounts)
VDI / W365
Kiosk / no-affinity ADE
Per-user personalization survives logout
✅ (within their own local account)
✅
❌
Clean slate after each user session
❌
✅ (non-persistent)
✅ (if wiped between uses)
macOS-native apps required
✅
❌
✅
Full Entra identity per session
✅ (with Platform SSO per account)
✅
❌ (no affinity)
No licensing per seat (anonymous walk-up)
❌ (each account needs licensing)
❌
✅
MDM manages user data isolation
❌
✅
N/A
If users need roaming personalization across any physical Mac they pick up, the answer is cloud-hosted desktops, not a shared Mac. macOS does not support network home directories in a practical way under Intune-managed ADE enrollment — the mobile account model was deprecated, and Active Directory binding is not a supported pattern for Entra-joined fleets. Local account strategies covers why the AD-bind model is a dead end for modern Mac management.
Do
Enroll shared Macs with no-affinity ADE (no user assigned in Intune) so no single Entra user "owns" the device.
Target all configuration and apps to the device group, not a user group, so config lands regardless of who logs in.
Enable Guest Account for truly anonymous walk-up scenarios where the guest's data should not persist.
Create individual local accounts for named employees even on shared hardware — it preserves accountability.
Plan a wipe-and-redeploy cycle for loaners rather than a password reset on a shared account.
Don't
Create a single shared local account with a known password and call it "shared Mac management."
Try to replicate Shared iPad behavior — macOS does not have that feature and no configuration will approximate it cleanly.
Assign a user affinity to a shared Mac in the ADE profile if multiple people will log in — affinity ties the device record to one Entra user.
Rely on Platform SSO to "just work" for every user on a shared Mac without walking each user through the registration prompt on their first login.
Enable FileVault and assume all users who later create accounts are automatically enrolled as unlock users.
Insights
The most common shared-Mac mistake is assuming macOS will do what Shared iPad does. It will not. State that plainly to your stakeholders before architecture is frozen — retrofitting is painful.
No-affinity ADE is the right enrollment path for any device with more than one regular user. User-affinity ties a device to one Entra account; on a shared Mac that account will drift out of sync with the actual users, causing compliance and CA issues.
FileVault on a multi-user Mac needs an explicit enablement step for each user who should be able to unlock at boot. New accounts added after initial FileVault setup are not automatically enrolled as unlock users — this surprises admins who assume it mirrors per-user behavior.
Platform SSO is per local-account, not per device. On a shared Mac, each local-account holder registers Platform SSO independently. If you skip this briefing in your onboarding docs, users will hit the registration banner mid-workflow and escalate to the helpdesk.
Storage bloat is your long-term enemy on shared Macs. Multiple home directories accumulate without the automatic cleanup Windows Shared PC mode provides. Build a disk-review cadence or use a scripted cleanup via a shell script policy, especially on lab Macs.
The guest account is the closest macOS approximation to "anonymous ephemeral session," but it cannot receive per-user app licenses, cannot unlock FileVault, and does not give you an Entra identity for Conditional Access — do not confuse "clean session" with "fully managed session."
Enrollment, accounts, and policy targeting for a Mac that several people use.
macOS has no "Shared iPad" — no built-in mechanism that wipes a user's session at logout and hands a clean slate to the next person. What it does have is a mature, well-understood multi-user account model that, when combined with ADE no-affinity enrollment, the right login-window configuration, and device-scoped policy, produces a perfectly serviceable shared Mac. The work is in knowing which knobs to turn and which traps to avoid.
This page is the configuration walkthrough. For the strategy layer — choosing between named-user accounts, anonymous walk-up, and single-purpose kiosk — start with Shared Mac Strategies. Come back here once you know your model.
Applies tomacOS 12 Monterey and later (ADE); local accounts work on all managed versions
Console pathDevices > Enrollment > Apple > Enrollment program tokens > Profiles
GotchaFileVault on multi-user Macs needs per-user unlock enabled — a single PRK is not enough
Step 1 — Enroll with No User Affinity
A shared Mac must not be tethered to one person's Entra account. In your ADE enrollment profile, set User affinity to Enroll without user affinity. This skips the Company Portal sign-in step during Setup Assistant and registers the device as a device-only object in Intune — no primary user. See Create the macOS ADE Enrollment Profile for the full profile walkthrough; the key difference for shared Macs is that single setting.
Step 1ADE — No AffinityEnrollment profile: User affinity = Enroll without user affinity
Step 2Local Account ModelDecide: auto-created admin, standard user, or login-window list only
Step 3Login Window & BannerPush login-window config and a legal/policy banner via Settings Catalog
Step 4FileVault + AppsEnable per-user unlock, escrow the PRK, and target all apps to the device group
Step 2 — Local Account Model
With no-affinity ADE, Setup Assistant creates one local account during provisioning — the "management account." You have three choices for how to handle it, and they have meaningfully different security profiles.
Model
How it works
Best for
Risk
Auto-created standard user
ADE profile creates a non-admin local account; an MDM-managed admin account exists separately
Named-user shared Macs where each person creates their own account at first login
Account accumulation over time
Auto-created admin account (shared credential)
One local admin account, shared password, everyone uses it
Lab/utility Macs where simplicity beats security
❌ Shared admin credential is a credential hygiene problem
Login-window list only (no auto-account)
No account created; users authenticate via Platform SSO at the login window
Platform SSO environments with named staff users
Requires Platform SSO; first-login latency
Use a managed hidden admin
Regardless of which model you pick, create a hidden management/admin account via a shell script at enrollment — a local admin with a LAPS-rotated or random password that never appears in the login window. This account is your recovery path if Platform SSO or MDM connectivity fails.
For deep-dive guidance on account creation scripts and the login-window suppression payload, see Local Account Strategies.
Step 3 — Login Window and Policy Banner
On a shared Mac, the login window is user-facing infrastructure. Configure it with Settings Catalog or a custom profile under Devices > macOS > Configuration > Create > Settings catalog, then search for Login Window.
Set the login window to Name and Password. Change LOGINWINDOW > Login Window Text to Name and Password (not the default user-list). On a shared Mac, a list of user tiles exposes every account name to anyone at the keyboard.
Suppress the last-logged-in user hint. Enable Show Full Name and set Disable Console Access to prevent console log-in bypasses.
Push a legal/policy banner. Use the PolicyBanner payload (or the Login Window > Banner keys in Settings Catalog) with your organization's acceptable-use text. The banner appears before authentication — macOS requires the user to click Agree before the password field activates. See Login Window and Policy Banner for payload syntax and gotchas around multi-line text.
Configure sleep and screensaver lock. Set a short idle lock (5–10 minutes) via com.apple.screensaver settings so an unattended Mac locks between users.
Guest account: think before enabling
The macOS Guest account provides a temporary Safari-only session that wipes on logout — it looks like Shared iPad but is not managed and ignores most MDM profiles.
Guest sessions can be used to bypass restrictions that apply to named local accounts.
Disable Guest unless you have a specific walk-up browsing use case and accept the security trade-off.
Step 4 — FileVault on a Multi-User Mac
FileVault on a shared Mac is not the same as FileVault on a single-user Mac. When multiple local accounts exist, every account that should be able to boot the Mac must be an enabled FileVault user. An account added after FileVault was first enabled cannot unlock the disk unless you explicitly enable it.
Deploy the disk-encryption policy as normal. Navigate to Devices > macOS > Configuration > Create > Templates > Endpoint protection, then configure the FileVault section — or use a Settings Catalog disk-encryption profile. See FileVault for the full policy walkthrough.
Enable deferred enablement. On a no-affinity enrollment, deferred enablement fires at next login for the first user who logs in. That account becomes the initial FileVault-enabled user. Subsequent accounts added later are not automatically enabled.
Escrow a Personal Recovery Key (PRK). The Intune disk-encryption policy escrews one PRK per device. On a multi-user Mac, the PRK is your insurance policy when all user passwords are forgotten or accounts are deleted — keep escrow healthy and verify it in the Intune device record (Devices > device name > Recovery keys).
Enable additional users at first login. Script or communicate to each new user that they should go to System Settings > Privacy & Security > FileVault > Enable User after their account is created. Alternatively, script fdesetup add as part of a post-login script to add each new account automatically — requires a FileVault-enabled account's credentials.
Institutional key is not the answer here
Institutional keys require a local keychain and a complex provisioning process; they are rarely worth the operational overhead.
The PRK escrowed to Intune is the right recovery control for most shared-Mac fleets. Make sure you can retrieve it before you deploy.
Step 5 — Apps and Configuration: Target the Device, Not a User
On a no-affinity enrolled Mac there is no primary user. Every app and profile assignment must target a device group — not a user group. This is the most common misconfiguration on shared Macs: apps assigned to a user group simply never arrive.
Create a dedicated Entra device group for your shared Macs. Use a dynamic rule like deviceEnrollmentProfileName -eq "Shared-Mac-ADE" to auto-populate it based on the enrollment profile name you assigned in Step 1.
Assign all apps as Required to the device group. Microsoft 365, Edge, LOB tools — all Required, all to the device group. Apps install to the system level and are available to every account on the Mac.
Assign all configuration profiles to the device group. Same rule: Settings Catalog profiles, custom profiles, PPPC payloads, login-window config — all device-targeted.
Do not assign Available (Company Portal) apps. Company Portal on a no-affinity Mac is not signed into a user account, so Available assignments are meaningless. Required device-targeted deployments are the only reliable delivery mechanism.
Platform SSO Considerations for Shared Hardware
Platform SSO is engineered for the one-Mac-one-user model: it registers a secure enclave key to a specific Entra identity and binds the login password to that account's Entra credential. On shared hardware, the picture is more complex.
Scenario
Platform SSO behavior
Verdict
Named staff users, each has their own local account
Each user registers Platform SSO against their own Entra identity at first login; SSO works normally per-user
✅ Fully supported, recommended
Single shared local account, multiple people use it
Platform SSO registers once to whoever set it up; subsequent users authenticate as that identity
❌ Do not use Platform SSO in this model
No-affinity enrollment with no named users (anonymous kiosk-adjacent)
No user identity to register; SSO extension does nothing useful
❌ Skip Platform SSO; use local accounts only
If your shared Macs follow the named-user model, deploy the Platform SSO extension profile the same way you would for standard Macs, but set Registration token to be user-initiated at first login rather than registration-forced at enrollment. This prevents the extension from trying to register before any user is present.
Verification
Confirm no primary user in Intune. Open the device record in Devices > macOS > the device. The Primary user field should be blank. If it shows a user, the enrollment profile had affinity enabled.
Confirm all profiles report Success. Check Device configuration on the device record. Every profile — login-window, FileVault, PPPC, restrictions — should show Succeeded for the device, not pending a user check-in.
Confirm FileVault escrow. In the device record, open Recovery keys. A PRK should be present. If it is missing, the deferred enablement has not fired yet (no user has logged in) or the disk-encryption policy is not yet applied.
Test the login window. Log out and verify the banner appears, the login window shows Name and Password fields (not user tiles), and an unexpected account name is not pre-filled.
Test app delivery. Log in as a second local account and confirm apps installed to /Applications are present and launch without a per-user install step.
Insights
No-affinity is not optional. If you accidentally enroll a shared Mac with user affinity, it ties primary ownership to whoever ran Setup Assistant — every compliance evaluation, app assignment, and CA evaluation runs against that one person's account. Re-enroll; there is no in-place fix.
Device groups, every time. The single most common shared-Mac misconfiguration: apps and profiles assigned to user groups. On a no-affinity device, user-group assignments never apply. Build the device group first, before you configure a single profile.
FileVault unlock users accumulate silently. If staff accounts are added and removed over months, you can end up with a Mac where the only FileVault-enabled account belongs to someone who left. The PRK is your safety net — confirm escrow is current on every device, not just at initial enrollment.
Account cleanup is your problem to solve. macOS has no automatic stale-account deletion (unlike Windows Shared PC mode). Write a script, run it on a schedule, and remove accounts for users who have not logged in for a defined period. Otherwise disk space and the FileVault-user list grow indefinitely.
Patterns for Macs that rotate through many hands — loaners, labs, and meeting rooms.
Loaners, lab stations, and conference-room Macs all share one characteristic: the device outlives every user who touches it. Unlike a personally assigned Mac that retires when its owner leaves, these devices cycle continuously — and that rotation creates a class of lifecycle and management problems that standard ADE profiles simply are not designed to solve. This page covers the real-world patterns that actually work in production, along with the specific Intune and ADE controls that make each one reliable.
macOS has no "Return to Service" feature equivalent to iOS's same-name flow, so the patterns here are engineering workarounds rather than first-party features. That matters: you are building processes, not clicking a button. The goal is a device that is enrollment-locked, wipes cleanly between users, and re-enrolls automatically without an IT technician touching the keyboard.
Applies tomacOS, supervised ADE Macs
Console pathDevices > macOS > [device] > Overview
RequiresABM device assignment + ADE enrollment profile with no user affinity or "Enroll without user affinity"
GotchaErase Device on macOS does NOT auto-re-enroll the way iOS Return to Service does — you must rely on ADE + Setup Assistant to pull it back in
The Three Rotating-Mac Patterns
Each use case calls for a different enrollment and account model. Choosing the wrong one up front creates pain at scale.
Use case
Affinity
Local account
Wipe trigger
Notes
Loaner pool
None
Shared admin or none (login-window only)
IT-triggered Erase Device or Wipe
ADE re-enrolls automatically at next boot
Lab / classroom
None
Single shared local account (optional)
Scheduled wipe or end-of-term Wipe action
Locked config profile; device-targeted apps only
Conference room / kiosk-adjacent
None
Auto-login account or no local login
Never (static use); periodic full redeploy for OS updates
Minimal payload set; AppleTV or dedicated HDMI display configs
Loaner Pool Hygiene
A loaner pool lives or dies by how cleanly a device transitions from one user to the next. The reliable pattern is Erase Device → auto-ADE re-enrollment → minimal Setup Assistant → login window. The device comes back to you as a clean, supervised, enrolled Mac without IT physically touching it, provided the following conditions are met:
Assign an ADE enrollment profile with no user affinity. In Devices > Enrollment > Apple > Enrollment program tokens, the profile must be set to Enroll without user affinity so no user registration step blocks the flow at Setup Assistant.
Enable locked enrollment. Check Locked enrollment on the ADE profile. This prevents a local admin from removing the MDM profile and leaving a stale device in your fleet — critical for hardware that passes through untrusted hands. See shared Mac configuration for the full enrollment model.
Skip all avoidable Setup Assistant panes. Skip AppleID, iCloud, Screen Time, Siri, Location Services, Express Language, Accessibility, Privacy, and any pane that requires user input. The device should reach the login window with zero interaction.
Issue the Erase Device remote action — not Retire. In the device blade, Devices > macOS > select device > Erase. Erase preserves ABM assignment and triggers ADE re-enrollment. Retire removes the MDM profile and disassociates the device; it will not auto-re-enroll.
Erase Device vs Wipe — which word the console uses
The Intune console calls the action "Erase" for macOS (mirroring Apple's term). It sends the EraseDevice MDM command. On Apple Silicon, this performs a restoreOS via recoveryOS, which is more thorough than a T2/Intel erase. Both result in ADE re-enrollment if the device is still assigned in ABM.
Step 1User returns deviceIT confirms device is still enrolled and ABM-assigned before proceeding
Step 2Issue Erase DeviceConsole: Devices > macOS > [device] > Erase — device wipes and reboots into recoveryOS
Step 3ADE re-enrollmentSetup Assistant contacts Apple servers, pulls the ADE profile, enrolls into Intune — no human input required
Step 4Ready to loanDevice lands at login window, fully enrolled, policies applied; issue to next user
Lab and Classroom Macs
Lab Macs are persistent-enrollment, no-affinity devices with a locked configuration — they should look the same every time a student sits down. The key decisions are whether you allow a shared local login account and how you handle end-of-term resets.
Create a dedicated ADE enrollment profile for labs. Name it clearly (e.g., ADE-LAB-NoAffinity) and assign it to the serial-number group for lab hardware. Keep it separate from loaner and standard profiles so you can tune Setup Assistant pane skipping and account creation independently.
Deploy a local account via a shell script or the account-creation payload if needed. If lab users sign in to a single shared local account (common in art rooms, audio suites), create that account via a post-enrollment script rather than enabling Platform SSO — Platform SSO's per-user enrollment model is not suited to anonymous shared use.
Target all config profiles and apps to the device group, not user groups. Lab Macs have no user affinity and no Entra user context at enrollment. Any policy or app assigned to a user group will never apply. Device groups are the only reliable target.
Schedule end-of-term wipes as a batch Erase action. Use the Intune console or Microsoft Graph (POST /deviceManagement/managedDevices/{id}/erase) to script bulk erases against your lab device group. Re-enrollment and recovery covers the Graph automation pattern in detail.
FileVault on no-affinity lab Macs
With no user affinity and no user account performing the first login, FileVault deferred enablement never fires — the trigger requires an interactive login by the account that will be the unlock user.
If FileVault is required by your compliance policy, a shared local account must exist and log in at least once to enable and escrow the key. Alternatively, suppress the FileVault compliance check for lab device groups if the threat model permits.
The recovery key escrows to Intune only after that first-login enablement. A device that wipes before key escrow loses the key — issue the Erase action only after confirming escrow status in the device blade.
Conference-Room and Single-Purpose Macs
Conference-room Macs — driving an AirPlay-receiving display, running a Teams Rooms session, or acting as a room controller — are effectively static, purpose-built devices. They rarely need to rotate. The management pattern is simpler than loaners but has its own failure modes.
Use no-affinity ADE enrollment with a conference-room-specific enrollment profile. Lock enrollment so facilities staff cannot accidentally un-manage the device.
Suppress the login window entirely using the Login Window payload: enable auto-login for the conference account (com.apple.loginwindow > autoLoginUser) or hide the user list with SHOWFULLNAME = TRUE and define the user manually. The login-window configuration page covers this.
Restrict iCloud sign-in and App Store access. A conference-room Mac should never be used for personal browsing or iCloud-authenticated work. Deploy the Restrictions payload to block Apple Account modification and App Store app purchases.
Plan for OS update redeployment, not in-place upgrades. Because conference-room Macs have no user to respond to a DDM update deadline, and because a mid-session upgrade is disruptive, schedule periodic full Erase-and-redeploy cycles during off-hours rather than relying on DDM to force an upgrade at an awkward moment. See Mac lifecycle and refresh planning for the cadence guidance.
Re-Enrollment Between Users
The most common failure mode in rotating-Mac fleets is leaving stale data or accounts behind. macOS does not have an iOS-style Return to Service that wipes to a clean state and re-enrolls in one step. The Erase Device action is your equivalent, and it works reliably — but only if the device retains its ABM assignment throughout its life.
Do
Confirm ABM assignment is intact before issuing Erase — if the device was factory-reset outside Intune, it may have lost its assignment
Use device naming conventions that identify the pool (e.g., LOAN-001, LAB-AUDIO-04) so the device appears correctly in reports after re-enrollment
Audit the re-enrolled device in the console to confirm all profiles applied before handing it to the next user
Rotate the FileVault recovery key after each loaner return: Devices > device > Rotate FileVault recovery key
Keep an eye on Activation Lock — if a previous user enrolled their personal Apple Account, issue Disable Activation Lock before the Erase action
Don't
Use Retire instead of Erase — Retire removes MDM enrollment; the device will not auto-re-enroll via ADE
Allow loaner users to install a personal Apple Account — this creates Activation Lock exposure that blocks the next wipe cycle
Rely on deleting the user account manually as a "wipe" — this leaves system-level data, cached credentials, and MDM profile state intact
Assign loaner Macs to user-affinity ADE profiles — user-affinity devices register to a specific Entra identity and do not cleanly transfer to a new user
Skip the post-erase policy-compliance check — a freshly re-enrolled device takes several minutes to receive all profiles; do not issue it immediately
Insights
ABM assignment is the linchpin. Every rotating-Mac pattern depends on the device retaining its ABM assignment. If a device is ever wiped via local macOS recovery or DFU without being in ABM, it will not re-enroll. Audit ABM assignment at check-in, not at check-out.
Apple Silicon changes the Erase behavior. On Apple Silicon, the Erase action performs a restoreOS through Apple's servers, which is slower (5–15 minutes) but more thorough than Intel/T2. Plan loaner turnaround time accordingly — do not promise same-hour re-issue.
Platform SSO is per-user and creates debt on shared Macs. If any loaner user registers Platform SSO, that Secure Enclave credential is bound to their account. It disappears on Erase, but if you are attempting multi-user reuse without a full wipe, old SSO registrations can confuse the next user's registration flow. Wipe is safer than account deletion.
Conference-room Macs silently fall out of compliance. With no user to dismiss noncompliance notifications and no DDM update interaction, conference-room Macs frequently drift to an outdated OS and breach the minimum-OS compliance requirement. Separate them into their own compliance policy with an elevated OS floor or a longer grace period, rather than letting them block CA for the entire fleet policy.
Loaner naming matters for helpdesk sanity. A device that shows up in Intune as Thomas's MacBook Pro after a user set it up will confuse every ticket that references it. Use the ADE enrollment profile's device-naming template (%SERIAL% or LOAN-%DEVICENAME%) and verify the name resets correctly on each re-enrollment.
The "shared local account" anti-pattern is a security event waiting to happen. Lab Macs where every student logs in as labadmin with a known password are a shared-credential risk. Consider whether a Configurator-style kiosk profile or full FileVault wipe at end of each day is more appropriate for your threat model than a persistent shared password.
What multi-user Mac fleets teach you the hard way.
Shared and multi-user Macs sound straightforward until you're three months in and a lab cart won't unlock its encrypted drive, a departing employee's profile is eating 40 GB per machine, and nobody can explain why the audit log shows "localadmin" touching sensitive files. macOS was designed around personal ownership, and every shared-Mac pattern is a workaround that trades convenience for at least one operational rough edge. These are the lessons that only show up in production.
FileVault with multiple enabled users means multiple unlock paths — and multiple escrow exposures. When you enable a second (or third) local account and that user logs in, macOS prompts them to enable their own FileVault unlock. If they do, their credentials can now decrypt the drive — even after they leave. Audit who is in the FileVault enabled-user list regularly (fdesetup list via a shell script in Intune) and understand that the escrowed personal recovery key is tied to the device, not to a specific user's slot. When in doubt, rotate the recovery key after any user departure. See FileVault configuration for the full escrow mechanics.
The single shared local account is an audit and security anti-pattern — avoid it. Creating one shared local account that everyone logs into feels simple. In practice it destroys attribution (no audit trail per user), breaks per-user licensing enforcement for apps, leaves a single credential to rotate whenever someone leaves, and makes Platform SSO essentially useless. If you need walk-up access without per-user accounts, the honest answer is a purpose-built kiosk flow, not a shared password.
Platform SSO is bound to the local account that registered it — it does not follow the device. If User A registers Platform SSO and User B later logs in, User B gets no SSO benefit until they complete their own Company Portal registration on that machine. On a shared Mac with five local accounts, you have five separate SSO registrations to maintain. Secure Enclave key binding makes this even stickier — each user's key lives in the Secure Enclave slot created at their registration. There is no shared-device SSO mode equivalent to what some MDMs offer on Android dedicated devices. Plan your shared Mac configuration around this reality.
There is no wipe-on-logout — profile and data bloat is real. Unlike Shared iPad, macOS has no mechanism to discard a user's local profile and data at logout. Over weeks of heavy use, a shared lab Mac accumulates gigabytes of per-user caches, Downloads folders, and app data. Without intervention (a logout hook, scheduled script, or periodic wipe-and-redeploy via ADE), disk pressure degrades performance for everyone. Script a per-user data cleanup on logout, or budget for periodic full re-enrollment and recovery cycles.
Device naming matters more on shared hardware than anywhere else. A shared Mac named MACBOOK-A1B2C3 from the serial number tells you nothing when a helpdesk ticket says "the Mac in lab 3 won't unlock." Use a naming convention that encodes location, role, and asset number — for example LAB03-MAC-0042. Set this at ADE enrollment time via the enrollment profile name template or a post-enrollment script; renaming it later is possible but requires a management command and a reboot. Good names save hours across the device's lifecycle.
No-affinity ADE enrollment is the right foundation, but it has a catch at Company Portal. A shared Mac should be enrolled without user affinity so it is not tied to any one person's account. The catch: Company Portal requires a user to sign in to complete certain actions (app installs, compliance checks). On a truly shared Mac, you need a service account or a nominated "device owner" account for Company Portal purposes — or you accept that Company Portal-delivered apps will only be available after some user signs in. Required (device-targeted) apps via the Intune management extension avoid this limitation; use them for everything that must be present before first login.
Gatekeeper and PPPC pre-approvals break in subtle ways on multi-user Macs. PPPC payloads deploy at the device level and cover system-wide consent for TCC (Transparency, Consent, and Control), so those are fine. But Gatekeeper quarantine flags and per-user TCC database entries can differ across accounts. If a management or security tool is approved for one user but prompts another, the MDM PPPC payload is probably correct — the user's per-app TCC record is not. A full wipe-and-redeploy usually clears this; targeted cleanup via script is possible but fragile.
When a shared Mac should not be a shared Mac. The right answer for anonymous walk-up access (kiosk, check-in terminal, digital signage) is a dedicated single-purpose Mac with a kiosk-style configuration — locked to one app, no local user switching, automatic restart. For roaming named users who need full Mac capability without carrying hardware, the right answer is a VDI session (Azure Virtual Desktop or a comparable solution). Forcing macOS into a Shared iPad mold produces something that is worse than either alternative: it lacks the isolation of Shared iPad and the flexibility of a personal Mac. Be honest with stakeholders about what macOS shared-use actually delivers.
Yes, supervised Macs support Lost Mode now — lock, message, and locate a missing Mac.
Lost Mode on supervised Macs is a genuine remote-lock capability, not a watered-down consumer feature. When a Mac enrolled via Automated Device Enrollment goes missing, you can lock it to a custom message and passcode from the Intune console, retrieve its last-known location, and play an audible alert — all in under two minutes. This is the Mac-side parity to the iOS/iPadOS Lost Mode workflow, and it only works when supervision is in place.
The catch is the dependency stack: supervision requires ADE, ADE requires Apple Business Manager, and Lost Mode requires an active APNs channel to the device. If your Mac fleet isn't fully supervised via ABM-assigned ADE profiles, Lost Mode is not available as a remote action. FileVault is your data-protection fallback in that case, but it can't lock the login screen on demand the way Lost Mode can.
RequiresSupervised Mac (ADE), active APNs push path, Intune device record in compliant state
GotchaLost Mode is not available on user-approved (non-ADE) enrolled Macs — it silently grays out
What Lost Mode Does on a Mac
When you enable Lost Mode, Intune sends a push command via APNs. The Mac immediately:
Locks the screen with a mandatory message you compose (contact number, policy statement, reward language).
Prevents any local login — the lock screen is not the standard login window and cannot be bypassed with a FileVault password alone.
Reports its current or last-known GPS/Wi-Fi location back to Intune (visible on the device overview map).
Remains locked until you explicitly disable Lost Mode from the console — it persists across reboots.
You can also trigger Play Sound independently — useful when the Mac is in the building but physically misplaced. The sound plays at max volume even if the Mac is muted.
Location privacy is audit-logged
Retrieving a device location via Lost Mode is logged in Intune audit logs with the initiating admin's UPN — the same guardrail as iOS. Brief your legal and HR teams before using it on employee-owned or dual-purpose Macs.
Enabling Lost Mode
Step 1Find the deviceDevices > macOS > All devices, search by name or serial
Step 2Open the remote actions menuDevice overview page > three-dot menu or the Lost mode tile under Monitor
Step 3Compose the lock screenEnter message, phone number, and optional footnote — keep the number prominent
Step 4Enable and confirmClick Enable Lost mode; the status updates to "Lost mode enabled" once APNs delivers the command
Navigate to the device record. Go to Devices > macOS > All devices and open the target Mac. Confirm supervision status shows Supervised: Yes in the device properties — if it shows No, Lost Mode will be unavailable.
Initiate Lost mode. In the device overview, select Lost mode (found under the ... overflow menu or the device action buttons depending on console version). If the action is grayed out, the Mac is either not supervised, not ADE-enrolled, or the APNs push certificate is expired.
Fill in the lock-screen message. Enter a Message (displays prominently on the lock screen), a Phone number (ideally your IT service desk), and an optional Footer. Spell out the return process — staff often do the right thing if the screen is clear.
Enable and monitor delivery. Click Enable. The device action history will show Lost mode - Pending until APNs delivers the command and the Mac acknowledges. On a Mac that is online, this typically completes in under 60 seconds. If the Mac is offline, the command queues and executes on next APNs contact.
Retrieve location (optional). Once Lost Mode is active, return to the device overview. The map widget under Monitor will display the last-reported location. Click Locate device to request a fresh location ping.
APNs is the single point of failure
If the Mac has no internet connectivity, the Lost Mode command queues but does not execute until the device comes online.
An expired APNs push certificate means no commands reach any Apple device in your tenant — check Tenant administration > Apple MDM push certificate for expiry before an incident.
Corporate network egress rules that block Apple's APNs IP ranges will prevent delivery — verify *.push.apple.com is reachable from wherever corporate Macs travel.
Disabling Lost Mode
Once the Mac is recovered, disabling Lost Mode is a single action from the same device blade: Devices > macOS > [device] > ... > Disable Lost mode. The Mac resumes normal login immediately after the command is acknowledged. Document the recovery in your ticketing system — the Intune audit log captures enable and disable events but an ITSM record is cleaner for legal purposes.
Lost Mode vs Find My Mac — The Difference
Capability
Intune Lost Mode (supervised)
Find My Mac (consumer)
Lock screen remotely
✅ Mandatory, message-bearing
✅ Via iCloud (personal Apple ID)
Location lookup
✅ Admin-initiated, audit-logged
✅ Owner-visible via iCloud
Play Sound
✅
✅
Works without user Apple ID
✅
❌ Requires signed-in personal Apple ID
Corporate IT initiated
✅
❌ End-user only
Requires supervision
✅ ADE/supervised only
❌ Any Mac with iCloud signed in
Blocks Activation Lock bypass
❌ Separate action
Activates Activation Lock
For supervised corporate Macs, use Intune Lost Mode — it is IT-controlled, audited, and does not depend on a personal Apple ID being signed in. Refer to the Find My Mac and Activation Lock page for the consumer overlap and the Activation Lock decommission flow that often accompanies recovery.
Apple Silicon Considerations
Apple Silicon Macs (M-series) have a hardware-level security architecture that affects recovery scenarios. Lost Mode on Apple Silicon works the same way over MDM as it does on Intel+T2 — the APNs command locks the device. However, if a Mac with an active Lost Mode lock is brought to the Recovery Mode environment, note:
Erasing a supervised Apple Silicon Mac in MDM Lost Mode via Recovery Mode is possible locally — Lost Mode is not a hardware lock the way Activation Lock is. Pair Lost Mode with FileVault escrow confirmation and Activation Lock management for the full defense in depth.
See the Apple Silicon operations page for the recovery mode and revive/restore implications specific to M-series hardware.
Insights
Supervision status is the gate-check, not MDM enrollment. User-approved enrolled Macs (the manual Company Portal path) are MDM-managed but not supervised — Lost Mode will not appear as an available action regardless of license or compliance state.
FileVault and Lost Mode are complementary, not redundant. Lost Mode locks the login screen on demand; FileVault protects data at rest regardless of remote connectivity. You need both: a powered-off unencrypted Mac returned by a finder is a data breach even without a login.
The message field is underused. Engineers often leave it blank or put "IT property." Write the message for the person who finds it — a clear return address, a phone number that is answered, and a reward mention dramatically increase voluntary returns.
Stale device records fail silently. If the Mac's Intune check-in is weeks old and the APNs token cached on the device has drifted, commands may not deliver. Confirm check-in health before declaring Lost Mode a failure — the command may be pending, not rejected.
Pair Lost Mode with an immediate Entra session revocation. Lock the device, then go to Entra ID and revoke the user's refresh tokens. Lost Mode stops local logins; token revocation stops cloud resource access from any authenticated session that was open before the Mac went missing.
Stop Activation Lock from turning a returned Apple Silicon Mac into a paperweight.
Activation Lock on Mac is the same hardware-level protection as on iPhone — once a user enables Find My on their Mac, the device is cryptographically bound to their Apple Account. Without that account's credentials, or a supervised bypass code, the machine cannot be activated, erased cleanly, or resold. On Apple Silicon, this binding lives in the Secure Enclave and survives even a full DFU restore. The result: a returned or decommissioned Mac that still has Activation Lock set is effectively a brick until someone with the right credentials intervenes.
Supervised Macs enrolled via ABM give you real tools — a bypass code escrowed to Intune at enrollment, a Disable Activation Lock remote action, and a restriction that blocks users from enabling Find My at all. Engineers who end up with stranded hardware almost always skipped the supervised-escrow step or forgot to clear Activation Lock before wiping. Don't be that team.
Applies tomacOS (T2 and Apple Silicon), ADE/supervised enrollment
RequiresSupervised (ADE) enrollment — bypass code is escrowed only at enrollment time
GotchaWipe without disabling first strands the hardware — no bypass code survives an unchecked wipe
How the Bypass Code Works
When a Mac completes ADE enrollment as a supervised device, Intune automatically fetches a supervised Activation Lock bypass code from Apple and stores it against the device record. You do not configure this separately — it is a byproduct of supervised enrollment. Find the code under Devices > macOS > [device] > Hardware tab, labeled Activation Lock Bypass Code.
The bypass code is a one-time credential
It is generated once at enrollment. Using the Disable Activation Lock action voids the stored code — a fresh enrollment generates a new one.
Non-supervised (user-approved) Macs have no bypass code. This is a hard reason to enforce ADE-only enrollment for corporate hardware.
Copy the bypass code to a safe location before any wipe workflow. If the Mac ends up offline or at a depot, you may need to enter it manually during Setup Assistant.
Blocking Activation Lock via Restrictions
The cleanest operational posture is to prevent Find My from being enabled at all. In a Settings Catalog profile (Devices > Configuration > Create > macOS > Settings Catalog), search for Allow Activation Lock under Restrictions and set it to Disabled. With this deployed, supervised Macs cannot have Find My enabled, Activation Lock is never set, and decommission is always clean. Find My is a personal-device feature — it has no operational value on managed corporate hardware when you already have a stolen-Mac playbook and Lost Mode available.
Posture
Activation Lock blocked?
Bypass code available?
Best for
Restriction: Allow Activation Lock = Disabled
✅ Never enabled
N/A
Most corporate fleets — cleanest decommission
No restriction + supervised with escrow
❌ User can enable
✅ Escrowed at enrollment
Fleets where users need Find My
Non-supervised (user-approved enrollment)
❌ User can enable
❌ No bypass code
Avoid for corporate hardware
The Decommission Flow
Every Mac leaving the fleet should follow this sequence. Skipping steps is how hardware gets stranded. The Activation Lock page covers the shared iOS/macOS mechanics — the Mac flow below is Mac-specific.
Step 2Disable Activation LockRemote action from the device Overview — Mac must be online; wait for confirmation
Step 3Issue WipeOnly after Activation Lock reads Disabled — select Wipe with Erase content and settings
Step 4Release from ABMIf the device is leaving the org permanently, release the serial in ABM to clear supervised status
Apple Silicon Recovery Nuances
Apple Silicon Macs (M1 and later) enforce Activation Lock at the Secure Enclave level. Unlike Intel Macs, a full DFU restore via Apple Configurator 2 does not clear Activation Lock — the hardware identity stays locked through even the lowest-level recovery. This is a meaningful operational difference. See Apple Silicon Operations for the recovery mode hierarchy and what each level can and cannot do on M-series hardware.
The practical implication: on Apple Silicon fleets, the supervised bypass code and the Allow Activation Lock restriction are not optional hygiene — they are the only viable escape hatches.
ABM Org-Release as the Last Resort
If a Mac is stranded — Activation Lock is on, the bypass code is gone, and the user's Apple Account is inaccessible — Apple Business Manager org-release is the final option. In ABM, an org admin can release the device from the organization. This removes the ABM supervision link and opens a path to work with Apple Support, but it does not automatically remove a personal Find My lock. Expect this to require proof of ownership documentation and to take days, not minutes. Preventing this scenario with the Allow Activation Lock restriction is far cheaper.
Do
Deploy the Allow Activation Lock restriction to all supervised Macs
Verify Activation Lock status before every wipe action
Copy the bypass code before any decommission workflow
Release the device from ABM when it permanently leaves the org
Use ADE/supervised enrollment for all corporate hardware
Don't
Wipe a Mac without first confirming Activation Lock is Disabled
Assume a DFU restore will clear Activation Lock on Apple Silicon
Enroll corporate Macs via user-approved enrollment — there is no bypass code
Delete a user's Entra/ABM account before clearing Activation Lock on their device
Rely on ABM org-release as a routine decommission path
Find the recovery key and get a locked-out user back into an encrypted Mac.
FileVault is the encryption control that keeps data on a lost or stolen Mac out of the wrong hands. But encryption only protects you if you can still get in — and that means the personal recovery key must be escrowed in Intune before the user gets locked out. This page is the one you open mid-incident: where the key lives, how to hand it to a user staring at the FileVault unlock screen, and what to do when escrow never happened.
For the configuration side — enabling the disk-encryption policy, deferred enablement, and the escrow setting itself — see the FileVault deep-dive. This page assumes encryption is deployed and focuses entirely on the recovery and operational health story. For the Windows parallel, see BitLocker Recovery and Key Escrow.
Applies tomacOS · Supervised (ADE) and user-approved enrolled Macs
RequiresIntune license; FileVault policy with PRK escrow configured
GotchaThe key only escrows after the user logs in post-policy-assignment; "enabled" ≠ "escrowed"
Where the Recovery Key Lives
When Intune's FileVault disk-encryption policy is configured with Personal recovery key escrow enabled, macOS generates a unique 28-character personal recovery key (PRK) at the moment FileVault is first enabled (or rotated). That key is sent back to Intune over the MDM channel and stored against the device record.
Open the device record. Navigate to Devices > macOS > select the Mac by name or serial number.
Select Recovery keys. In the left-hand blade menu, choose Recovery keys. If escrow succeeded, the PRK is shown as a masked value.
Click Show recovery key. The full key is revealed. This action is audit-logged in Intune's audit log — reviewer, timestamp, device. Treat it as sensitive.
Read the key to the user. The key is in the format XXXXXXXX-XXXXXXXX-XXXXXXXX-XXXXXXXX and typed at the FileVault pre-boot screen when macOS prompts for it.
Self-service portal
Users can retrieve their own recovery key at myaccount.microsoft.com under Devices if your tenant has that option enabled. Enabling self-service is the single best way to cut helpdesk volume on FileVault recovery calls — implement it before you deploy FileVault at scale.
Helping a User at the FileVault Screen
The user is sitting in front of a Mac that shows the FileVault pre-boot unlock screen — a gray background with a padlock icon and a password field. They cannot log in because they forgot their password or the account is otherwise inaccessible. The recovery key is the escape hatch.
Confirm the right device. Ask the user for the serial number (printed on the Mac, or visible in the recovery key lookup in Intune). Do not read a key from the wrong device record.
Retrieve and reveal the PRK from Devices > macOS > device > Recovery keys > Show recovery key.
Have the user type the recovery key at the FileVault prompt. macOS accepts it in place of the user password and boots normally.
Rotate the key immediately after. Once the user is back in the OS, trigger a key rotation — either via the Intune Rotate FileVault recovery key remote action, or by having the user log out and back in if the policy is configured to rotate on use. Do not leave a revealed key as the active escrow value.
Key rotation is mandatory after retrieval
A revealed key is no longer secret — anyone who saw it during the support call could use it.
Trigger Rotate FileVault recovery key from the device's remote actions immediately. The device must be online and APNs-reachable for the action to fire.
After rotation, verify escrow by checking that the Recovery keys blade shows a new PRK — not the same value that was just revealed.
The "Enabled but Not Escrowed" Trap
This is the most common and most painful FileVault operational failure. The compliance policy reports the device as encrypted, but when you open Recovery keys in Intune, the value is empty. There is no key. If the user loses their password now, there is no recovery path short of wiping the Mac.
Why it happens:
FileVault was enabled by the user before the Intune disk-encryption policy arrived, using their own key that was never sent to Intune.
The disk-encryption policy was deployed but the user has not yet logged in after the policy applied — deferred enablement requires a logout/login cycle to trigger escrow.
A network or APNs failure interrupted the MDM escrow at the moment FileVault was enabled.
The Mac was off the network for an extended period after FileVault activated.
Detect it before it bites you
Filter your Intune FileVault report at Devices > Monitor > Encryption report for status Not escrowed or FileVault enabled but key not escrowed. Any device in that state is a gap — remediate it before a ticket arrives.
Remediation: Getting an Unescorted Key Escrowed
If the Mac is currently encrypted but the key is not escrowed, the remediation path depends on whether you have the institutional key deployed (see below) or only PRK-based escrow.
Verify the disk-encryption policy is correctly assigned to the device and that the Escrow location description of personal recovery key field is set in the policy. Check the policy assignment status from the device's Device configuration blade.
Confirm the user has completed a logout/login cycle after the policy arrived. If not, ask them to log out and back in — deferred enablement runs at the next login.
Use the Intune "Escrow FileVault Recovery Key for macOS" remote action if the device is already encrypted with a user-held key. This prompts the Company Portal to collect the key at next login. The user will see a Company Portal prompt asking them to enter their current recovery key — Intune then re-escrows a new one.
If all else fails and the device is unrecoverable, document the gap and plan a wipe-and-redeploy through ADE so the next enrollment starts clean with escrow from day one.
Institutional Recovery Key
Intune supports deploying an institutional recovery key (IRK) — a certificate-based key managed centrally rather than per-device. The IRK is an alternative to the PRK, not a complement: if both are configured, the PRK escrow to Intune is still preferred for individual recovery. The IRK is typically used in highly regulated environments where a centrally-held physical certificate is a compliance requirement.
Key type
Stored where
Per-device unique?
User self-service
When to use
Personal recovery key (PRK)
Intune / myaccount portal
✅
✅
Default for almost every org
Institutional recovery key (IRK)
Certificate managed by IT
❌ (same cert)
❌
Compliance mandates, air-gap environments
If your policy deploys an IRK and you need to recover a Mac using it, the unlock process requires the private key from the certificate store — not anything in the Intune portal. Ensure the IRK private key is stored securely and access is documented.
Auditing Escrow Health Across the Fleet
Do not wait for a ticket to find out which Macs have escrow gaps. Run a regular check:
Open the Encryption report. Go to Devices > Monitor > Encryption report. Filter Platform to macOS.
Sort by FileVault status. Look for devices where FileVault is Enabled but Escrow status is not Backed up to Azure AD (Entra ID).
Export the report and action each row: either trigger the remote escrow action or flag for re-enrollment.
Set a compliance policy check. The macOS compliance policy has a FileVault enabled check, but it does not verify escrow. Use the Encryption report — not compliance — as your escrow health signal.
For Graph-based fleet-wide escrow auditing (useful at scale or for automated reporting), the GET /deviceManagement/managedDevices/{id}/getFileVaultKey endpoint returns the PRK if escrowed. Querying for devices where encryptionState is encrypted but no key is retrievable surfaces the gap list programmatically.
Watch out when troubleshooting escrow failures
APNs connectivity issues silently block the escrow channel — if escrow consistently fails after new enrollments, check FileVault and Escrow Issues for the APNs and network diagnostics.
If a user changes their local account password, the PRK is not automatically rotated. Only a policy-driven rotation or a new FileVault enablement generates a new escrow.
Wipe-and-retire operations remove the escrowed key from Intune — confirm before executing a wipe that you do not need the key for legal/data-recovery purposes first.
Insights
The reveal action is audit-logged — use that. Every time a helpdesk agent clicks "Show recovery key", it is logged in the Intune audit log. If you have a high volume of reveals from unexpected accounts, that is a signal.
Compliance says "encrypted" but escrow is empty more often than anyone admits. Run the Encryption report on your fleet right now and count the not-escrowed rows. At most organizations, it is not zero.
Deferred enablement is the right choice, but it delays escrow. The key only exists after the user's first login post-policy. If a Mac goes missing between enrollment and that first login, there is no key yet.
Self-service via myaccount is the lever that actually reduces tickets. Enable it, communicate it to users, and watch FileVault recovery calls drop. Most users can type in a key themselves if they know where to find it.
Key rotation after use is non-negotiable, not optional. Every incident response guide says this and every helpdesk skips it when they are under pressure. Build a checklist that enforces it.
The runbook when a corporate Mac is reported lost or stolen.
A stolen Mac report lands on the helpdesk and the clock starts. The good news: a properly managed Mac is one of the harder enterprise endpoints to monetize for a thief — FileVault-encrypted, Activation Lock-bound, with Entra session tokens you can kill in seconds. The bad news: if you haven't pre-staged the controls (escrow confirmed, Lost Mode enabled at the right moment, Activation Lock bypass code in hand), a single misstep during the incident can turn recoverable hardware into a permanent write-off. This runbook gives you the decision sequence in the right order.
Work through this in parallel with your HR and legal notification process. Most steps take under five minutes each; the sequencing matters more than the speed.
RequiresSupervised (ADE) for Lost Mode; FileVault policy with escrow for data protection
GotchaWipe before disabling Activation Lock = bricked hardware; always bypass first
The Incident Flow
Step 1Lock it downEnable Lost Mode and kill Entra sessions before anything else
Step 2Confirm data protectionVerify FileVault is enabled and the recovery key escrowed
Step 3Locate and documentPull location from Lost Mode; screenshot for legal/insurance
Step 4Retire the hardwareDisable Activation Lock bypass, then wipe — in that order
Step-by-Step Runbook
Enable Lost Mode immediately (supervised Macs only). Navigate to Devices > macOS > select the device > Lost mode. Enter a lock message (include your IT contact number), an optional phone number, and a footnote. The Mac displays a full-screen lock and APNs pushes it in seconds if the device is online. If the Mac is offline, the command queues and executes on next connectivity. See Lost Mode for Supervised Macs for the full behavior details.
Revoke the user's Entra sessions and tokens. In the Entra admin center, find the user account and select Revoke sessions. This immediately invalidates all refresh tokens — Exchange, Teams, SharePoint, everything. Follow with Disable account if the theft warrants it. Active sessions can persist for the token lifetime (typically one hour) after revocation; disabling the account accelerates shutdown. The Conditional Access policies in your tenant back this up — a disabled or non-compliant device will be blocked at the CA grant, but token revocation is the faster kill.
Confirm FileVault is enabled and the recovery key is escrowed. On the device blade, select Recovery keys. If a personal recovery key is listed, data is protected — an unbooted thief cannot read the disk. If no key is escrowed, flag this as a potential data breach per your incident-response policy. You cannot retroactively escrow from a stolen device; this gap is a pre-incident failure. Full details at FileVault Recovery and Escrow.
Get the location while Lost Mode is active. From the device blade, select Locate device. The location returned is from the Mac's last known position — GPS on equipped models, Wi-Fi triangulation otherwise. This is audit-logged. Screenshot the coordinates and timestamp for the police report and insurance claim.
Disable the user's account and change credentials. Reset the user's Entra password. If the Mac was using Platform SSO with password-sync, the local account password cannot be changed remotely — the local credential is decoupled from Entra until next successful login. This is expected behavior, not a gap; FileVault is the data control.
Retrieve the Activation Lock bypass code before wiping. Navigate to Devices > macOS > [device] > Activation Lock bypass code and copy it. Store it. If you wipe the device without the bypass code and it comes back (returned, found, law-enforcement recovery), you will be unable to re-enroll it without the user's personal Apple ID. For supervised Macs enrolled through ADE, you can also use Disable Activation Lock as a remote action before the wipe. See Find My Mac and Activation Lock for the full decommission flow.
Queue the wipe. From the device blade, select Erase. On Apple Silicon Macs, this triggers a secure cryptographic erase via the Secure Enclave — the fastest and most thorough wipe available. On T2 Macs, it is equivalent. The wipe will execute when the Mac next has connectivity. If the device never comes back online, FileVault encryption has already protected the data at rest.
Rotate the FileVault recovery key after recovery (if the Mac is recovered). If the device is recovered intact and re-enrolled, rotate the personal recovery key immediately. From the device blade, select Rotate FileVault recovery key. The old key is invalidated; a new one escrows to Intune on next check-in.
Document for legal and insurance. Record: device serial number, Intune device ID, user, theft date/time, Lost Mode activation timestamp, last known location, Entra session revocation timestamp, and wipe command timestamp. Many insurers require evidence that remote data-protection steps were taken. The Intune audit log (Tenant administration > Audit logs) captures all remote actions with timestamps and the acting admin's identity — export this.
Wipe vs Retire: Choose Correctly
Action
What it does
Use when
Erase (Wipe)
Cryptographic erase of the entire disk; re-enrolls as factory-new via ADE
Corporate-owned Mac, confirmed stolen; hardware may be recovered
Retire
Removes MDM management, company data, and certificates — leaves the OS intact
BYOD/user-approved enrollment only; not appropriate for a stolen corporate Mac
Delete device record
Removes the device from Intune without sending a command
Never use for stolen devices — leaves the machine unmanaged with no wipe
Activation Lock order matters
Always disable or bypass Activation Lock before issuing the wipe. If you wipe while Activation Lock is still user-bound, the Mac emerges from recovery mode demanding the user's personal Apple ID. On Apple Silicon, this can leave the device permanently unusable without that credential.
The Disable Activation Lock remote action is only available on supervised, ADE-enrolled Macs where the bypass code was escrowed. If supervision was never established, your only fallback is ABM org-level release.
Lost Mode works offline too
The Lost Mode command queues in Intune and delivers over APNs the moment the Mac has any internet connection. A thief who connects to any Wi-Fi network to check it — even briefly — will receive the lock command and display your contact message.
Do / Don't
Do
Enable Lost Mode as the first remote action — it locks the screen and enables location simultaneously
Revoke Entra sessions immediately after enabling Lost Mode
Retrieve and record the Activation Lock bypass code before the wipe command
Verify FileVault escrow before assuming data protection — "device shows as encrypted" is not the same as "key is in Intune"
Export the Intune audit log entry for every remote action taken — insurers and legal teams ask for this
Check whether the device last checked in recently; a device that has been offline for days may not receive commands promptly
Don't
Wipe before disabling or bypassing Activation Lock — you may permanently brick recoverable hardware
Delete the device record instead of wiping — the machine remains live and unmanaged
Skip the Entra session revocation — an active refresh token lets a determined attacker access cloud resources even with a locked device
Assume the wipe has completed just because you clicked it — check device status; it queues until online
Retire instead of erase for a corporate-owned stolen Mac — Retire leaves the OS and local data intact
Insights
FileVault is the actual data-protection control, not the wipe. If the Mac is never recovered and never comes online, the wipe command never executes. FileVault AES-128 encryption means the disk is unreadable without the recovery key or user credential — which is why confirming escrow at the time of theft, not after, is non-negotiable.
Lost Mode location is one-shot on Mac, not continuous. Unlike iOS, macOS Lost Mode does not stream continuous location updates. You get a single location lookup. Take it as soon as you can.
Supervised-only is a real gate. Lost Mode, Activation Lock bypass, and the Disable Activation Lock action all require a supervised, ADE-enrolled Mac. Macs enrolled via user-approved enrollment have none of these. This asymmetry is the strongest argument for requiring ADE for all corporate Macs.
Token lifetime matters after session revocation. Revoking sessions invalidates refresh tokens immediately, but existing access tokens live until they expire (typically 60–75 minutes for Entra ID). The Conditional Access continuous access evaluation (CAE) feature can reduce this to near-real-time — worth enabling if you're not already.
The helpdesk call for the recovery key will come. If the user had the Mac FileVault-unlocked and the Mac is recovered, IT will eventually be asked for the recovery key to re-establish access. Keep the Intune key rotation step in the re-enrollment runbook so the old key — which the thief may have observed — is invalidated.
The one connector that makes Android Enterprise work — bind your tenant to Managed Google Play.
Before you can enroll a single Android device through Intune — work profile, fully managed, dedicated, or COPE — you need one prerequisite in place: a Managed Google Play binding. This is the enterprise infrastructure connector between your Microsoft Entra tenant and Google's Android Enterprise platform. Without it, Android Enterprise enrollment profiles cannot be created, apps cannot be pushed from Managed Google Play, and app configuration policies have nothing to attach to. Get this right once and the entire Android deployment unlocks.
The connection is free, tenant-wide, and deliberately simple. Microsoft handles the enterprise account creation on your behalf using a Google-managed enterprise account tied to your tenant's domain — you do not need a personal Google account or a pre-existing Google Workspace subscription. The binding takes less than five minutes to complete, but the email address used and the account lifecycle decisions you make here matter for years. This page walks every step and flags the failure modes engineers hit in production.
Applies toAll Android Enterprise management modes
Console pathDevices > Enrollment > Android > Managed Google Play
RequiresIntune license; no Google account pre-requisite
GotchaThe email used to bind becomes the recovery contact — use a shared mailbox, not a personal address
What the Managed Google Play Binding Actually Does
When you complete the binding wizard, Intune creates a Google-managed enterprise account (EMM-bound) on your behalf. Google registers your tenant as an Android Enterprise organization and returns an enterprise ID that Intune stores internally. From that point on:
Intune can silently distribute apps from the Managed Google Play Store to enrolled devices without users needing a personal Google account.
Corporate-owned enrollment profiles (fully managed, dedicated, COPE) become available under Devices > Enrollment > Android.
Managed Google Play app approvals sync into the Intune app catalog.
App configuration policies can target managed apps through the Android Enterprise channel.
This is the same connector that powers every deployment mode described in the Android Enterprise overview. There is no per-mode binding — one connection covers all modes in the tenant.
Step-by-Step: Creating the Connection
Step 1Navigate to the binding wizardDevices > Enrollment > Android > Managed Google Play > Connect
Step 2Agree to the termsCheck "I agree" and click Launch Google to connect
Step 3Complete the Google sign-inSign in with the shared mailbox you will use as the EMM recovery contact
Step 4Confirm back in IntuneThe console shows "Managed Google Play is connected" and the linked account email
Open the binding wizard. In the Intune admin center, go to Devices > Enrollment > Android > Managed Google Play. Click Connect.
Accept the terms. Read the data-sharing summary, check I agree to grant Microsoft permission to send both user and device information to Google, then click Launch Google to connect. A pop-up or redirect opens the Google EMM enrollment flow.
Sign in to Google. Use the shared mailbox or service account you designated as the EMM admin contact — for example, intune-android@contoso.com. This account is stored by Google as the enterprise recovery contact. It does not need Google Workspace; a standard Gmail or any Google-backed account works. If the pop-up is blocked, allow it in the browser and retry.
Complete the Google enrollment steps. Google walks you through confirming the enterprise name (pre-filled from your tenant) and agreeing to the Android Enterprise agreement. Click Confirm when prompted.
Return to Intune and verify. After Google redirects back, the Managed Google Play pane should show the status as Connected with the linked Google account email displayed. If the status still shows Not configured, refresh the page and wait up to two minutes for the sync to complete.
Use a shared mailbox, not a personal address
The Google account used here becomes the EMM admin contact for your enterprise's Android Enterprise registration. If that person leaves, Google's recovery path requires access to that inbox. A shared mailbox or service account with a distribution list behind it is the correct pattern.
What the "No Google Account Needed" Model Means in Practice
A common point of confusion: end users enrolling Android Enterprise devices do not sign into a Google account during enrollment for corporate-owned management modes (fully managed, dedicated, COPE). Managed Google Play distributes apps silently using the enterprise binding — Google identifies the device as part of your enterprise, not as belonging to a specific user's personal Google account. This is what distinguishes Android Enterprise from the legacy Device Administrator model.
For BYOD work profile enrollment, the user's personal Google account remains in the personal profile, but the work profile apps are sourced from Managed Google Play using the enterprise binding — again, not the user's personal account. See the detailed Managed Google Play setup guide for the full account model.
What Breaks if the Connection Lapses
Failure scenario
Impact
Recovery
Binding account deleted or disabled
App syncs fail; new enrollment profiles may not validate
Re-authenticate with a valid Google account in the Managed Google Play pane
Token expiry / manual disconnect
Managed Google Play app catalog goes stale; new app approvals blocked
Reconnect via Devices > Enrollment > Android > Managed Google Play
Google enterprise account deleted at the Google side
Full loss of Android Enterprise capability; enrolled devices may lose app access
Create a new binding; existing enrolled devices may need re-enrollment
Admin consent not granted correctly
Intune cannot query Managed Google Play; app sync shows errors
Disconnect and reconnect, ensuring the Global Admin performs the binding
Never disconnect the binding in production
Disconnecting the Managed Google Play binding does not automatically remove apps from already-enrolled devices, but it breaks all future app distribution and policy enforcement from the Android Enterprise channel.
If you are migrating tenants, establish the new binding before any device migrations begin — do not disconnect the old tenant until all devices are moved.
Only Global Administrators can create or modify the binding; Intune Service Administrators alone cannot complete this step.
Verifying the Connection Is Healthy
Check binding status. In the Intune admin center, Devices > Enrollment > Android > Managed Google Play. Status should read Connected with a linked account shown.
Confirm app sync works. Go to Apps > Android and attempt to add a Managed Google Play app. If the store picker opens without error, the binding is functioning.
Check tenant-level enrollment blockers. If enrollment profiles are not appearing under Devices > Enrollment > Android > Corporate-owned, confirm the binding is present — it is a prerequisite for the UI to render those options.
Next Steps After Binding
With the Managed Google Play connection in place, the next decision is which management mode fits your use case — work profile for BYOD, fully managed or COPE for corporate-owned, or dedicated for kiosk/frontline. That choice drives every subsequent enrollment profile, restriction policy, and app deployment decision. Once the mode is chosen, you can start deploying Managed Google Play apps to your device groups.
Do
Use a shared mailbox or service account as the binding Google identity
Document the binding account and store the credentials in a secure vault
Verify the connection immediately after setup by attempting an app sync
Have a Global Administrator perform the binding — not just an Intune Service Admin
Treat the binding as a tenant-wide singleton — one connection covers all Android Enterprise modes
Don't
Use a personal employee Google account as the binding identity
Disconnect the binding in a production tenant without a full migration plan
Assume the binding renews automatically without monitoring its health periodically
Confuse the EMM binding account with end-user Google accounts — they are unrelated
Insights
The binding email is not surfaced to users. End users never see the Google account used for the EMM binding during enrollment or app installation — it is purely an infrastructure identity between Google and Microsoft.
App approvals are a separate step from the binding. After connecting, an admin must still visit Managed Google Play inside Intune (or the standalone play.google.com/work portal) and approve each app before it can be deployed. A connected binding does not automatically surface all apps.
The binding is free at any scale. There are no per-device or per-user charges from Google for Android Enterprise or Managed Google Play distribution. Licensing costs are entirely on the Microsoft/Intune side.
One binding, many modes. Engineers sometimes ask if they need separate bindings for work profile vs. fully managed. They do not — the single binding covers all Android Enterprise management modes simultaneously in the same tenant.
Browser pop-up blockers break the wizard silently. If the Google authentication window fails to open during setup, it is almost always a pop-up blocker on the admin's browser. Use a browser profile with pop-ups allowed for intune.microsoft.com and accounts.google.com.
Work profile, fully managed, COPE, or dedicated — pick before you provision.
Android Enterprise gives you four distinct management modes, and the one you pick determines what Intune can control, what data gets separated, how the device is reset, and what the user experience looks like. This decision must be made before the first device is provisioned — you cannot migrate a work-profile device to fully managed in place, or re-enroll a fully managed device as COPE without a factory reset. Get this wrong and you are doing a re-enrollment project.
The fundamental fork is ownership. User-owned (BYOD) phones go down the Android Enterprise work profile path every time. Corporate-owned devices get three options that differ by how much of the device Intune manages and whether a personal space exists. Understand the consequences of each before you open the door to enrollment.
Applies toAndroid Enterprise — all management modes
RequiresManaged Google Play connected to the tenant
GotchaMode is set at enrollment time and cannot be changed without a factory reset
The Four Modes at a Glance
Mode
Ownership
Intune manages
Personal space
Reset on retire
Work Profile (BYOD)
User-owned
Work profile only
✅ Fully private
Work profile wiped, personal untouched
Corporate-Owned Work Profile (COPE)
Corporate
Full device + work profile
✅ User-accessible personal space
Full factory reset
Fully Managed (COBO)
Corporate
Full device, no personal space
❌ None
Full factory reset
Dedicated (COSU)
Corporate
Full device, locked to one or a few apps
❌ None
Full factory reset
Mode Deep-Dive
Work Profile — BYOD
The work profile creates a cryptographically isolated container on the user's personal phone. Work apps (Teams, Outlook, your line-of-business apps) run inside it and show a badge icon. Personal apps are completely invisible to Intune — the policy engine cannot enumerate personal apps, see personal data, or touch the personal side. When you retire the device, only the work profile is wiped; the user's personal data stays intact. This is the only appropriate mode for employee-owned devices. See Work Profile Enrollment (BYOD) for the full provisioning walkthrough.
Corporate-Owned Work Profile (COPE)
COPE gives you the full-device management authority of a corporate-owned device while still giving the user a personal space for their own apps. Intune can enforce restrictions at the device level (hardware controls, system apps, device-level passcode) and also at the work-profile level. The user gets both a work and a personal profile, but the company owns the device and a retire action triggers a factory reset — not just a profile wipe. COPE is the right choice for corporate smartphones where you want to give the user a personal experience without losing visibility over the whole device. A COPE device always enrolls as corporate-owned; it never starts as BYOD.
Fully Managed (COBO — Corporate Owned, Business Only)
Fully managed devices have no personal space. The user signs in with a corporate account during provisioning and the entire device is under Intune's control. There is no personal app store access, no side-loading path that you don't explicitly allow, and no separate profile — it is one unified device. This is the right mode for dedicated corporate-liable devices where you want the strongest management boundary: rugged handhelds, shared frontline devices that nonetheless need user-affiliated management (worker signs in each shift), and high-security environments. See Fully Managed Enrollment for provisioning steps via QR code or zero-touch.
Dedicated Devices (COSU — Corporate Owned, Single Use)
Dedicated devices are the Android equivalent of a kiosk. They are corporate-owned, fully managed at the device level, and locked to a curated set of apps using Managed Home Screen or an OEM launcher. No user affiliation is required — the device does not sign in to a specific user identity. This is the right mode for retail POS terminals, scanning guns, digital signage, and clinical workstations where the device serves a single function. See Dedicated Device Enrollment for the enrollment token and kiosk profile walkthrough.
Choose Your Mode
User-owned phone, employee wants to keep personal life privateWork Profile (BYOD)Personal data is untouched by IT; work data is isolated in the work profile.
Corporate smartphone, user wants a personal app experience tooCOPEFull-device management plus a user-accessible personal space; factory reset on retire.
Corporate phone, no personal use, worker has a named identityFully ManagedStrongest MDM control, no personal distraction, user-affiliated compliance reporting.
Shared or single-purpose device (scanner, kiosk, POS, signage)DedicatedNo user affiliation needed; lock the UI to one or a curated set of apps.
COPE vs fully managed is the most common misfire
If your organization issues corporate phones and your acceptable-use policy allows limited personal use, COPE is almost always the right call — users stay happier and you keep device-level control. If personal use is prohibited by policy or by use case (clinical, rugged, frontline shared), go fully managed.
Why This Decision Cannot Wait
Android Enterprise management mode is embedded in the enrollment token and baked in at first boot. There is no in-console switch to change a device from work-profile to fully managed, or from fully managed to COPE. The only path is a factory reset and re-enrollment. This means you need to finalize the mode decision before you hand the first device to a user — not halfway through a pilot when someone realizes work-profile restrictions are too loose or too tight. Document the decision, tie it to your ownership and acceptable-use policies, and brief the helpdesk on what each mode means for remote actions (a work-profile retire does not wipe the user's photos; a fully managed wipe does).
For a full treatment of the tradeoffs — including privacy disclosures, per-app VPN scoping, and the compliance policy differences per mode — see Choosing a Management Mode in the Android fundamentals section. Once you have settled on the right mode for each device population, the next step is setting up the provisioning mechanism: QR-based fully managed enrollment or zero-touch for at-scale corporate deployments.
Things that bite engineers who choose too late
Enrolling BYOD phones as work-profile then switching policy to block personal app access — you cannot restrict the personal side from a work-profile device; you need COPE or fully managed for that.
Choosing fully managed for a population that expects personal app access — expect immediate pushback and a COPE re-enrollment project.
Assigning COPE to a shared kiosk scenario — COPE requires a named user; use dedicated devices for shared hardware.
Skipping enrollment restrictions until after go-live — without blocking personal-device enrollment, users will self-enroll BYOD into corporate-owned profiles.
Insights
Most orgs need two or three modes simultaneously. Corporate phones for knowledge workers (COPE or fully managed), shared rugged scanners for the warehouse floor (dedicated), and personal phones for part-timers who will never accept a corporate device (work profile BYOD). Model each population separately.
COPE compliance policy covers the whole device, work profile policy covers just the profile — both apply. A fully managed device only has device-level compliance. Know which compliance conditions land where or you will end up with gaps.
App protection policies (MAM) and MDM enrollment are not the same thing. For BYOD populations that refuse enrollment entirely, MAM-only app protection is the fallback — but that is a separate architecture, not a management mode.
Dedicated devices need Managed Home Screen or an OEM launcher configured before you hand the device to a line manager. Dropping a fully managed device without a kiosk profile produces a confusing bare Android experience that no one expects.
Provision corporate Android at scale with Google Zero-Touch and Samsung Knox Mobile Enrollment.
For corporate-owned Android fleets, shipping devices that self-enroll the moment an employee powers them on is a solved problem — if you have the right reseller relationship and portal configured before the first box ships. Google Zero-Touch Enrollment and Samsung Knox Mobile Enrollment (KME) are the two mechanisms that make this happen. Both eliminate manual QR scanning and token entry at scale, but they serve different hardware footprints and carry different operational overheads. Getting either wrong costs you a re-flash of every device in the first wave.
This page walks the complete setup for both paths: the Zero-Touch portal and its Intune binding, the Knox portal and its MDM profile, and how to decide which approach — or which combination — fits your deployment. For the detailed mechanics of the Knox portal itself, see the Samsung KME Deep Dive. For QR-code and enrollment-token alternatives when you're under 50 devices or your reseller doesn't support either program, see the QR and Provisioning Payload Reference.
Applies toAndroid Enterprise — Fully Managed (COBO/COPE) and Dedicated devices
RequiresReseller enrolled in Zero-Touch or Knox program; Google Play managed account linked to Intune
GotchaZero-Touch doesn't work on Samsung devices running Android 8 or earlier; KME doesn't work on non-Samsung hardware
Choosing Your Path: Zero-Touch vs KME
The decision mostly comes down to hardware vendor, not preference. Zero-Touch is the Android Enterprise standard; KME is Samsung's proprietary layer on top of it. Both achieve the same end-state — a fully managed device that enrolls automatically — but they are configured in different portals and have different reseller requirements.
Mixed fleet or non-Samsung Android hardware (Pixel, Nokia, Zebra, Honeywell, etc.)Google Zero-TouchGoogle's standard works across all Zero-Touch-capable hardware from enrolled resellers
Samsung-only fleet and your reseller is Knox-enrolledSamsung KMEMore granular Knox customization, works on Android 6+ (vs Zero-Touch's Android 8+ requirement)
Samsung fleet and reseller supports bothKME first, Zero-Touch fallbackKME applies at the SIM/device level; Zero-Touch catches re-flashed or replaced handsets
Under 50 devices or no reseller program availableQR / enrollment tokenSlower but requires no reseller relationship; see the provisioning payload reference
Google Zero-Touch Setup
Step 1 — Establish the Reseller Relationship
Zero-Touch only works for devices purchased from a reseller that is enrolled in the Google Zero-Touch program. When you order hardware, give the reseller your Zero-Touch customer ID so they can associate device IMEIs/serial numbers to your account at the time of purchase. Devices that already shipped cannot be retroactively added through a reseller — you'd have to use a QR code or factory-reset and re-provision via another method.
Confirm reseller enrollment before you order
Not every Android reseller is in the Zero-Touch program. Ask explicitly before placing the order — not after the devices arrive.
The customer ID you give the reseller is found in the Zero-Touch portal under Account > Customer ID. Give this to procurement before any PO is raised.
Step 2 — Link Zero-Touch to Intune
Step 1Open the Zero-Touch portalGo to partner.android.com/zerotouch, sign in with a Google account that has admin rights
Step 2Connect Intune in the Intune consoleDevices > Enrollment > Android > Zero-touch enrollment — sign in and authorize
Step 3Create a configuration in the Zero-Touch portalConfigurations tab > New configuration — paste the Intune DPC extras JSON, assign to devices
Step 4Assign the configuration to device setsAll devices in your account, or filtered by metadata the reseller attached
Configuring the DPC Extras JSON
The Zero-Touch portal's configuration binds a Device Policy Controller (DPC) — in Intune's case, the Microsoft Intune app — to your tenant. You select Microsoft Intune as the EMM DPC, then in the DPC extras field you provide a JSON blob that identifies your enrollment profile.
In Intune, create or verify an Android enrollment profile. Navigate to Devices > Enrollment > Android > Android Enterprise > Corporate-owned, fully managed user devices (or Dedicated depending on your mode), and create a profile. Copy the enrollment token value.
In the Zero-Touch portal, open Configurations > New configuration. Set the EMM DPC to Microsoft Intune. In the DPC extras field, enter the JSON:
{"android.app.extra.PROVISIONING_LEAVE_ALL_SYSTEM_APPS_ENABLED":true,"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"<your-token>"} Replace <your-token> with the token from Intune.
Set a descriptive name and save. Names like Intune-COBO-Production keep things sane when you have multiple configurations for different device classes.
Assign the configuration to All Devices (or a metadata-filtered subset if your reseller tagged devices by department or region).
Enrollment tokens expire
Android enrollment tokens have a 90-day expiry by default (configurable up to a year). If your Zero-Touch configuration references an expired token, new devices will fail provisioning silently. Calendar a recurring check or set the token expiry to align with your device procurement cadence.
When a Zero-Touch device is powered on for the first time, Setup Wizard detects the Zero-Touch configuration, downloads the Intune app, and begins enrollment — no user interaction required beyond accepting the management policy prompt. For a broader enrollment walkthrough, see the Zero-Touch and KME overview.
Samsung Knox Mobile Enrollment (KME) Setup
KME is Samsung's proprietary provisioning system built into the Knox firmware. It fires before Android Setup Wizard even launches, which gives it advantages Zero-Touch doesn't have: it survives factory resets (the device will re-enroll automatically), it works on Android 6+, and Samsung resellers can bulk-upload device IMEIs via CSV at point of sale.
Prerequisites
A Knox Portal account at knox.samsung.com — register with a business email; Samsung reviews new accounts.
A reseller enrolled in the Knox Reseller Program who can associate purchased device IMEIs to your Knox account at time of sale.
An Android Enterprise enrollment profile already created in Intune (same one you'd use for Zero-Touch, or a dedicated one).
KME Configuration in the Knox Portal
Log into the Knox portal at knox.samsung.com and navigate to Knox Mobile Enrollment > Profiles > Create Profile.
Set the MDM server. Under the MDM section, enter your Intune custom enrollment URL. This is the same DPC extras / enrollment token mechanism as Zero-Touch — paste the Intune server URI and enrollment token into the MDM Server URI and MDM Extra Data fields respectively.
Configure Knox settings. Choose whether to skip Setup Wizard steps, allow the user to cancel enrollment (almost always No for corporate devices), and set the enrollment type to Android Enterprise.
Save the profile and assign it to your uploaded devices under Devices > Assign Profile.
Upload device IMEIs. If your reseller hasn't already pushed devices into your account, use Devices > Upload Devices to bulk-import a CSV of IMEI numbers. The CSV must include IMEI, serial number, and optionally a user or tag.
KME device ownership caveats
Devices remain in your Knox account permanently until you explicitly release them. If you're re-using devices previously enrolled in another tenant's KME, the previous owner must release them from the Knox portal first — you cannot enroll them under a new profile until that's done.
If a device's IMEI is not in your Knox account, KME provisioning won't trigger. The reseller must upload it at point of sale or you must add it manually before the device reaches the end user.
For detailed Knox portal navigation, profile option explanations, and the full Intune MDM profile field reference, the Samsung KME Deep Dive covers every setting you'll encounter.
What If You Have No Reseller Program?
For fleets under ~50 devices, or in situations where your reseller can't participate in either program, QR-code provisioning and enrollment tokens deliver a functionally identical end-state — but with a technician scanning or entering the code at first boot. This is entirely reasonable at small scale and removes the reseller dependency entirely. The QR and Provisioning Payload Reference covers how to generate the QR, encode the enrollment token, and what happens when you use NFC bump instead of a QR.
Insights
Get the customer ID to procurement before the first PO. The single most common Zero-Touch failure is devices arriving without IMEI association because the reseller never got the customer ID. Make it part of the hardware procurement checklist, not an afterthought.
Enrollment tokens in Zero-Touch configs expire silently. A Zero-Touch config with an expired token will let devices power on normally but fail to enroll — the device just drops into a standard personal setup. Monitor token expiry dates like you would a certificate.
KME survives factory resets; Zero-Touch doesn't always. A factory-reset Zero-Touch device re-triggers provisioning only if the IMEI is still in your portal. KME is baked into the Knox firmware and re-triggers automatically. For shared or high-turnover fleets, KME's persistence is a genuine operational advantage.
You can run both simultaneously on Samsung hardware. KME fires first; Zero-Touch acts as a backstop. If your Samsung reseller supports both, configure both — they don't conflict and it covers edge cases like carrier-unlocked replacement units that bypass KME.
The enrollment profile assigned at Zero-Touch time is not locked in. Changing the DPC extras JSON in the Zero-Touch portal affects newly provisioned devices only. Already-enrolled devices are managed by whatever policy Intune is pushing — the Zero-Touch config is a boot-time trigger, not an ongoing policy binding.
Build the corporate-owned enrollment profile and token per management mode.
Android Enterprise enrollment profiles are the bridge between a factory-reset device and a fully managed Intune object. For corporate-owned modes — fully managed, dedicated, and COPE — the profile generates an enrollment token that gets embedded in a QR code or a zero-touch/KME config. For BYOD work profile, no token is needed; Company Portal walks the user through it. Getting the profile right before devices leave the box saves you from re-provisioning at scale.
Each management mode has its own profile type and its own verification path. This page walks each one, covers the token lifecycle, and explains how to build dynamic Entra groups on enrollment profile name so policies land automatically on day one.
Applies toFully managed, dedicated, COPE (corporate-owned work profile), BYOD work profile
RequiresManaged Google Play connected; Intune license assigned
GotchaEnrollment tokens expire (default 90 days, max 65 years); devices provisioned after expiry silently fail
Corporate-Owned Profiles: Fully Managed, Dedicated, and COPE
All three corporate-owned modes share the same profile-creation flow in the console. The key difference is the Enrollment profile type you select, which determines what the provisioned device can and cannot do.
Step 1Create the profileNavigate to the enrollment blade and choose the profile type that matches your mode.
Step 2Configure token settingsSet token expiry and optionally embed Wi-Fi credentials in the QR payload.
Step 3Download or share the QR / tokenExport the QR code image or copy the JSON token for zero-touch/KME binding.
Step 4Target with dynamic groupsCreate an Entra dynamic device group filtered on enrollmentProfileName to auto-assign policy.
Step-by-step procedure
Open the enrollment blade. Go to Devices > Enrollment > Android > Enrollment profiles under the Corporate-owned section. You will see three sub-types listed: Fully managed, Dedicated devices, and Corporate-owned work profile (COPE).
Create a new profile. Select the appropriate sub-type and click Create profile. Give it a descriptive name that you will use later for dynamic group targeting — something like Corp-FullyManaged-US-Warehouse works better than Profile1.
Set token validity. The default token expiry is 90 days; you can extend it up to 65 years for long-lived deployment scenarios. For dedicated and kiosk devices that rarely get touched by IT, set a longer expiry. For short-term pilot tokens, keep it tight. The token expiry is shown in the profile blade after creation.
Optionally embed Wi-Fi in the QR payload. Under Wi-Fi, enter the SSID, security type, and password. This is critical for devices being provisioned out of the office or in a warehouse with no open network — the QR scan will join Wi-Fi before downloading the management profile. Without this, devices need to be on a known network or connected via Ethernet adapter during setup.
Save and retrieve the token. After creation, open the profile and click QR code to download the scannable image, or click Token to copy the JSON blob for use in a zero-touch or KME configuration. Both represent the same token — the QR code is just a visual encoding of it.
Create a dynamic device group in Entra. Navigate to Entra ID and create a new device group with a dynamic rule: (device.enrollmentProfileName -eq "Corp-FullyManaged-US-Warehouse"). Devices enrolled via that profile will automatically join the group within minutes of enrollment, pulling down any assigned configuration profiles, apps, and compliance policies without manual targeting.
Name your profiles for dynamic targeting
The enrollment profile name is the single most useful dynamic group attribute for Android Enterprise. Treat it like a structured identifier — include mode, region, or purpose — because you cannot change it after devices enroll.
Work-profile enrollment for personal (BYOD) devices uses a completely different path — the user downloads Company Portal from the Google Play Store and walks through enrollment themselves. There is no enrollment profile to create in the corporate-owned section. Intune automatically provisions a work profile container on the device. The only pre-configuration you need is ensuring enrollment restrictions are not blocking personally owned Android devices, and that your compliance and app protection policies are assigned to user groups.
Common token and provisioning failures
Expired token: devices get a generic "could not add your device" error during QR provisioning. Check the token expiry in the profile blade before any deployment event.
QR scan on wrong Android version: QR provisioning requires Android 9 or later. Older devices need NFC bump or manual DPC identifier entry (afw#setup).
Wrong profile type used: fully managed and dedicated profiles look identical in QR output but produce different management modes. Label your QR codes — once a device is enrolled as dedicated, it is not trivially flipped to fully managed without a factory reset.
Wi-Fi not embedded: provisioning stalls at "Checking for update" on devices without network access. Embed the credentials in the QR or pre-stage a guest network for enrollment.
QR Provisioning and Token Reference
The enrollment token is also surfaced as a raw JSON object — useful when binding Intune to Google Zero-Touch or Samsung KME programmatically. See the QR and provisioning payload reference for the full schema, including how to add custom DPC extras for Intune-specific provisioning options.
When using zero-touch, you paste the enrollment token JSON into the zero-touch portal's DPC extras field. When using Samsung KME, the same token embeds in the Knox Deployment App config. Both methods mean devices boot straight into managed setup without a QR scan — ideal for devices shipping directly to remote sites.
Verifying Enrollment Per Mode
Factory-reset a test device and provision it using the QR code for the relevant mode.
Check Devices > All devices in the Intune console. The device should appear within 5 minutes of completing setup. Verify the Management type column shows Android Enterprise and the Ownership shows Corporate.
Confirm the enrollment profile name is populated on the device record (visible under Hardware or via Graph at managedDevices/{id}/enrollmentProfileName). If it is blank, the dynamic group rule will not match.
Check the dynamic group in Entra — the device should appear within 5–15 minutes. Trigger a manual policy sync from the Intune device blade if you need to accelerate the first policy application.
For BYOD work profile: confirm the device shows as personally owned, and verify the work profile badge appears on managed apps on the device. The work-profile container must be active before app protection policies can apply.
Rotate tokens before deployment events
Before a large provisioning event — an office opening, a warehouse rollout — regenerate the token in the profile blade to reset its expiry clock. You keep the same profile name (and thus the same dynamic group targeting), while getting a fresh QR code with a new expiry date.
Insights
One profile per population, not per device model. Use enrollment profiles to reflect deployment populations (region, role, management mode), not hardware SKUs. Dynamic groups do the targeting; you do not need dozens of near-identical profiles.
Token expiry is an operational risk that bites at scale. Build a calendar reminder for every enrollment token — even long-lived ones. A stale QR circulating in a field technician's toolkit will fail silently until someone investigates a support call.
COPE and fully managed look identical to the provisioning person. Add a visual indicator to your QR printouts (color coding, large text label) so warehouse staff and field techs cannot accidentally mix them up during device staging.
The dynamic group attribute enrollmentProfileName is case-sensitive. Mismatches between the profile name in Intune and the string in your dynamic group rule result in devices sitting un-targeted. Verify with a Graph query before go-live.
BYOD users who skip Company Portal enrollment still get MAM. App protection policies apply to managed apps even on unenrolled personal devices. Do not require full MDM enrollment if MAM-only is sufficient for your BYOD population — it reduces friction and support calls.
Land restrictions, passcode, and the hardening baseline appropriate to the mode.
Android's multi-mode architecture is one of its greatest strengths and one of its sharpest sharp edges. The same device-restriction profile that locks down a fully managed corporate device will silently no-op — or worse, break enrollment — when pushed to a work-profile device, because the two modes expose entirely different policy surfaces. Deploying the Android configuration baseline means building separate profiles for each mode you operate and being deliberate about what you assign to whom before the first real device touches enrollment.
This page walks the day-one baseline deployment: passcode and device restrictions scoped correctly per management mode, the hardening additions that sit on top, targeting strategy (device vs user groups), and how to validate that policies actually landed rather than silently failing. If you haven't decided on your management mode yet, settle that first — see choosing a management mode before proceeding.
Applies toAndroid Enterprise: Work Profile (BYOD/COPE), Fully Managed, Dedicated
A "Fully Managed/Dedicated/Corporate Work Profile" restriction profile pushed to a BYOD work-profile device will show as Succeeded in reporting but enforce nothing — the MDM channel rejects settings it doesn't recognize for that enrollment mode.
Always use dynamic Entra groups filtered on deviceEnrollmentType or enrollmentProfileName to gate the right profile to the right mode.
Build the Work-Profile Baseline (BYOD & COPE)
The work-profile baseline is intentionally constrained. You're operating inside someone's personal device. The profile enforces work-side hygiene without touching personal space — your passcode and lock policies and device restrictions documentation covers the full setting reference.
Step 1Create the work challenge profileDevices > Configuration > Create > Android Enterprise > Personally Owned Work Profile > Device restrictions
Step 2Set work-profile restrictionsCross-profile copy/paste, contact sharing, screen capture, camera in work profile
Step 3Assign to BYOD groupTarget a dynamic device group scoped to personally owned work-profile enrollments
Step 4Validate per-setting statusDevices > Configuration > [profile] > Device and user check-in status > Per-setting status
Key Work-Profile Restriction Settings
Work profile password type. Set to Numeric complex or Alphanumeric with a minimum length of 6. This enforces only the work challenge — the personal screen lock is the user's business and cannot be set from here on a BYOD device.
Block cross-profile copy and paste. Set to Block. This is the most-requested data-loss control on BYOD. Note it prevents copying from work apps to personal apps but does allow the reverse (personal-to-work) unless explicitly blocked.
Block contact sharing from work profile. Set to Block to prevent work contacts from appearing in the personal dialer — a common privacy and data-leakage concern in regulated industries.
Screen capture in work profile. Set to Block to prevent users screenshotting work content with the personal camera app.
Work profile camera access. Leave Not configured unless you have a specific reason — blocking the camera inside the work profile will prevent work apps like Teams from using it.
COPE adds corporate-side controls
For corporate-owned work-profile (COPE) devices, create a second profile using the Corporate-Owned Work Profile type. This unlocks device-level controls (safe boot, USB, developer mode) that aren't available on personally owned BYOD profiles, while still maintaining the work/personal separation the user expects.
Build the Fully Managed & Dedicated Baseline
Corporate-owned fully managed and dedicated devices are yours end-to-end. The restriction surface is much broader, and the hardening baseline for these modes includes controls that would be invasive on a BYOD device but are appropriate on a company-issued device.
Create the fully managed restriction profile. Navigate to Devices > Configuration > Create > Android Enterprise > Fully Managed, Dedicated, and Corporate-Owned Work Profile > Device Restrictions. Name it clearly, e.g., AND-Corp-Restrictions-FullyManaged-v1.
Configure the passcode section. Set Required password type to Numeric complex minimum 6 digits, or Alphanumeric for higher-assurance environments. Set Maximum minutes of inactivity before screen locks to 5. Set Number of sign-in failures before wiping device to 10 — lower than you might think, because automated retry attacks can hit fast on Android.
Lock down Safe Boot and developer options. Set Block Safe Boot to Block and Block developer options to Block. Safe boot allows the device to bypass MDM protections — this is the one setting that must not be left open on any corporate device.
Control USB. Set USB file transfer to Block for most corporate fleets. On dedicated/frontline devices used for data capture, evaluate whether to allow USB OTG for specific hardware.
Factory Reset Protection account. Configure an FRP-bypass Google account under Google accounts that can remove Factory Reset Protection. Without this, a wiped device locks to the last enrolled Google account and becomes a brick — a common and expensive mistake in return/reissue workflows.
Play Protect and app verification. Ensure Google Play Protect is Enabled. On dedicated devices, also consider enabling Block installing apps from unknown sources — on fully managed devices this is enforced by the MDM channel, but the explicit restriction adds belt-and-suspenders.
Assign to corporate-owned device groups. Use a dynamic group filtered on deviceEnrollmentType -eq "androidEnterpriseDedicatedDevice" or "androidEnterpriseFullyManaged". Keep fully managed and dedicated in separate groups so you can tune restrictions independently.
Device vs User Assignment Targeting
Android Enterprise has a clear targeting rule that trips up engineers used to iOS or Windows:
Profile Type
Assign to
Why
Device restrictions (all modes)
Device groups
Restrictions are device-level; they apply regardless of who is signed in
Passcode/work challenge
User groups for BYOD; device groups for fully managed
Work-profile passcode is user-scoped; fully managed passcode is device-scoped
App configuration policies
User groups
App config is delivered to the user's managed Google account
Compliance policies
User groups (evaluated per user)
Compliance is always user-targeted in Intune
Dedicated devices have no user — assign to device groups
Dedicated (kiosk) devices have no associated user. Every policy that must apply to them — restrictions, passcode, app deployment — must target device groups. User-group assignments will never reach a dedicated device.
For compliance on dedicated devices, use the dedicated-device compliance policy with a device-group assignment.
Hardening on Top of Restrictions
Base device restrictions give you the day-one posture. The Android hardening baseline adds the next layer: stricter keyguard settings (disable camera and notifications on lock screen), Google account controls, system app block-lists, and Play Protect verification enforcement. Deploy hardening profiles to the same groups as restrictions, after piloting restrictions first.
Do
Pilot the baseline on a small device group (5–10 devices per mode) before broad deployment
Check per-setting status in the profile report to confirm each setting applied — not just the top-level "Succeeded"
Name profiles with mode, platform, and version: AND-WP-Restrictions-v1, AND-FM-Restrictions-v1
Keep work-profile and fully-managed restriction profiles entirely separate — never reuse the same profile across modes
Configure an FRP bypass account on fully managed devices before deployment reaches production scale
Don't
Assign fully managed restriction profiles to "All Devices" — work-profile enrollments will silently ignore them but clutter your reporting
Forget that the work-profile passcode only enforces the work challenge — it does not set the personal lock screen
Set sign-in failure wipe count below 6 on BYOD — users who hand phones to curious toddlers will file a lot of helpdesk tickets
Skip FRP account configuration on fully managed devices hoping you won't need it — you will
Validating That Policies Landed
Per-setting status report. Open the profile in Devices > Configuration, select the profile, then Device and user check-in status. Scroll to Per-setting status. Any setting showing Not applicable is a signal the profile type does not match the enrolled mode on that device — stop and audit your group targeting.
Device compliance report. Once passcode policies are assigned, verify the compliance policy picks up the password-not-set noncompliance for any device that hasn't yet set a work challenge. This confirms end-to-end policy delivery.
On-device verification. On a test work-profile device: confirm the work profile badge appears on managed apps, that copying text from a work app to a personal app is blocked, and that the work challenge prompts separately from the personal lock screen. On a fully managed device: confirm developer options are grayed out in Settings, and that unknown source installs are prevented.
Insights
The "Succeeded" lie. An Android restriction profile can report Succeeded at the device level while delivering zero enforcement, if the profile type doesn't match the enrolled mode. Always check per-setting status — the top-level status is just the delivery receipt, not a policy confirmation.
Work-profile restrictions can only touch the work side. If a BYOD user disables their personal screen lock, you cannot force it back from a work-profile restriction profile. Design your compliance policy to catch this at the device level and mark the device noncompliant instead.
FRP is the return-to-service blocker nobody plans for. Every team that skips the FRP bypass account configuration eventually has a wiped device they cannot re-enroll. Configure the bypass account on day one when you can do it at scale — retrofitting is painful.
Pilot with devices, not users. Dynamic device groups on enrollmentProfileName are the cleanest way to gate baseline profiles to a pilot ring without the user needing to do anything. Once validated, broaden the group scope rather than moving policies.
Import the community baseline to skip the build. Rather than constructing restrictions from scratch, import the Android baseline and tune from a known-good starting point — it already handles the mode split and has the FRP, Safe Boot, and keyguard settings populated for both work-profile and fully managed targets.
Managed Google Play apps, app config, and the required/available model.
Getting apps onto Android devices managed by Intune means going through Managed Google Play — not the consumer Play Store, not sideloading. Every app you push, whether it is a Microsoft first-party app, a third-party business tool, or an in-house APK, flows through your connected Managed Google Play organization. That connection gives Intune the app catalog to assign from, and it gives Android Enterprise the trust anchor that makes silent installation possible on fully managed and dedicated devices.
The day-one app set is small by design. Pile too many apps into the required list and you slow down every first enrollment, create remediation tickets for every install failure, and make compliance miserable. Start with the apps users cannot work without, use app configuration policies to pre-populate accounts silently, and let the rest land via available assignment or self-service.
MDM agent on work profile; required even when invisible
❌ Configured via enrollment profile
Company Portal is always required on work profile
Even though users on a work profile never open Company Portal to enroll (they use the dedicated flow), the app must be assigned as Required to every work profile group. Without it, app protection policies and compliance reporting break silently.
Required vs Available Assignment
The assignment type determines whether the app pushes silently to the device or appears as a catalog item in the work Managed Google Play store.
Assignment type
Behavior on fully managed
Behavior on work profile
Use for
Required
Silent install, no user action
Prompted install in the work profile Play Store
Productivity core, compliance-gated apps
Available (enrolled)
Visible in managed Play; user installs
Visible in work Play Store; user installs
Tools most but not all users need
Uninstall
Removes app silently
Removes from work profile only
Retiring or replacing an app
No silent install on work profile — that is by design
Android Enterprise work profile deliberately requires user consent before any app installs, including Required assignments.
The app appears in the work profile Play Store icon with a badge and waits for the user to tap Install.
If compliance depends on an app being present, give users a grace period to self-install before marking noncompliant.
App Configuration Policies for Silent Onboarding
The biggest time-saver on any Android rollout is account pre-configuration. Instead of asking every user to type their email address into Outlook and Teams, push the account via an app configuration policy that targets the managed app. Intune delivers the configuration as Android Managed Configurations (formerly app restrictions) through the Android Enterprise channel — no Company Portal required.
Step 1Approve app in Managed Google PlaySync to Intune — the app appears in Apps > Android
Step 2Assign app as RequiredTarget device group (fully managed) or user group (work profile)
Step 3Create App Configuration policyApps > App Configuration Policies > Add > Managed devices; link the same assignment groups
Step 4Configure Managed ConfigurationsSet com.microsoft.outlook.EmailProfile.EmailAddress = {{userprincipalname}} and similar tokens
Key configuration values for Outlook
Navigate to the app configuration. Go to Apps > App Configuration Policies > Add > Managed devices. Set platform to Android Enterprise and select your Outlook assignment.
Set the email address token. Add key com.microsoft.outlook.EmailProfile.EmailAddress with value type String and value {{userprincipalname}}. Intune substitutes the enrolled user's UPN at delivery time.
Set the account domain. Add key com.microsoft.outlook.EmailProfile.EmailAccountName with a friendly display name like Corporate Email.
Enable Account Setup Only mode. Set com.microsoft.outlook.AccountSetupOnly to true to prevent users adding personal accounts in the work profile Outlook — critical for a clean separation.
Assign to the same groups as the app. Mismatched assignment is the most common reason config never arrives.
Auto-Update Modes
Managed Google Play gives you four update behaviors per app. The right choice depends on whether you are managing a stable corporate fleet or allowing more flexibility. See the full breakdown on the App Update Modes page; for the day-one set, use these defaults:
Mode
Behavior
Recommended for
Default
Updates per device user preference
BYOD work profile — respects personal device habits
Not every app lives in the public Play Store. Internal APKs and web shortcuts both go through Managed Google Play as private apps or web apps. Approve a private APK via the Google Play developer console linked to your managed account, and it appears in your Intune app catalog exactly like a public app. Web apps create a home-screen shortcut with a managed icon — useful for intranet portals and SaaS tools that do not have a native Android app.
On work profile devices, every managed app shows a small briefcase badge in the bottom corner of the icon. This is the user's visual signal that the app is in the work container and subject to IT policy. Outlook, Teams, and Company Portal all appear with the badge on the work profile home screen page or in the work apps drawer, depending on the device launcher.
Users see two separate app stores: the regular Play Store for personal apps, and a work-badged Managed Google Play icon for work apps. Required apps that have not yet been installed show up in the work store automatically. Explain this to your helpdesk — "I don't see Teams" is almost always the user looking at their personal app drawer instead of the work one.
Insights
Sync Managed Google Play after approving apps. After approving an app in the Managed Google Play console, hit Sync in Intune (Tenant Administration > Connectors and tokens > Managed Google Play) before expecting the app to appear in the Apps list. The sync runs on a schedule but waiting for it during a rollout wastes time.
Required assignment on user groups delivers per-user, not per-device. For fully managed devices with a fixed user (user-affinity enrollment), assign required apps to user groups so the app follows the user. For dedicated/no-affinity devices, assign to device groups — there is no user to target.
App config and app assignment must share the same group scope. A config policy assigned to Group A delivering settings for an app assigned to Group B is a recipe for silent failure. When troubleshooting "config not arriving," check group alignment first.
Authenticator cannot be pre-configured silently. Unlike Outlook, Microsoft Authenticator registers itself with Entra during sign-in. There is no managed configuration that pre-registers the account; it just needs to be present before the user signs in to any other app.
Test on both BYOD and fully managed before go-live. Silent install behavior, config delivery timing, and the badge UX are meaningfully different between modes. A required app that installs silently on your test fully-managed device will still prompt a BYOD work-profile user.
Define a healthy Android device and gate resources — including Play Integrity.
Android compliance in Intune is the enforcement layer that turns policy into access control. You define what a healthy Android device looks like — minimum OS version, disk encryption, no rooted hardware, Play Integrity attestation passing — and Conditional Access gates Exchange, SharePoint, and Teams on that signal. Get the policy wrong and you either block legitimate users on their first enrollment day or you leave the door open to compromised devices. This page builds both halves correctly.
The Android story has one extra dimension that iOS and Windows don't share: the MDM-vs-MAM split for BYOD. Corporate-owned Work Profile and Fully Managed devices evaluate a device-level compliance policy. BYOD personal devices enrolled as Android Enterprise personally-owned work profile evaluate the same device policy — but unenrolled BYOD goes through App Protection Policy, and Conditional Access needs a separate grant condition for that lane. Both paths are covered below.
RequiresIntune P1 for compliance; Entra ID P1 for Conditional Access (included in M365 E3/E5)
GotchaPlay Integrity attestation has a known delay of up to 24 hours on first enrollment — don't enforce CA immediately after rollout
Build the Android Compliance Policy
Navigate to Devices > Compliance > Policies > Create policy and select Android Enterprise as the platform. You will be asked to choose the profile type: Fully managed, dedicated, and corporate-owned work profile for corporate devices, or Personally-owned work profile for BYOD enrollees. Each gets its own policy — the settings surface differs between them.
Device Health — Play Integrity. Set Google Play Integrity verdict to at minimum Check basic integrity. For higher-assurance corporate devices, set Check basic integrity & device integrity (hardware-backed attestation, requires certified hardware). The Strong integrity check option further validates boot chain integrity. Avoid enabling strong integrity for a mixed fleet on launch day — older certified devices may not pass and you'll block valid hardware. See the Play Integrity deep dive for the full verdict breakdown.
Device Health — Rooted devices. Set Rooted devices to Block. This is non-negotiable on corporate-owned hardware; on BYOD you can debate leniency, but blocking is the right default.
Device Properties — OS version. Set Minimum OS version to your supported floor. A common field-tested floor for 2025 is Android 12 for corporate-owned and Android 11 for personal. Anything below Android 10 lacks full Android Enterprise feature parity and should be retired, not accommodated.
System Security — Encryption.Require encryption of data storage on device should be Require. On modern Android (6+) this is enforced by default, but the compliance check confirms the OS is reporting it correctly. If a device fails this setting, it is almost certainly a sign of a compromised or modified OS.
System Security — Password. Set a minimum password complexity. For corporate-owned devices, High complexity (8+ characters, alphanumeric) is appropriate. For BYOD, Medium (4+ character PIN with no repeating sequences) is a reasonable ask that won't generate a flood of support tickets. Set Maximum minutes of inactivity before password is required to 5 minutes or less.
Microsoft Defender for Endpoint — Threat Level. If you are deploying Defender for Mobile Threat Defense, add the MTD connector condition here: set Require the device to be at or under the device threat level to Secured or Low. This ties Defender signal into the compliance evaluation. Skip this setting if MTD is not yet deployed — do not reference a connector that is not configured, as every device will report a pending state.
Noncompliance actions. Open the Actions for noncompliance tab. Set Mark device noncompliant with a grace period of at least 1 day (7 days is reasonable for a new rollout). Add a Send email to end user action on day 0 so users know why they are being flagged before access is cut. Do not start at 0 days grace unless you have a tested pilot population that is known to be in good shape.
Personally-owned work profile compliance
The personally-owned work profile policy only evaluates settings within the work profile container — it cannot see the personal side of the device. You cannot require full-disk encryption on a personal device using this policy type; that setting applies only to fully managed and corporate-owned profiles. Scope your expectations accordingly.
The MAM-vs-MDM Conditional Access Split
Android BYOD comes in two flavors and CA must cover both. Enrolled BYOD (personal work profile) evaluates device compliance like any MDM-managed device. Unenrolled BYOD — users who only have Outlook and Teams protected by App Protection Policy — never gets a compliant-device signal because there is no device record to evaluate against. Conditional Access handles this via the Require app protection policy grant, not Require compliant device.
Scenario
Enrollment
CA Grant Condition
Corporate-owned Fully Managed / COPE
MDM enrolled
Require compliant device
BYOD Android Enterprise personal work profile
MDM enrolled
Require compliant device
BYOD unenrolled (MAM-only, Outlook/Teams only)
Not enrolled
Require app protection policy
Personal device, no management at all
None
Block ✅ / Allow ❌ — your choice
The practical CA design is two policies targeting the same cloud apps (Exchange Online, SharePoint Online): one requiring compliant device for managed Android, one requiring app protection policy for unmanaged. The Filter for devices condition combined with Exclude logic keeps the grants from conflicting. See the Conditional Access deep dive for the policy structure.
Conditional Access: Report-Only Then Enforce
Step 1Build CA in report-onlyCreate the policy with Grant: Require compliant device, set to Report-only mode in Entra
Step 2Watch Sign-in logs for 1-2 weeksEntra Sign-in logs show what would have been blocked; hunt for false positives before enforcing
Step 3Exclude break-glass and shared accountsEmergency-access accounts and service principals must be excluded by group, not name
Step 4Flip to On and monitorEnable enforcement, watch for a spike in noncompliant sign-in failures, triage within 24 hours
The first-enrollment chicken-and-egg
A device must enroll in Intune and receive the compliance policy before it can be evaluated as compliant.
If CA is enforcing before enrollment, users need an Intune-capable app (Company Portal) to trigger enrollment — but CA may block app access to start the flow.
Exclude the Intune enrollment endpoint (Microsoft Intune Enrollment cloud app) from the compliant-device CA policy. Company Portal communicates through a separate endpoint that is not gated by the MDM-compliance CA policy, so enrollment itself is not blocked — but the Intune service app exclusion is still good hygiene.
Android device compliance evaluation requires the device to check in post-enrollment. Play Integrity results can take up to 24 hours to populate on first evaluation. Use the grace period to absorb this delay.
Validating Compliance State
Go to Devices > Compliance > Monitor > Device compliance to see the aggregate pass/fail picture. Drill into any noncompliant device by selecting it and reviewing the Device compliance blade — each setting reports its individual result. For Play Integrity specifically, the setting will show Not evaluated on a device that has never checked in with the Play Integrity API; do not confuse that with a failure.
Use Devices > All devices > filter by OS = Android and Compliance = Noncompliant to build your remediation list before you flip CA to enforcement mode. For fleet-wide compliance health, the Compliance Policies for Android page covers the per-setting reporting in more depth.
App Protection Policy as the BYOD Safety Net
For unenrolled BYOD covered by App Protection Policy, the compliance signal comes from the app, not the device. Intune evaluates whether the APPis present, whether the policy settings are met (PIN, copy-paste block, jailbreak/root check within the app), and whether the account is targeted. The CA grant Require app protection policy then surfaces this evaluation as an access gate on Exchange and SharePoint. This path requires Intune P1 and the target apps must be policy-managed apps (Outlook, Teams, Edge — not generic browsers). Review the App Protection Policies page for the full setting catalog before using APP as your BYOD CA gate.
Insights
Play Integrity is not SafetyNet. SafetyNet Attestation was deprecated. If your compliance policy still references SafetyNet (older tenants may have this), migrate it to Play Integrity now — the SafetyNet check will eventually return errors rather than results, and devices will sit in a perpetual pending state.
Grace period is your friend during rollout. A 7-day grace period lets you catch OS version outliers, attestation delays, and old devices before the helpdesk gets swamped. Tighten it to 1 day once you are in steady state and have a documented remediation path.
The 'Not evaluated' compliance state will surprise you. Devices that have never connected after receiving the compliance policy sit in Not evaluated, which CA treats as noncompliant by default. Watch for this on devices that were enrolled but sitting in a drawer — they will fail at first sign-in after CA is enforced.
Corporate-owned vs personal work profile need separate policies. The setting surface differs, the enforcement expectations differ, and assignment needs to target the right dynamic groups. Assigning a corporate-owned policy to a personal device will either silently fail or apply incorrect restrictions.
Android Go and Android (device administrator) have limited support. Device Administrator enrollment is being retired by Google. If you still have DA-enrolled devices, plan migration to Android Enterprise. DA devices will not pass most modern compliance checks and the DA compliance policy surface is much smaller.
Add Microsoft Defender for Endpoint as the MTD signal feeding compliance.
Microsoft Defender for Endpoint on Android is not just an antivirus — it is your Mobile Threat Defense (MTD) signal. When wired correctly, device risk assessed by Defender flows into Intune compliance, which flows into Conditional Access, so a device that detects a phishing URL or a malicious app is automatically cut off from corporate resources until it is clean. This page walks the full setup: connector, app, app config, web-protection VPN profile, and the compliance wire-up.
Android introduces wrinkles that Windows does not have: work-profile (BYOD) and fully managed devices need different deployment paths, the web-protection feature tunnels traffic through a local VPN that users can disable on BYOD devices, and the MTD threat-level signals only land in compliance if the connector is enabled before the compliance policy is saved. Get the sequence wrong and the risk feed is silently ignored.
Applies toAndroid Enterprise — work profile (BYOD/COPE) and fully managed/dedicated
Console pathEndpoint security > Mobile Threat Defense > Add connector
RequiresMicrosoft Defender for Endpoint Plan 1 or Plan 2; Intune license; Managed Google Play connected
GotchaEnable the connector before creating the compliance policy — adding threat-level to an existing policy does not back-fill the signal
Step Overview
Step 1Enable the MTD connectorTurn on the Defender for Endpoint connector in Endpoint security and set the threat thresholds
Step 2Deploy the app and app configPush Defender from Managed Google Play with a silent app config that ties it to your tenant
Step 3Deploy the web-protection VPN profileA VPN profile enables local phishing-URL filtering; required config differs by management mode
Step 4Wire threat level into complianceAdd the Device threat level condition to your Android compliance policy and test the signal
1. Enable the MTD Connector
Navigate to Endpoint security > Mobile Threat Defense > Add. Select Microsoft Defender for Endpoint. In the connector settings, toggle on the platform connections you need:
Connect Android devices version 6.0 and above to Microsoft Defender for Endpoint — enable this.
App protection policy evaluation — enable if you want MAM-enrolled (unenrolled BYOD) devices to also report risk. This is the MAM/no-enrollment path and uses App Protection Policy conditions rather than compliance policy.
Connector first, policy second
The compliance policy's "Device threat level" condition only evaluates if the connector is already active. Enable the connector, wait for the Connected status, then create or edit the compliance policy. Existing policies do not reprocess the signal when you add the connector later without re-saving them.
2. Deploy the App and App Configuration
Defender for Endpoint on Android is deployed from Managed Google Play. Go to Apps > Android > Add > Managed Google Play app and search for Microsoft Defender: Antivirus. Approve it and sync.
Assign the app as Required to your device groups (not Available — users must not be able to skip it). Then create an App Configuration Policy:
Navigate to Apps > App configuration policies > Add > Managed devices. Target Android Enterprise, choose the Defender app, and set the configuration designer format.
Add the key DefenderMAMConfigs or use the Defender-specific managed configuration schema. The critical values are the onboarding blob that silently registers the device to your Defender tenant without a user sign-in prompt. In the Intune console, the Defender app exposes the onboarding configuration key as a pre-built template — use that.
Assign the app config to the same groups as the app. The config must deploy before or simultaneously with the app or the user will be prompted to manually sign in to Defender.
BYOD scope limits
On a work-profile (BYOD) device, Defender runs inside the work profile and can only see work-profile apps and the local VPN. It cannot scan the personal side of the phone.
On fully managed and COPE devices, Defender has broader device-level visibility, including system app scanning.
Users on BYOD can disable the web-protection VPN from Android network settings — inform your compliance team this is expected behavior and not a policy failure.
3. Deploy the Web Protection VPN Profile
Defender's phishing-URL and malicious-site protection works through a local loopback VPN (not a real network tunnel — traffic stays on-device). You must push a VPN profile to enable it; without it, web protection is inactive even if Defender is installed.
Management Mode
Profile Type
VPN App
Connection Type
Work profile (BYOD/COPE)
VPN profile scoped to work profile
Microsoft Defender
Custom (per-app or device-wide within work profile)
Fully managed / dedicated
VPN profile scoped to device
Microsoft Defender
Custom — device-wide
Create the profile at Devices > Android > Configuration profiles > Create > VPN. Set the connection type to Microsoft Tunnel (standalone client) is not required here — instead select the Defender-specific connection type or use a custom OMA-URI profile with the DefenderForEndpointVPN managed configuration. The Intune documentation for Defender Android references the exact app config keys; the key you need is VPN set to 1 in the same managed config policy you deployed in Step 2 — there is no separate VPN profile required when using the app config approach. Confirm by opening Defender on a test device and verifying the Web Protection tile shows "Active."
4. Wire Threat Level into Compliance
Navigate to Devices > Android > Compliance policies and open your Android compliance policy (or create one per the Android compliance policies guide). Under Microsoft Defender for Endpoint > Require the device to be at or under the machine risk score, select your threshold:
Threat Level
Meaning
Typical Use
Secured
No threats detected
High-security / regulated environments
Low
Low-severity threats only
Most corporate fleets — recommended starting point
Medium
Medium and below threats tolerated
Rarely used — too permissive
High
Any threat level compliant
Effectively disables the signal — avoid
Start with Low. A device that Defender rates as Medium or High risk becomes noncompliant, and if your Conditional Access policy requires a compliant device, that device loses access to email and Teams until the threat is resolved or the user remediates and the device re-checks in.
Test the signal end to end
On a test device, use Defender's built-in test feature or trigger a sample detection. Confirm the device moves to noncompliant in the Intune console within 15 minutes, then remediate and confirm it returns to compliant. Do this in report-only mode before enforcing CA.
BYOD vs. Fully Managed: Deployment Differences
Aspect
Work Profile (BYOD/COPE)
Fully Managed / Dedicated
App deployment
Required to work profile
Required device-wide
App config scope
Managed devices — work profile
Managed devices — device owner
Web protection VPN
Scoped to work profile — user can disable from personal settings
Device-wide — more resilient
Scan scope
Work profile apps only
Full device including system apps
Compliance integration
✅ via MDM compliance policy
✅ via MDM compliance policy
MAM/no-enrollment path
✅ via App Protection Policy + connector
❌ not applicable
For a deeper look at the threat signal architecture and how to configure non-Microsoft MTD vendors, see the Mobile Threat Defense integration guide. For the Defender-specific platform deep-dive including advanced threat categories and the Microsoft 365 Defender portal view of Android signals, see Microsoft Defender on Android.
Insights
The connector status "Connected" does not mean devices are reporting. It means the channel is open. Devices only report once Defender is installed, the onboarding config is applied, and the app has checked in. Check the Device threat level column in the compliance report to see which devices are actually delivering a signal.
Silent onboarding via app config is the only production-viable path. Without the managed configuration onboarding blob, users on BYOD devices see a Defender sign-in prompt and most will abandon it, leaving the device without an MTD signal and showing "Not evaluated" in compliance.
Work-profile VPN can be defeated by the user — design around it. A BYOD user can turn off the local VPN from their Android network settings, disabling web protection. This does not mark the device noncompliant (it is not a policy violation); it simply means web-protection coverage is lost. Fully managed fleets have much stronger VPN persistence.
The "Secured" threat level will break compliance on first enrollment. Defender needs a few minutes to complete its initial assessment after installation. Setting the threshold to Secured with a short noncompliance grace period will mark freshly enrolled devices noncompliant before Defender has time to check in. Give a 24-hour grace period or start with Low.
App Protection Policy + MTD covers unenrolled BYOD. If you have users on personal devices that will never enroll in MDM, enable the App protection policy evaluation toggle in the connector and add the threat condition to your App Protection Policy in Intune. This path covers MAM-only scenarios without MDM enrollment.
One app, two modes — get the app config targeting right. The same Defender app serves both work-profile and fully managed modes, but the app config policy must be targeted to the correct enrollment type (work profile vs. device owner). Targeting the wrong type results in no config being applied and silent onboarding failure.
What the user sees enrolling a work profile or a fully managed device.
Android gives you two very different enrollment journeys depending on device ownership. A BYOD employee enrolling their personal phone through Company Portal and a helpdesk tech scanning a QR code onto a brand-new corporate handset are living in completely separate experiences — different apps, different prompts, different privacy boundaries. Understanding both journeys from the user's point of view is what separates a smooth rollout from a flood of Day-1 support tickets.
This page narrates each path end-to-end: what the user sees, what takes time, what looks alarming (but is fine), and what signals a genuine failure. Run through both yourself in a test tenant before you hand the keys to the business.
Applies toAndroid Enterprise work profile (BYOD/COPE), fully managed, dedicated
PrereqManaged Google Play connected; enrollment profile/token created
Key appIntune Company Portal (BYOD); Android Device Policy (corporate-owned)
GotchaUsers misread "work profile" as meaning IT controls their whole phone — address this in comms before Day 1
Journey 1: BYOD Work Profile via Company Portal
This is the most common Android enrollment path and the one with the most user anxiety. Walk your employees through what actually happens — most concerns dissolve once they understand what the work profile is and is not.
Step 1Install Company PortalUser downloads from Google Play and signs in with their work Entra account.
Step 2Consent to work profile creationAndroid prompts to create a managed work profile — a separate, encrypted container for work apps.
Step 3Profile provisioningAndroid Device Policy is silently installed in the work profile; takes 1–3 minutes on most devices.
Step 4Apps and compliance checkRequired Managed Google Play apps push to the work profile; compliance evaluation runs.
What the user sees after enrollment
Once the work profile is set up, the user's launcher shows a briefcase badge on all work apps — Outlook, Teams, Authenticator, and anything else you pushed. These live alongside personal apps but are entirely separated at the OS level. Work apps cannot read personal data; personal apps cannot read work data. Attempting to copy text from Outlook and paste into a personal app will be blocked if you have cross-profile copy/paste restricted.
There are two separate Google Play instances visible: the regular Play Store for personal apps, and a badged "Work" Play Store that only shows Managed Google Play apps you have approved. Users do not need a personal Google account for the work profile — the managed profile provides its own Google play context.
Privacy messaging matters more than the config
Send a plain-language one-pager before enrollment that says: IT can manage apps in your work profile, wipe the work profile, and see device info (OS version, device model, compliance status). IT cannot see your personal photos, texts, browsing history, or app list outside the work profile. This one-pager cuts support calls by half.
What good vs. stuck looks like (BYOD)
Symptom
Normal?
Action
Briefcase badge appears on work apps
✅ Expected
Enrollment complete
Work profile setup spins for >5 min
❌ Stuck
Check APNs reachability; retry enrollment
User sees "Your organization can see..." consent screen
✅ Expected
This is Android's built-in privacy disclosure — user must accept
Apps appear in personal space (no badge)
❌ Wrong
App was assigned to user not device, or pushed without work-profile scope
Compliance shows "Not compliant" immediately after enrollment
Normal briefly
Wait up to 15 min for first evaluation; check if work challenge / passcode policy is pending
For a deeper look at the BYOD enrollment flow and common failure points, see the BYOD enrollment experience page, which covers the specific error codes users hit during Company Portal provisioning.
Journey 2: Fully Managed and Dedicated — QR or Zero-Touch First Run
Corporate-owned fully managed and dedicated devices go through a completely different path. There is no Company Portal download step; the MDM agent (Android Device Policy) is provisioned during the Android setup wizard itself, before the user ever touches the home screen. The device is IT's from the moment it powers on.
QR code provisioning (most common for non-zero-touch fleets)
Factory-reset the device (or unbox new). At the first Android Welcome screen, tap the screen six times rapidly to invoke provisioning mode — the device will prompt for a QR scanner.
Scan the enrollment QR code from Devices > Enrollment > Android > Corporate-owned devices > (your enrollment profile) > Token > QR code. The QR encodes the MDM enrollment token, Wi-Fi credentials, and language/locale.
Android Device Policy downloads and installs. The device connects to Google, pulls the management agent, and registers with Intune. On a solid Wi-Fi connection this takes 3–6 minutes. The screen shows a plain setup progress animation — this is normal.
Device registers with Intune. Policies and apps begin pushing. Required apps for a fully managed device install before the user reaches the home screen if they are in the enrollment profile's required set.
User signs in (user affinity) or device boots to Managed Home Screen / kiosk (no affinity). If you chose user affinity, the user enters their Entra credentials at this point. For dedicated/kiosk devices, you arrive directly at the Managed Home Screen.
Timing traps to warn users about
The QR provisioning step requires the device to reach Google's servers — make sure provisioning happens on an approved network, not a captive-portal hotel Wi-Fi.
If the Wi-Fi credentials in the QR code are wrong, provisioning fails silently at the download step. Re-generate the QR with corrected credentials.
The six-tap gesture window is brief on some OEMs. If the device moves past it, you must factory reset and start again.
Zero-touch first run
With Google Zero-Touch or Samsung KME configured, the provisioning is invisible to the user at the hardware level — the device connects to the zero-touch portal on first boot and pulls the Intune configuration without any QR scan. See the fully managed enrollment page for the zero-touch config steps. From the user's perspective, they simply turn on the phone and are guided through a shortened setup wizard before landing at the corporate home screen. The experience feels much cleaner than QR provisioning and is strongly recommended for fleet-scale deployments.
What good vs. stuck looks like (fully managed)
Symptom
Normal?
Action
Plain "Setting up your device" animation for 3–8 min
✅ Expected
Android Device Policy downloading and registering
Device stays at QR scan screen with "Cannot connect"
❌ Stuck
Wi-Fi creds in QR wrong or network blocks Google services
Apps installing before home screen appears
✅ Expected
Required Managed Google Play apps deploying
Device shows a personal Google account prompt
❌ Wrong config
Enrollment profile missing "Block Google accounts" — device is not fully managed
Device enrolls but shows in Intune as "Android device admin" not "Android Enterprise"
❌ Wrong mode
Provisioning fell through to legacy DA; factory reset and re-provision via QR/zero-touch
The Work/Personal Split: What IT Can and Cannot See
This is the conversation you will have repeatedly with employees, their managers, and occasionally your legal team. Be accurate.
IT can see (work profile and fully managed)
Device model, OS version, serial number
Compliance status and the reasons for noncompliance
Apps installed in the work profile (not the personal side)
Last check-in time and enrollment status
Device location (if Lost Mode is activated — audit-logged)
IT cannot see (work profile BYOD only)
Personal apps installed on the device
Photos, messages, calls, or browser history in the personal side
Location without an explicit Lost Mode action
Anything outside the managed work profile container
Fully managed is different
On fully managed (corporate-owned) devices, IT has visibility over all installed apps and the full device. This is expected because the device is corporate property. Make sure your acceptable-use policy reflects this and that users know before they enroll.
Insights
The "six taps" trick trips up first-time provisioners. Practice QR provisioning on a spare handset before your first wave. The six-tap window lasts about two seconds on some OEMs and the gesture is easy to miscount.
Work profile enrollment takes longer than iOS DEP — set expectations. Between Company Portal download, Google Play sync, profile creation, and app push, budget 10–20 minutes for a first enrollment on an average Android device and network. Don't let users close Company Portal during provisioning.
The biggest BYOD complaint is the separate work launcher area. Some users dislike navigating between personal and work app drawers. Explain this before enrollment; it is not a bug and cannot be changed without switching modes.
"Not compliant" right after enrollment is nearly always the work challenge. The passcode/work challenge policy needs the user to set a work-profile PIN even if they already have a device PIN. If compliance hangs, look here first — then check the work profile enrollment page for the work-challenge setup flow.
Factory Reset Protection (FRP) is the trap on fully managed resets. If a user-affiliated fully managed device is factory-reset without unenrolling, FRP may lock the device to the user's Google account. Retire through Intune first, or ensure FRP bypass is in your enrollment profile.
Apps not appearing in the work profile means the Managed Google Play sync has not run. After adding apps to a policy, trigger a sync in the Managed Google Play console or wait up to 24 hours. Forcing a sync via Tenant administration > Connectors and tokens > Managed Google Play > Sync accelerates it.
OS update control, OEM lifecycle, and keeping the fleet patched.
Controlling OS updates on Android is more nuanced than any other platform Intune manages. The degree of enforcement you can achieve depends almost entirely on management mode — fully managed and dedicated devices give you real policy-driven control, while work-profile devices leave the personal OS in the user's hands. Get this wrong and you'll be chasing a fragmented fleet six months post-launch, wondering why half your Pixel 8s are still on the April security patch.
This page walks through every lever available in Intune, where OEM-specific firmware tools (Samsung E-FOTA) fill the gaps, and how Android Enterprise Recommended lifecycle commitments should shape your device-refresh planning from day one.
Applies toAndroid fully managed, dedicated, COPE, work profile (limits apply)
GotchaWork-profile owners cannot be forced to update the personal OS — policy silently has no effect
System Update Policy Types
For fully managed and dedicated devices, Intune exposes a System Update policy under Devices > Configuration when you target the Android Enterprise platform and Fully managed, dedicated, and corporate-owned work profile profile type. There are four modes:
Mode
What it does
Best for
Automatic
Device installs available updates as soon as they are offered by the OEM, without user interaction.
Updates install only within a daily time window you specify (start and end hour). Device restarts occur inside that window.
Shift-based frontline workers; shared devices with predictable downtime
Postpone
Updates are deferred up to 30 days. After 30 days the device installs automatically regardless.
Managed corporate phones where you want a short soak period before mass rollout
Default (OEM)
Intune imposes no override; the device follows OEM defaults (usually automatic).
Use only when OEM FOTA handles the scheduling independently
Windowed + Postpone can be layered via OEM
Intune's native postpone cap is 30 days. If you need longer deferral (e.g., 60 or 90 days for regression testing), you must use OEM-level FOTA tooling — Intune alone cannot do it.
Work Profile: What You Cannot Control
This is the most common misunderstanding on Android update strategy. When a device runs in work profile mode — whether BYOD or corporate-owned with a work profile (COPE) — the personal side of the OS is not yours to govern. The Android platform explicitly blocks MDM from touching the system update behavior of the personal profile owner. Any System Update policy you assign to a work-profile device has no effect on the base OS.
Your only real lever is compliance policy: flag devices below a minimum OS version or security patch level as non-compliant, then use Conditional Access to block corporate resource access until the user updates. This is a social/enforcement control, not a technical one. See system update configuration for the exact compliance settings to pair with this approach.
OEM FOTA: True Enforcement for Samsung (and Others)
For organizations running Samsung hardware, Samsung Knox E-FOTA (Enterprise Firmware Over The Air) gives you what Intune's native policy cannot: guaranteed firmware version pinning, forced update scheduling, and rollback protection. The integration path is:
License Knox E-FOTA One through Samsung. Each device requires a Knox Suite or standalone E-FOTA license.
Connect SEAMS (Samsung Enterprise Alliance Management Service) to Intune via Tenant administration > Connectors and tokens > Samsung Knox. This creates the service-to-service trust.
Create a Knox enrollment profile so devices get Knox services registered at enrollment time, not as an afterthought.
Build E-FOTA campaigns in the Knox Admin Portal: target specific firmware builds, set installation windows, and pin devices to an approved version until you release them.
Non-Samsung OEMs (Zebra, Honeywell, Motorola) have their own FOTA programs and vendor-specific Intune OEM Config policies. The pattern is the same — OEM cloud + Intune OEM Config for settings, with Intune compliance for the enforcement backstop. For a full breakdown of these options, see the firmware and FOTA control page.
Do not rely solely on Intune postpone for security patch compliance
Intune's 30-day postpone means a device could be 30+ days behind on critical patches — plan your compliance window accordingly.
OEM update cadences vary wildly. A device with no active Intune update policy might auto-update mid-shift and interrupt a frontline worker session.
Some OEMs push updates outside the declared window on carrier networks. Test before you trust.
Android Enterprise Recommended and Lifecycle Planning
Not all Android hardware is created equal for enterprise use. Android Enterprise Recommended (AER) is Google's validation program that sets minimum bars: at least one Android version update and three years of security patches from the device's market launch date. Many enterprise-grade devices (Pixel, select Samsung Galaxy, Zebra, Honeywell) exceed this baseline.
Before you standardize on a device model, check its end-of-security-patch date against your expected device refresh cycle. A cheap device that loses patch support in 18 months will be a compliance liability before the asset is fully depreciated.
Step 1Verify AER statusCheck device on androidenterprise.google.com/intl/en_uk/solutions/recommended-devices before procurement
Step 2Set compliance baselineDefine minimum Android version and patch age in your compliance policy; tie to Conditional Access
Step 3Assign update policyApply Automatic or Windowed policy to fully managed/dedicated devices; pair OEM FOTA for Samsung fleets
Step 4Monitor and retireUse Intune device reports to surface OS version spread; trigger refresh when patch-end approaches
Monitoring the Fleet
Intune's built-in reports give you OS version distribution under Reports > Device compliance > Reports > Noncompliant devices and settings. For deeper OS fragmentation visibility, the Device OS versions report under Devices > Monitor shows a breakdown by platform version. Set a recurring review cadence — quarterly at minimum — and flag devices running OS versions older than your policy baseline before they cascade into Conditional Access blocks that surprise end users.
Do
Use Windowed update policy for shift-based or kiosk fleets to avoid mid-shift restarts
Set a compliance minimum patch age (e.g., no older than 90 days) backed by Conditional Access
Validate device AER status and patch-end date before standardizing a model
Use Samsung E-FOTA if you need deferral longer than 30 days or true firmware pinning
Document your expected device refresh cycle and build it into procurement SLAs
Don't
Apply System Update policy to BYOD work-profile devices expecting it to control the personal OS
Rely on the 30-day postpone alone as your only security-patch enforcement mechanism
Mix "Default (OEM)" policy on frontline devices without confirming the OEM default behavior
Skip the Knox SEAMS connector setup and wonder why E-FOTA campaigns aren't applying
Assume all Android devices from the same brand have the same patch-end date — check per model
Insights
Postpone is a testing buffer, not a patch strategy. The 30-day cap exists to let you validate stability before mass rollout — treat it as a runway, not a permanent deferral.
Work-profile update control is a social contract. Compliance policy + Conditional Access is the only real enforcement mechanism; make sure your end-user communication sets the expectation before the block fires.
OEM FOTA investment pays off fast on large Samsung fleets. The Knox licensing cost is almost always lower than the helpdesk hours spent chasing patch compliance on uncontrolled firmware.
AER is a procurement filter, not a set-it-and-forget-it guarantee. Devices age out of AER commitments; track end-of-support dates in your asset management system alongside the physical asset.
Windowed policy timing matters more than most realize. A 2 AM–4 AM window sounds safe until you learn your night-shift warehouse runs devices during those hours. Always validate the window against shift schedules.
The pre-flight before you open Android enrollment to the business.
Android deployments have more moving parts than any other platform in Intune. You are coordinating Managed Google Play, multiple management modes, Play Integrity attestation, Mobile Threat Defense, and Conditional Access policies that need to coexist without locking your users out on day one. This checklist is the gate you run through before enrollment opens to the business — a structured check that each layer is solid before the next depends on it.
Work through the sections in order. Each item is a real failure mode that surfaces in production. Check the box when you can verify it, not when you think it should be true.
RequiresIntune license, Managed Google Play connection, Entra ID
GotchaCompliance + CA enforced before piloting = guaranteed lockout at rollout
Phase 1 — Infrastructure
Confirm Managed Google Play is connected and the token is healthy. Go to Tenant administration > Connectors and tokens > Managed Google Play. Status must show Active with a valid expiry date. A stale or disconnected binding breaks app sync silently — apps show as available in the console but never appear on devices.
Verify the management mode decision is documented. Work Profile (BYOD/COPE), Fully Managed, and Dedicated each use separate enrollment profiles and separate restriction profiles. Confirm the modes you are deploying are the modes your enrollment profiles cover. If you are running both Work Profile and Fully Managed, confirm you have distinct policies — they do not share a baseline.
Check the enrollment token or QR code has not expired. Go to Devices > Android > Android enrollment and confirm the token expiry for Fully Managed and Dedicated profiles. Tokens expire in 90 days by default. An expired token produces a cryptic provisioning failure and is one of the most common causes of day-one enrollment failures — see Android Enrollment Errors for the full list.
Confirm Zero Touch or KME enrollment is configured if used. Verify the DPC extras JSON is correct and pointing to your tenant, and that at least one test device has provisioned successfully end-to-end via the touchless path before rollout day.
Phase 2 — Configuration Baseline
Pilot the baseline on a test group before broad assignment. Assign all restriction, passcode, and configuration profiles to a scoped pilot group (10–20 devices, mix of real OEMs). Confirm policy applies via Devices > [device] > Device configuration. Check for any Not applicable states on settings you expected to apply — work-profile restrictions silently do not apply to the personal side, and some Samsung-specific OEMConfig settings no-op on Pixel hardware.
Validate app config (managed configuration) on the pilot. Open the Managed Google Play app you configured, confirm the managed config values arrive as expected. A missing bundle ID, wrong permission, or mismatched app version will cause silent misconfiguration — users get the app but not the corporate account.
Confirm required apps install on enrollment. At minimum: Company Portal (if used for work-profile enrollment), Managed Google Play app assignments scoped to the right groups, and Defender for Endpoint (if deploying MTD). Check the app install report under Apps > [app] > Device install status — do not proceed if install failures exceed 5% of pilot devices.
Phase 3 — Compliance and Conditional Access
Enforce in stages, not all at once
Set Conditional Access to Report only mode for at least one week before switching to On. Users who enroll during the report-only phase remain unblocked while you validate compliance signal.
Never enable CA enforcement and compliance enforcement simultaneously on the same day as general availability rollout.
Review the compliance policy and confirm Play Integrity is configured correctly. In the compliance and CA setup, you chose a Play Integrity attestation type. Confirm it is set to Check basic integrity as a minimum, and that Check basic integrity & device certification is reserved for fully managed corporate devices — applying the stricter level to BYOD work-profile devices will generate a wave of spurious noncompliance reports from users on legitimate but uncertified hardware.
Confirm the noncompliance grace period and actions are set. A grace period of at least 1 day before marking devices noncompliant prevents a race condition where a newly enrolled device triggers compliance evaluation before all policies have arrived. Set Mark device noncompliant to 1 day minimum for rollout; tighten post-stabilization.
Validate Defender MTD risk signal is flowing. Open Tenant administration > Connectors and tokens > Mobile Threat Defense and confirm the Defender connector shows Enabled. On a pilot device, confirm the device risk level appears in the device overview blade. An MTD connector that is enabled but not receiving data from enrolled devices will not block enrollment — it will quietly produce incorrect compliance results.
Set the CA break-glass account exclusion. Your CA policies must exclude at least one emergency-access account that is not scoped by device compliance. If the CA policy applies to all users including break-glass accounts and those accounts lack a compliant device, you lose tenant access if a CA misconfiguration occurs.
Run a CA What If check. In Microsoft Entra ID > Security > Conditional Access > What If, test a target user against the policies in report-only mode. Confirm the expected policies apply and no unexpected blocks exist for newly enrolled devices.
Phase 4 — Lost, Stolen, and Reset Runbook
Document the wipe and retire procedure. Confirm that all IT staff who handle device incidents know the difference between Wipe (factory reset, re-enrollable), Retire (removes management but leaves personal data on BYOD), and Delete (removes the record from Intune). The wrong action on a BYOD work-profile device is a data-protection and trust incident. Link to the Stolen-Device Playbook in your internal runbook.
Confirm remote lock is tested. Issue a Remote Lock from Devices > [device] > Remote lock on a pilot device and verify it executes within an acceptable window. Note that Remote Lock requires the device to be online and APNs-reachable; a device that has been offline for days may not respond immediately.
Verify Activation Lock bypass is not applicable. Android Enterprise fully managed devices do not have the iOS Activation Lock problem, but confirm that any device-owner Google accounts used during provisioning are managed accounts (from Managed Google Play), not personal Google accounts. A personal Google account bound to a fully managed device at enrollment time creates a lock that cannot be bypassed remotely.
Go/No-Go Decision
Do
Open enrollment to a named pilot group first; let it run for a full business week before GA
Keep compliance in report-only for the first week of GA, then enforce
Have a rollback group exclusion ready — an Entra group you can add users to that excludes them from MDM-required CA policies during an incident
Publish the enrollment guide to your helpdesk before GA day
Test the BYOD work-profile enrollment experience on an unmanaged personal device — what the user sees matters
Set a calendar reminder for the enrollment token expiry date (90 days) and the Managed Google Play binding renewal
Don't
Enforce compliance and CA on the same day enrollment opens to the business
Apply Fully Managed restriction profiles to Work Profile devices — they silently fail or cause unexpected behavior
Skip OEM testing; Samsung One UI, Pixel, and Zebra all behave differently on OEMConfig and system-update policies
Assume app config arrives instantly — it can take up to 15 minutes after enrollment for managed configuration to push
Include break-glass accounts in device-compliance CA scopes
Open enrollment without a documented escalation path for users who fail Play Integrity on legitimate hardware
Insights
Play Integrity fails are the top day-one support ticket. Rooted devices, outdated Google Play Services, and some OEM firmware builds all fail basic integrity. Have a documented process for exceptions before rollout — not after the helpdesk is flooded.
Work-profile enrollment via Company Portal is personal-user initiated, and users abandon it. The enrollment guide you send matters. Spend time on user communications; a confusing setup email generates more support tickets than any misconfigured policy.
App config (managed configuration) is not real-time. Policies and app configs are pushed on a check-in cycle. If a user opens an app within 60 seconds of completing enrollment, the managed configuration may not have arrived yet. Build this expectation into your user guide.
Defender MTD web protection requires a VPN profile on work-profile devices. If you ship Defender without the Always-on VPN app config, web protection is inactive and your MTD signal is incomplete. Validate this on the pilot before GA.
Enrollment token expiry is invisible until it breaks. Set an Entra admin calendar reminder for 80 days post-provisioning — regenerate before the 90-day expiry or new fully managed and dedicated enrollments will fail silently with a provisioning error that is easy to misdiagnose as a device problem.
Bring the community Android baseline into your tenant, scoped per management mode.
Unlike iOS or Windows, Android Enterprise does not offer a single unified baseline profile you simply import and assign. The management mode — work profile (BYOD), corporate-owned work profile (COPE), fully managed, or dedicated — determines which device restriction and configuration policies even apply. Import the wrong profile type and Intune will either silently ignore it or error on assignment. The IntuneNerds Android baseline ships as distinct profile sets per mode, and understanding that split before you touch the console saves a round-trip factory reset.
The import workflow itself mirrors the pattern you may have used for the broader Android baseline deployment in the complete guide: export from Graph or the GitHub repo, validate the JSON, import into your tenant, scope to a pilot group, review every setting before broad assignment. This page covers the Android-specific wrinkles that do not exist on iOS or Windows.
RequiresManaged Google Play connected; Intune license; baseline JSON files from the repo
GotchaDevice restriction profiles are mode-specific — a fully managed profile cannot be assigned to a work-profile device and will show as Not applicable
What the Android Baseline Contains
The community Android baseline is split into two top-level groups: work-profile/BYOD profiles and corporate-owned profiles (covering fully managed, COPE, and dedicated). Within each group you will find:
Profile
Mode(s)
Key settings
Passcode / lock screen
All modes
Minimum 6-digit PIN, biometric allowed, max failed attempts before wipe
Always-on VPN enforcement, trusted Wi-Fi requirements — review against your network design before deploying
Mode-specific profiles will show "Not applicable" if misassigned
The fully managed device restriction profile cannot configure a work-profile device — Intune will report it as Not applicable rather than erroring loudly.
The work-profile restriction profile has no effect on a fully managed device. You will not see a failure; settings simply will not apply.
Always check the Device configuration report filtered to Not applicable after your first pilot assignment.
Import Flow
Step 1Get the baseline filesDownload the per-mode JSON profiles from the IntuneNerds GitHub repo or export from a reference tenant via Graph.
Step 2Import into your tenantUse the Intune console import function or the Microsoft Graph API to create the profiles.
Step 3Review every setting before assigningOpen each imported profile and validate settings against your environment — especially USB, VPN, and Google account restrictions.
Step 4Assign to a pilot group and validateTarget a ring of test devices per mode, check per-setting reporting, then promote to broad deployment.
Importing via the Intune Console
Navigate to the configuration blade. Go to Devices > Configuration and click Import at the top of the profile list. This feature accepts the same JSON schema used by the custom configuration profile export/import tooling.
Upload the profile JSON. Select the JSON file for one profile at a time — for example, start with android-wp-restrictions.json for the work-profile restriction set. The console will pre-populate the profile name and platform from the file. Review the name before saving; rename it to match your org's naming convention (e.g., BL-Android-WP-Restrictions-v1).
Repeat per mode. Import each profile separately. Do not attempt to batch all modes into a single JSON — the schema is per-profile, not per-collection.
Do not assign yet. Save each profile unassigned. You will review settings and assign to the pilot ring as a separate step.
Importing via Microsoft Graph
Authenticate. Use Graph Explorer or a scripted call with DeviceManagementConfiguration.ReadWrite.All scope.
POST each profile. Send a POST to https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations with the profile JSON as the request body. The @odata.type field in the JSON determines the profile type — for example, #microsoft.graph.androidWorkProfileGeneralDeviceConfiguration for work-profile restrictions and #microsoft.graph.androidDeviceOwnerGeneralDeviceConfiguration for fully managed/COPE.
Capture the returned ID. The response includes the newly created profile's GUID. Use this to assign the profile in a follow-on PATCH or to verify it appeared in the console.
Use Graph for bulk import at scale
If you manage multiple tenants or need to roll the baseline out to a new tenant in a repeatable way, scripting the Graph import is faster and auditable. Store the JSON files in source control alongside your tenant documentation.
Settings to Review Before You Deploy
The baseline ships opinionated but not one-size-fits-all. Before assigning to production groups, open each imported profile and confirm these settings match your environment:
Setting
Baseline default
Common override scenario
USB data transfer mode (fully managed)
Block all transfer
Warehouse or field devices that require USB file transfer or OTG accessories
Personal Google accounts on device
Blocked
Shared devices where a non-work Google account is needed for a specific app
Always-on VPN
Not configured (optional profile)
Enable only if your network architecture requires per-device VPN; adds latency and battery impact
Screen capture — work profile
Blocked
Some support tooling and screen-share apps legitimately need this; evaluate per population
Factory reset protection (fully managed)
Enabled
Ensure the FRP account is a shared service account, not a departing employee's personal account
Scoping to a Pilot Ring
Before broad assignment, target the imported profiles at a named pilot group — typically a dynamic Entra group filtered on enrollmentProfileName for corporate-owned devices, or a static group of volunteer BYOD users for the work-profile baseline. See the Android hardening baseline page for the compliance pairing that makes the hardening settings enforceable. The device restrictions reference page lists every available setting and its mode applicability if you need to verify a specific control.
Run the pilot for at least a week before promoting to broad deployment. The most common pilot-phase findings on Android are:
Work-profile copy/paste block interfering with a specific LOB app that legitimately needs cross-profile clipboard access.
USB restriction blocking a USB-C dock or accessory that the device population relies on.
Play Integrity attestation failing on specific device models that are not certified — identify these in the compliance report before broad rollout and decide whether to exclude them or replace the hardware.
After Import: Validate Per-Setting Reporting
Open each profile under Devices > Configuration and click the profile name to get to the Device and user check-in status view.
Check for "Not applicable" results. Any device showing Not applicable for a profile likely has the wrong mode for that profile type — revisit your group targeting.
Check for "Error" or "Conflict" results. Conflicts indicate another profile is managing the same setting. Resolve before broad deployment; see the Deploy the Configuration Baseline page for conflict-resolution guidance.
Verify compliance interplay. Device restriction and hardening profiles feed into your compliance policy. Confirm the compliance report reflects the expected state on pilot devices before the grace period expires.
Do
Import mode-specific profiles into separate named profiles that make the mode obvious in the UI
Review every setting against your environment before the first assignment
Pilot on real hardware in each mode before broad deployment — emulators do not surface hardware-specific failures like Play Integrity mismatches
Store the baseline JSON files in source control so you can track what version is deployed
Pair the baseline profiles with a compliance policy that gates resource access on the same hardening settings
Don't
Assign both the work-profile and fully managed restriction profiles to the same group — one will be Not applicable and create confusion in reporting
Deploy the always-on VPN profile without load-testing the VPN infrastructure at the scale of your Android fleet
Set factory reset protection to a personal Google account — use a shared service account tied to a role, not a named employee
Skip the pilot ring because "it's just restrictions" — several baseline settings can break legitimate LOB app behavior on specific Android OEMs
Insights
Android's management mode split is the hardest thing to get right before import. Every support ticket that says "the restriction isn't working" traces back to a profile assigned to the wrong mode. Name your profiles so the mode is unmistakable — BL-Android-FullyManaged-Restrictions, not Android Baseline.
Play Integrity is your enforcement backbone, not a recommendation. The baseline enforces attestation at the strong integrity level for fully managed devices. Devices that fail attestation — typically uncertified or rooted — will hit noncompliance before any restriction even matters.
OEM fragmentation is real and the pilot ring exists to find it. Samsung, Google Pixel, and Zebra devices all implement the same EMM APIs with slightly different behaviors. A setting that works on a Pixel may silently not apply on a Zebra TC-series. Test on representative hardware, not just whatever's on your desk.
The work-profile container and the personal profile are managed independently. Restrictions scoped to the work container do not affect the personal side at all — intentional by design for BYOD, but it surprises engineers who expect the restriction to bleed through.
Graph import lets you version-control your baseline. Treat the JSON files the same way you treat Terraform configs — commit them, diff changes between versions, and require a review before merging updates that will touch production assignments.
How to propose changes to the Android baseline and keep it field-tested.
The Android baseline is a living document maintained by engineers who run production Android Enterprise fleets, not a copy of the Microsoft documentation. It starts opinionated and minimal — just the settings that tighten every managed Android device without silently no-opping in a work profile or breaking the Samsung, Pixel, and Zebra hardware your fleet actually runs. If you've tuned a compliance policy in production, found a restriction that works correctly across management modes, or discovered a setting gap that the current baseline misses, the community wants the contribution. This page explains how to submit a change that will pass review and actually ship.
Before going further, see the Feedback page for how to send a proposed change. The Android-specific notes below cover what makes Android contributions different from iOS or Windows: you must document which management mode the setting applies to, test on more than one OEM, and account for the sharp edge that many device-restriction keys silently do nothing in a work profile even when Intune accepts them without error.
Min test matrixWork Profile + Fully Managed, Samsung Knox + Pixel, Android 13 and 14
GotchaMany restriction keys are COPE/COBO-only and silently no-op in work profile — test both modes
The Baseline's Guiding Principle
The Android baseline is deliberately opinionated but minimal. A setting earns inclusion only when it meets three tests:
Real security or management value. The setting measurably reduces attack surface, enforces a compliance-relevant posture, or prevents a common misconfiguration — not just "the CIS Android benchmark mentions it."
Broad compatibility across management modes. If a restriction only applies to fully managed devices, it must be clearly scoped to that mode and not deployed to work-profile devices where it will either be ignored or — worse — behave unexpectedly. Settings that apply universally are preferred for the core baseline. Mode-specific settings belong in the clearly labeled mode-specific profiles.
OEM-aware behavior. Android fragmentation is real. A setting that enforces correctly on Pixel must also be documented for Samsung Knox behavior. If Samsung Knox Service Plugin (KSP) or an OEMConfig schema is required to reliably enforce a setting on Samsung hardware, say so. Zebra MX/OEMConfig requirements must likewise be noted for frontline/dedicated device contributors.
Additive first
If a setting is high-value but too aggressive for a universal baseline — for example, blocking USB data transfer on work-profile devices where it breaks docking-station workflows — propose it as an optional hardening add-on rather than pushing it into the core. See the baseline settings overview for the existing add-on pattern.
Preparing Your Contribution
Step 1Export the profile JSONDevices > Android > Configuration > select profile > Export. Strip tenant-specific fields (group GUIDs, scope tag IDs, tenant ID) before committing.
Step 2Document the setting referenceFor each setting, record the exact policy name as it appears in Intune, the management mode(s) it applies to, and the Android Enterprise API level or OEMConfig key it maps to.
Step 3Validate across the test matrixMinimum: work profile and fully managed (or dedicated) mode, on at least a Pixel device and one Samsung Knox device, on Android 13 or 14.
Step 4Open a pull requestSubmit the exported JSON diff plus the documentation; link the Android Enterprise API reference or OEMConfig schema for each key.
What to Include in the Pull Request
The profile export
Navigate to Devices > Android > Configuration, select your profile, and use the Export button to download the JSON. The exported file includes all configured settings with their Intune representation. Before committing, strip any tenant-specific fields: assignment group GUIDs, scope tag IDs, and the tenant ID from any OData metadata. If the setting lives in a compliance policy rather than a configuration profile, export the compliance policy from Devices > Compliance > select policy > Export. The baseline import page explains the JSON format and any field normalization expected on the receiving end.
The setting reference
For every setting you add or change, document:
Management mode scope. Be explicit: does this apply to Android Enterprise Work Profile (BYOD), Fully Managed (COBO), Corporate-Owned Work Profile (COPE), or Dedicated (COSU/kiosk)? Many keys in the Intune UI accept a value for all modes but only enforce in a subset. If the UI allows it for work profile but enforcement is undefined or no-op at the Android Enterprise API level, document that plainly.
Android Enterprise API reference. Link to the relevant DevicePolicyManager method or managed configuration key. For OEMConfig contributions, reference the specific OEMConfig schema version and the schema key path (e.g., Samsung KSP schema, Zebra MX schema).
OEM behavior notes. Note whether Samsung Knox enforces the setting differently than AOSP/Pixel — Knox often enforces more aggressively, or provides a UI override path that AOSP does not. Note if Zebra OEMConfig is required for a frontline enforcement scenario that the standard Android Enterprise API doesn't cover.
Android version floor. If the setting requires a minimum Android version (common with Android 12+ privacy controls and Android 13+ notification permissions), document it. Don't assume Android 10 baseline parity.
The rationale document
One paragraph minimum, covering:
What the setting does. Plain English — not a copy-paste from the Intune UI tooltip.
Why it belongs in the baseline. Cite the threat model, the compliance framework (CIS Android, NIST), or the operational problem it solves.
What you tested it against. List the management mode, OEM hardware, Android version, and the apps you validated against — particularly Microsoft Authenticator, Outlook, Teams, and Company Portal, which are the most common breakage points for Android Enterprise restrictions.
Known caveats. Does the setting behave differently between Samsung Knox and Pixel? Does it conflict with app protection policies? Does it interact with Android Enterprise's work profile container boundary in a surprising way?
The Test Matrix
Test scenario
Required
Notes
Android Enterprise Work Profile, Pixel, Android 13 or 14
✅
AOSP reference behavior; what setting enforcement looks like without Knox modifications
Android Enterprise Work Profile, Samsung Knox, Android 13 or 14
✅
Knox frequently modifies enforcement; must confirm the setting doesn't behave unexpectedly
Fully Managed (COBO) or Dedicated, any supported OEM
✅
Required if your change touches fully-managed-only settings; confirm it no-ops cleanly in work profile
Microsoft Authenticator + Outlook + Teams
✅
Most commonly broken by work-profile passcode and app protection policy interactions
Android 12
❌
Useful for privacy-control changes introduced in Android 12; document if behavior differs
Zebra OEMConfig
❌
Required only if your change involves frontline/dedicated device settings that need Zebra MX enforcement
Corporate-Owned Work Profile (COPE)
❌
Cover if your change behaves differently in COPE vs standard work profile — the device-level and profile-level restriction scopes differ
Settings That Will Not Be Merged
Propose these
Restriction settings with documented Android Enterprise API support that enforce correctly in both work profile and fully managed modes
Passcode/compliance settings with clear OEM parity documentation (Samsung Knox vs Pixel behavior)
Corrections where a current baseline value silently no-ops in work profile and needs a mode-specific scope or removal
New OEMConfig additions for Samsung KSP or Zebra MX, clearly labeled as OEM-specific add-ons
Compliance policy updates that add a meaningful attestation requirement (Play Integrity API, hardware attestation)
Don't propose these
Device-level restrictions that apply only to fully managed/COBO without clearly scoping them out of work-profile assignment
Settings sourced from COPE or kiosk use cases that would break standard employee work-profile devices if mistakenly assigned
OEMConfig schemas that require a specific OEM app or Knox license tier without documenting that dependency prominently
Restrictions that block USB on work-profile devices in the core baseline — too many enterprise docking and charging scenarios break
Play Store restrictions so aggressive they prevent Company Portal or Authenticator updates in the work profile
The silent no-op problem
Android Enterprise's work profile boundary means many device-level restrictions — screen capture, USB data transfer, camera at the device level — are not enforced in work profile; only the profile-level equivalents apply.
Intune will accept the policy and report "Success" even when the underlying Android Enterprise API silently ignores the key in work profile mode. Always verify enforcement in the device's actual behavior, not just Intune's reporting.
If you discover a setting that reports success but does not enforce, document that finding explicitly in your PR — it may be worth flagging in the baseline overview even if you're not changing the setting value.
Insights
Management mode is the most common PR gap. Submissions that don't specify which mode(s) a setting applies to almost always get sent back. Android's three-way split — work profile, fully managed, dedicated — means "Android" is not a sufficient scope. Be explicit in every table row and in the rationale document.
Samsung Knox enforcement is stricter than AOSP, and that can surprise users. A passcode complexity setting that gives a gentle prompt on Pixel may hard-enforce and lock a Samsung device immediately. Test the user experience on Knox hardware before proposing changes to passcode or lock-screen policies.
Play Integrity API attestation replaces SafetyNet — update compliance policy references accordingly. Submissions still referencing SafetyNet attestation will be flagged; the current baseline uses the Play Integrity API (MEETS_DEVICE_INTEGRITY and MEETS_STRONG_INTEGRITY) vocabulary.
App protection policies interact with device restrictions in non-obvious ways. A restriction that blocks copy-paste at the device level may conflict with an app protection policy that allows managed-app-to-managed-app copy-paste. Document the interaction if your change touches clipboard or data transfer controls.
Removal proposals need a concrete incident. If you're proposing to drop a setting because it breaks something, name the device model, Android version, OEM, the app affected, and what the failure mode is. "Breaks work profile behavior" without a reproducible case will not move a maintainer.
Check the full settings overview before proposing. A gap you want to fill may already exist as an optional OEM add-on, or may have been deliberately excluded because it silently no-ops in work profile. Read the existing rationale notes before writing a new submission from scratch.
Zebra and other frontline OEMs are underrepresented in the baseline. If you manage a Zebra or Honeywell fleet and have validated OEMConfig settings that harden dedicated devices without breaking scanner workflows, those contributions are especially welcome — frontline Android is the least-covered area of the current baseline.
The full Android baseline at a glance — every profile, mapped to its mode.
The Android baseline is not a single profile dropped on every device — it is a set of profiles that vary by management mode. A restriction meaningful on a fully managed corporate device (blocking camera, disabling USB file transfer) has no effect, or a different scope, on a work-profile BYOD device where the OS already enforces data separation. This reference page maps every profile in the baseline to the modes it targets, so you know exactly what gets applied and why.
Each profile group below corresponds to a deep-dive page. Confirm which profiles belong to your deployment, then follow the links for the per-profile rationale, setting-by-setting breakdown, and compatibility notes. If you have not yet imported the baseline, start at Importing the Android Baseline first.
Applies toAndroid Enterprise — Work Profile, Fully Managed, Dedicated, COPE
Targets personally owned devices enrolled with a work profile — the OS enforces a hard container boundary and the baseline never touches the personal side. Key settings: a minimum-6 work profile passcode (device PIN remains the user's choice), block copy/paste and screen capture within the work profile, prevent work apps sharing to personal, and block personal Google account addition inside the work container. See Work Profile Baseline for the full setting-by-setting breakdown.
COPE inherits this profile
Corporate-owned personally-enabled (COPE) devices run both a work profile and a managed personal side. The work profile baseline profile is also assigned to COPE — the fully managed profile covers the device layer on top.
Fully Managed and Dedicated Baseline
Targets corporate-owned devices — fully managed (single user) and dedicated (kiosk/shared). The entire OS is under MDM control with no personal side, so restrictions are far broader. The baseline sets: minimum-6 device PIN with max failed attempts before wipe; hard camera block at the device level; USB file transfer blocked (MTP exfiltration vector); managed factory reset bypass of consumer FRP; automatic system update within a maintenance window; safe-boot disabled; and tethering and Wi-Fi configuration changes restricted. For the full setting reference see Fully Managed and Dedicated Baseline.
Mode mismatch = silent no-op
A device restriction profile built for fully managed will report Not applicable on a work-profile device without any error.
Assign to dynamic Entra groups filtered on enrollmentProfileName or managementType to prevent cross-mode assignment.
Validate in Devices > Android > Configuration profiles > profile > Device install status — check for Not applicable counts immediately after assignment.
Hardening Baseline (All Modes)
A cross-mode hardening profile that applies to all corporate Android — with a meaningful subset also applying on work-profile BYOD. Covers: enforce Google Play Protect scanning and block apps that fail (the Android equivalent of real-time AV); block sideloading from unknown sources; disable developer options and ADB; restrict Google account additions on fully managed devices; and require a passing Verified Boot state via compliance policy. Deep dive: Android Hardening Baseline.
Hardening + compliance = full picture
The hardening profile sets policy; the device restrictions profile enforces UI controls. Build both — restrictions without attestation-based compliance still leave a gap.
Insights
The biggest source of "why isn't this applying?" tickets is a profile assigned to the wrong enrollment type. Build separate Entra dynamic groups per Android Enterprise mode and assign each baseline profile exclusively to its group. A managementType filter prevents cross-mode drift as your fleet grows.
Work-profile devices have two passcodes, and users find that confusing. The work-profile passcode the baseline mandates is separate from the device passcode. Document this in enrollment comms or you will field a wave of "my phone has two PINs" helpdesk calls.
Play Protect is the easiest security control to verify. It shows a clear compliance state in both the device blade and Managed Google Play. Enable it in the hardening baseline, reference it in compliance — free, effective, and auditor-friendly.
USB file transfer blocking is routinely missed in initial builds. Engineers focus on passcode and camera; meanwhile users connect to a laptop and copy data off via MTP. Two toggles, no end-user disruption for typical workflows — include it from day one.
COPE needs the most testing time. Two management layers, two passcode policies, and OEM-specific quirks in how the work profile boundary renders. Budget a two-week pilot before broad rollout.
The sensible default policy set for BYOD work-profile and COPE devices.
The Android work profile gives you a meaningful security boundary on a device you don't own — a separate encrypted container for corporate apps and data, isolated from the personal side. The baseline for work profiles isn't about locking down the whole phone; it's about enforcing just enough in the work container to satisfy compliance without turning a BYOD device into a surveillance tool. Get that balance wrong in either direction and you either face a breach or lose enrollment adoption.
This page covers the policy set IntuneNerds recommends for work profile BYOD and COPE (corporate-owned, personally enabled) devices. COPE uses the same Android Enterprise work profile construct but sits on a fully managed device, so many of these settings apply to both — differences are called out where they matter.
Applies toAndroid Enterprise work profile (BYOD & COPE)
RequiresManaged Google Play connected; Intune license assigned to user
GotchaYou cannot see, wipe, or restrict the personal profile — and you shouldn't try
What the Work Profile Can and Cannot Enforce
Being precise about scope here matters, because the support tickets always start with "why can't we block X on personal side?" The answer is: that's by design and by Android Enterprise contract with the user.
Capability
Work Profile (BYOD)
COPE Work Profile
Work app policy and restrictions
✅ Full control
✅ Full control
Work passcode (work challenge)
✅ Separate PIN/biometric for work profile
✅
Cross-profile copy/paste block
✅ Configurable
✅ Configurable
Cross-profile contact search
✅ Configurable
✅ Configurable
Screen capture in work apps
✅ Blockable
✅ Blockable
Personal app restrictions
❌ No visibility, no control
Limited (block app installs from unknown sources)
Personal browser policy
❌
❌
Device-wide VPN enforcement
❌ Work apps only via per-app VPN
❌ Same restriction
Wipe entire device
❌ Can only remove work profile
✅ Full wipe available
Camera restriction
Work apps only
Work apps only (not personal camera)
You cannot touch the personal profile on BYOD
Any attempt to create a device restriction that reaches into the personal side will either fail silently or not apply — Android Enterprise enforces the boundary at the OS level.
Users see Intune's permissions scope during enrollment; over-reaching is a rejection reason and a legal liability in many jurisdictions.
Core Baseline Settings
Work Challenge (Work Passcode)
The work profile has its own authentication challenge independent of the device PIN. Configure this under Devices > Android > Configuration profiles > Device restrictions > Work profile password. Recommended baseline:
Set work profile password type to At least numeric complex. This requires a numeric passcode with no repeating or sequential sequences — adequate for a work container unlock without demanding users memorize a full alphanumeric password on a phone.
Minimum password length: 6. Eight is defensible if your security standard requires it, but six is the practical floor for user adoption.
Maximum minutes of inactivity before work profile lock: 5. This is the work-profile-only timeout, separate from the device timeout. Five minutes is a sensible default; reduce to 2 for high-sensitivity deployments.
Number of sign-in failures before wiping work profile: 10. Set this — without it, brute-force is unconstrained against the container.
Require work profile password: Require. Without this the entire challenge is optional.
Work challenge vs device lock policy
On BYOD the device passcode policy is separate and weaker than the work challenge — you can require a stronger PIN in the work container while leaving the device-level PIN at the user's preference. This is intentional; the work container protects corporate data regardless of what the user does to their personal unlock.
Cross-Profile Data Controls
These settings govern whether data can move between the work and personal sides. The baseline recommendation is conservative but not maximally restrictive:
Copy and paste between work and personal profiles: Block. This is the single most-debated BYOD restriction. Block it. Users can complain, but clipboard leakage is a real data-exfil vector and this is the easiest one to close. See the cross-profile experience settings deep-dive for the nuance on Google Chrome and how some apps handle this.
Data sharing between work and personal profiles: Block apps in personal profile from handling work profile notifications and data. This prevents intent-sharing (e.g., a work email attachment opening in a personal PDF viewer).
Work profile contacts in personal profile caller ID: Allow. Block this only if your legal team flags caller-ID leakage as a risk. Most organizations accept it — the UX hit (unknown numbers on incoming calls from colleagues) is too high.
Search work contacts from personal profile: Allow. Same rationale. Blocking it means personal dialer can't resolve work contacts; most users find that unacceptable and it doesn't prevent data exfil in any meaningful way.
Screen Capture and Remote Access
Screen capture: Block. Prevents screenshots and screen recording within work-profile apps. This also blocks Google Assistant from reading work-app content. Recommended baseline position for any regulated or sensitive data environment.
Display work profile notifications while device is locked: Do not show notification content. Notification preview on a locked screen is a shoulder-surfing vector. Show the count but not the body.
App Protection Policy Alignment
Device restriction profiles govern what the work profile can do at the OS level. App Protection Policies (APP) govern what individual apps can do with corporate data — including apps inside the work profile. These two layers are complementary, not redundant.
The baseline posture: apply an APP to all managed work-profile apps targeting Microsoft Entra accounts, with Restrict cut, copy, and paste between other apps set to Policy managed apps. This catches clipboard leakage even when the device-level cross-profile block isn't enabled (e.g., COPE devices where you may relax the cross-profile restriction for usability reasons).
Step 4Conditional AccessRequire compliant device before granting Exchange/SharePoint access
Passcode and Lock Policy Interaction
The passcode and lock policy page covers the device-level PIN policy. On BYOD work profile, configure only work-challenge settings in the device restriction profile. Do not configure a device-level PIN policy via Intune for BYOD — that policy would apply to the personal side of the phone, which is outside your MDM authority and will generate user pushback. The compliance policy can still require a device passcode as a compliance condition (the user sets it, Intune verifies it), which is the correct BYOD-respecting approach.
What You Should Not Put in the Baseline
Do
Enforce a work challenge with minimum complexity
Block clipboard and intent sharing across the work/personal boundary
Restrict screen capture in work profile apps
Require the work profile be encrypted (it always is by Android Enterprise; verify via compliance)
Layer App Protection Policies on top of device restrictions
Verify SafetyNet/Play Integrity attestation via the compliance policy
Don't
Try to restrict personal-side apps, browser, or camera via device restrictions — it won't work and erodes user trust
Apply a device-level PIN policy via MDM to BYOD — use compliance to require one, not configuration to force the value
Block "allow apps from unknown sources" on BYOD personal side — no effect and legally questionable in some regions
Use work profile restrictions that require the device to be fully managed (e.g., system app management) on a BYOD work profile enrollment
Deploy the same restriction profile to BYOD and fully managed devices — the available keys differ and you'll get confusing non-applicability reports
Insights
Cross-profile clipboard is the hill worth dying on. Blocking it causes the most helpdesk tickets, but a user pasting from Outlook into WhatsApp is exactly the exfil scenario you're mitigating. Hold the line, then give users workarounds like OneDrive sharing.
Work challenge complexity is separate from device complexity — and that's a feature. On BYOD you can require a strong work-container PIN without mandating the same for the personal device. Users who resent MDM will accept this bargain; demanding they change their personal PIN will get devices unenrolled.
Screen capture blocks affect accessibility tools. Android's TalkBack and some MDM-adjacent support tools use the screenshot APIs. Test with your accessibility-using population before enforcing broadly.
COPE work profile unlocks more, but the posture should stay conservative. On COPE you can block unknown sources on the personal side and wipe the whole device remotely, but the work-profile-scoped restrictions are identical. Don't conflate "we own the device" with "we can configure the personal profile freely."
App Protection Policies are not optional just because you have device restrictions. Restrictions enforce OS-level boundaries. APP enforces within the Microsoft app layer and catches edge cases like apps that don't use the Android Enterprise clipboard APIs correctly.
The harder lockdown for corporate-owned fully managed and dedicated devices.
Fully managed and dedicated devices sit at the far end of the Android Enterprise control spectrum. Because your organization owns the hardware outright, Intune can reach every layer of the OS — system apps, radio interfaces, the lock screen, Google account access, and Factory Reset Protection. The work-profile model deliberately stops short of these controls to protect personal data; fully managed and dedicated do not. This page documents the baseline restriction set for fully managed enrollment and dedicated-device enrollment, and explains why each control belongs in a corporate-owned policy.
One baseline does not fit both fully managed (employee-owned context, corporate device, full work use) and dedicated (single-purpose kiosk or field device) without adjustment. The core restriction and passcode profiles are identical; the kiosk-alignment settings diverge. The guidance below calls out where the two modes split.
Applies toAndroid Enterprise — Fully Managed (COBO) and Dedicated
RequiresManaged Google Play connected; corporate-owned enrollment profile
GotchaSettings scoped to "Fully Managed, Dedicated, Corporate-Owned Work Profile" appear in the same profile type — double-check the Device Owner vs Work Profile columns before saving
Device Restrictions — What the Baseline Sets
The fully managed restriction profile covers a wider surface than the work-profile equivalent. Settings are applied at the device level, not just the work container.
Category
Setting
Baseline value
Why it matters
General
Factory reset
Block
Prevents users bypassing management by resetting from Settings
General
Safe boot
Block
Safe boot can allow bypassing device admin policies
General
Status bar
Block (dedicated)
Removes notification shade on kiosk-mode devices
General
Developer settings
Block
Closes ADB-based policy bypass
General
Adding/removing accounts
Block
Prevents personal Google account injection
Password
Required password type
Numeric complex or alphanumeric
Eliminates sequential/repeat PINs
Password
Minimum length
6 characters
Aligns to NIST and Play Integrity requirements
Password
Maximum minutes of inactivity before screen locks
5 minutes
Covers unattended corporate devices
Password
Number of sign-in failures before wiping device
10
Balanced — enough for legitimate mistakes
Keyguard
Keyguard features
Unredacted notifications, trust agents, fingerprint unlock disabled on keyguard
Notifications on lock screen expose data; biometrics alone are not sufficient for MDM compliance without a PIN fallback
System apps
System apps on dedicated devices
Blocked unless explicitly allowed
Dedicated devices should present only the apps the role needs
Connectivity
USB file transfer
Block
Closes a common data-exfiltration path
Connectivity
Wi-Fi changes
Block
Fully managed devices should use MDM-provisioned Wi-Fi
Connectivity
Bluetooth
Allow (review per role)
Required for many frontline peripherals; restrict for high-security roles
Dedicated vs fully managed — check the column
Several settings under Devices > Configuration profiles for the "Fully Managed, Dedicated, Corporate-Owned Work Profile" profile type show separate Device Owner and Work Profile columns. A setting ticked only under Work Profile does nothing on a fully managed device with no work container.
Status bar and keyguard camera/notification controls that make sense on a dedicated kiosk are often too aggressive for employee-carried fully managed devices — scope them to separate profiles assigned to separate groups.
Play Protect and Google Account Controls
Fully managed devices give Intune control over Google's own security layer. The baseline locks these down via the Google Accounts and Play Protect Controls profile.
Play Protect scan. Set to Enable and report on threats. Play Protect is the first line against sideloaded malware; it should never be disabled on a corporate device.
Google account changes. Block users from adding or removing Google accounts. A personal Google account in a fully managed device bypasses the managed-app boundary entirely.
Google Play services. Block disabling. Play Services is the enforcement substrate for the EMM API; disabling it effectively un-manages the device.
Managed Google Play account only. Enable. This ensures only the managed enterprise account (not a personal one) is associated with the device, which gates app installation to Managed Google Play only.
Factory Reset Protection
Factory Reset Protection (FRP) is Android's built-in anti-theft mechanism — after a factory reset, the device demands the last signed-in Google account credentials before it can be used. On unmanaged consumer devices this is helpful. On corporate hardware it becomes a support nightmare unless you configure it deliberately.
The baseline sets an FRP exemption so IT-authorized accounts can unlock a recovered or returned device. See the Factory Reset Protection (FRP) page for the configuration detail. Key points for fully managed devices:
Set an allowed account for FRP bypass. In the device restrictions profile under General > Factory Reset Protection emails, add a dedicated service account that your IT team controls. Without this, any factory-reset device becomes a brick until the previous user signs in.
Block user-initiated factory reset (covered above) to prevent the FRP state from being triggered accidentally.
For Zero-Touch and KME provisioned devices, the provisioning flow bypasses FRP automatically — but only if the device is still bound to your organization. A device that escapes your tenant's enrollment loses that bypass.
FRP and your decommission flow
Before retiring a device, always wipe it from Intune (Devices > [device] > Wipe). A full wipe triggered by MDM clears the managed account association and leaves the device clean for redeployment. A user-initiated factory reset from Settings does not.
System App and Radio Controls
Fully managed devices allow you to block or enable specific system applications — the pre-installed OEM apps that ship on every device but are not distributed through Managed Google Play. The baseline for dedicated devices takes a restrictive posture: system apps are blocked by default, and you add only what the use case requires.
Radio controls restrict what interfaces a user can toggle:
USB file transfer — blocked at baseline. If a role requires USB data transfer (e.g., device charging only), document the exception.
Wi-Fi direct — blocked. Peer-to-peer Wi-Fi Direct bypasses network monitoring.
NFC beam — blocked for most roles. Enable only where NFC is a legitimate workflow (e.g., badge or payment terminals).
Outgoing calls and SMS — evaluate per role. Frontline voice devices need calls; a dedicated inventory scanner does not.
Dedicated Device and Kiosk Alignment
Dedicated devices running in kiosk mode need additional hardening that the standard restriction profile does not fully cover. These settings live in a separate configuration area and align to the Kiosk Mode and Managed Home Screen setup.
Step 1Restriction profileApply the fully managed baseline restrictions above; block status bar, developer settings, and account changes
Step 2Passcode profileSet strong passcode or, for anonymous kiosk devices, configure auto-sign-in with Managed Home Screen PIN
Step 3Kiosk configurationAssign a device-mode profile (single-app or multi-app) via the Managed Home Screen app configuration
Step 4System update policySet to Automatic (install silently in a maintenance window) — dedicated devices should never prompt users to update
Kiosk and password policy clash
If you configure Managed Home Screen for auto-sign-in (no user PIN), the device-level passcode policy must either be set to Device default or explicitly exempt, or the device will enforce a lock screen that breaks the kiosk flow.
Do not apply an employee-facing fully managed restriction profile to dedicated kiosk devices — status bar blocking and missing system apps will confuse troubleshooting when something breaks on the floor.
What the Work Profile Baseline Cannot Do
If you are evaluating whether COPE (corporate-owned work profile) would be sufficient, this comparison is the decision point. The fully managed enrollment mode is required for the following controls that the work-profile model cannot deliver:
Control
Work Profile (COPE)
Fully Managed / Dedicated
Block factory reset from Settings
❌
✅
Configure FRP exemption account
❌
✅
Block adding personal Google accounts
❌ (personal space)
✅
Manage system apps
❌
✅
Block USB file transfer (device-wide)
❌
✅
Control status bar / notifications
❌
✅
Kiosk / Managed Home Screen
❌
✅
Wipe entire device
Work profile only
✅ Full wipe
Insights
Keep two separate profiles: one for fully managed employees, one for dedicated kiosks. The temptation to merge them into a single "corporate" profile always produces breakage — the kiosk status bar block confuses field engineers troubleshooting a fully managed laptop replacement, and the employee-level notification settings make kiosks chattier than they should be.
FRP is the most common decommission failure. Every return-to-stock or re-enrollment failure that comes in the form of "device is asking for a Google account after reset" is an unconfigured FRP. Set the exemption account before your first pilot device goes live.
Play Protect enforcement is your baseline integrity check. If Play Protect is disabled on a fully managed device, every other restriction in this profile can be bypassed by a sideloaded package. Treat a Play Protect-disabled device as unmanaged.
Safe boot is a policy bypass, not a troubleshooting tool. Engineers will ask to leave it enabled so they can troubleshoot, but safe boot effectively suspends the device admin. Disable it in policy and use MDM diagnostics for root-cause analysis instead.
Developer mode off is non-negotiable for corporate-owned hardware. ADB access with USB debugging on is a full policy bypass on most Android versions. No exceptions in the fully managed baseline; if a developer needs ADB access, they use a personally managed device with a documented exception.
System update policy on dedicated devices should be Automatic, never user-prompted. A kiosk device sitting in a break room asking "Update now or later?" breaks the kiosk experience and will sit unpatched indefinitely when users dismiss the prompt.
Lock, message, and locate a missing fully managed or dedicated Android device.
Android Lost Mode gives you a meaningful response when a company-owned device goes missing: the screen locks with a custom message and an emergency callback number, and you can pull a GPS location on demand. It is the Android parity to iOS Lost Mode — same concept, same Intune device blade, same audit-logged privacy model. The critical constraint: Lost Mode is only available on company-owned devices (fully managed COBO and dedicated/COSU). Work-profile BYOD devices get none of this. If your fleet mixes ownership models, understand that limitation before you build a lost-device runbook around it.
Unlike iOS, Android Lost Mode is an Intune remote action rather than a persistent MDM state enforced by the OS. The device receives the command over the Play EMM API, which means it needs a live data connection to respond. A device that is offline simply queues the action and executes when it reconnects — useful context when a user reports a phone stolen but the last check-in was 12 hours ago.
Applies toAndroid Enterprise — Fully Managed (COBO) and Dedicated (COSU)
Console pathDevices > Android > [device] > Lost mode
RequiresCompany-owned enrollment; device online for immediate effect
GotchaWork Profile (BYOD) and corporate-owned work profile devices are NOT supported
What Lost Mode Actually Does
When you enable Lost Mode, three things happen simultaneously:
The device screen is locked and a custom message you authored is shown on the lock screen — typically the help-desk number and a line like "This device is company property. If found, call…"
An emergency phone number you supply is displayed and dialable directly from the lock screen, without unlocking. The user (or finder) can call that number without any credentials.
The device becomes locatable via the Locate device action on the same blade — returning a GPS coordinate stamped with a timestamp. That location lookup is audit-logged in Intune.
Lost Mode does not wipe data, encrypt previously unencrypted data, or prevent a factory reset from recovery mode. Android Enterprise fully managed devices are already encrypted by default, so the encryption prerequisite is met automatically. If you need data destruction, follow with a remote wipe action.
Enabling Lost Mode Step by Step
Step 1Open the device bladeDevices > Android > All devices > [device name]
Step 2Trigger Lost modeSelect Lost mode from the remote actions menu; type the lock message and callback number
Step 3Locate the deviceOnce Lost mode is enabled, use Locate device to pull a GPS coordinate
Step 4Disable when recoveredReturn to the device blade and select Disable Lost mode to restore normal operation
Navigate to the device. Go to Devices > Android > All devices and open the device record. Confirm the ownership type shows Corporate — if it reads Personal the Lost mode action will be unavailable.
Select Lost mode. In the Overview pane, choose … (ellipsis) > Lost mode, or find it in the device action menu. A dialog appears asking for two fields: the message to display on the lock screen, and the phone number to surface for the finder. Both fields are required.
Compose a useful message. Keep it short — the lock screen has limited real estate. Include your organization name, a "call if found" instruction, and the callback number you are about to enter. Example: Company property of Contoso. If found, please call our IT desk.
Enter the callback number. This must be a real, staffed number. On a dedicated kiosk-style device found in public, the person who finds it needs an actionable way to return it. A general IT desk number works; a personal cell phone works better if you have field staff.
Submit and confirm. The action is queued immediately. If the device is online it will apply within seconds to a couple of minutes via the Play EMM push channel. Check Device actions (also on the device blade) to see the pending/succeeded/failed status.
Locate the device. Once Lost mode status shows Enabled, the Locate device action becomes available. Select it and confirm the privacy acknowledgment — Intune surfaces a prompt noting that location lookup is audit-logged. The returned coordinate includes latitude, longitude, and a timestamp. Accuracy depends on the device's last GPS/Wi-Fi fix; indoor or powered-off devices may return a stale location.
Disable when the device is recovered. Return to the device blade and choose Disable Lost mode. The screen unlocks and the device returns to its normal managed state. Always disable rather than wiping if there is any chance the device will be returned — wipe is irreversible.
Play Sound
Intune also surfaces a Play sound action on Android Enterprise fully managed devices. It blasts an audible alert at max volume for five minutes regardless of silent/DND mode — useful when the device is nearby but obscured under seat cushions or in a desk drawer.
Scope: What's Supported and What Isn't
Enrollment type
Lost Mode
Locate device
Play sound
Fully managed (COBO)
✅
✅
✅
Dedicated (COSU / kiosk)
✅
✅
✅
Corporate-owned work profile (COPE)
❌
❌
❌
Work profile / BYOD
❌
❌
❌
Android device administrator (legacy)
❌
❌
❌
COPE (corporate-owned work profile) is the notable gap engineers frequently hit. If your organization enrolled a device as COPE — common for corporate phones issued to named users where a personal workspace is allowed — those devices do not support Lost Mode. For those scenarios, your fallback is Conditional Access blocking on the noncompliance signal, session revocation in Entra, and a queued remote wipe. See the broader Lost Mode and remote actions reference for the full remote-action matrix across enrollment types.
Location Privacy and Audit Logging
Intune requires a click-through acknowledgment before returning GPS coordinates, mirroring the same model as iOS Lost Mode location lookups. Every Locate device action is recorded in the Intune audit log under Intune Audit logs in the portal. The log entry captures the admin UPN, the device identifier, and the timestamp. This is important for legal and HR proceedings — you have a defensible record that location was checked only after a lost-device report was filed.
Do not use Locate device for routine employee monitoring
Locate device is an on-demand action tied to a specific incident, not a continuous tracking feed.
Routine location surveillance via Intune is not the right tool — it requires employee consent frameworks and dedicated MDM telemetry products.
Each lookup is audit-logged with the admin identity. Unexplained clusters of location queries on non-lost devices will be visible in your audit trail.
Requirements and Prerequisites
Supervision/corporate ownership. The device must be enrolled as corporate-owned through Android Enterprise. This is established at enrollment time — you cannot retroactively convert a BYOD work-profile device.
Device online. Lost Mode is delivered via the Play EMM push channel. An offline device will queue the action but will not lock until it reconnects. If the device is powered off or in airplane mode, expect a delay of minutes to hours depending on when it gets connectivity.
APNs/FCM reachability. The Android device uses Firebase Cloud Messaging (FCM) for push-based command delivery. Corporate network egress policies that block FCM endpoints (fcm.googleapis.com) will delay or break remote actions. This is a common issue on heavily filtered corporate Wi-Fi; usually not a problem on cellular.
Intune license assigned. The managing admin needs appropriate Intune RBAC permissions — specifically the Remote tasks permission under the device category. By default, the Intune Service Administrator role covers this.
Insights
Test Lost Mode before an incident. Run it on a spare or staging device so you know the timing, the message format, and how to disable it. An incident is the wrong moment to discover the action takes three minutes to apply.
The callback number matters. A generic IT ticketing email does nothing for a finder. A staffed phone number — or at minimum a voicemail with a clear callback process — is what actually gets devices returned.
Offline devices are common in real lost-device scenarios. Someone who finds or steals a phone often powers it off or puts it in a faraday bag. The GPS coordinate you get may be the last-known location before power-off, not the current location. Treat it as a starting point, not a live ping.
Dedicated kiosk devices need Lost Mode most. A tablet strapped to a point-of-sale stand or mounted in a vehicle has real theft risk and no user whose identity gates access to it. Lost Mode + Locate is your only remote response before a full wipe.
Disable before wipe if recovery is possible. Wipe destroys data and the device re-enrolls from scratch. If there is any chance of physical recovery — police report filed, finder cooperating — leave the device in Lost Mode and attempt pickup before committing to a wipe.
Check the device actions tab, not just the overview. The device blade overview reflects current state, but the Device actions tab shows the full action history with timestamps and success/failure codes. This is the audit trail your security team will ask for.
The full remote-action toolkit for a missing Android device.
When an Android device goes missing, Intune gives you a meaningful set of remote actions — but exactly what's available depends on how the device was enrolled. A fully managed corporate device gives you almost every lever. A BYOD work-profile device gives you control over the work container, and nothing else. Knowing the difference before you need it is the difference between a controlled incident and a frantic support call at midnight.
This page walks through every remote action Intune offers for Android, the mode-by-mode capability reality, how Google Find My Device compares to Intune's own locate action, and the BYOD privacy boundary you must not cross.
RequiresIntune Device Enrollment Manager or appropriate RBAC role
GotchaWork Profile (BYOD) remote actions affect the work profile only — not the personal side of the device
The Remote Actions Menu
Navigate to Devices > Android, select the device, then look at the action bar across the top of the device overview. The actions that appear are filtered by enrollment mode — you will not see options the device cannot honor. Key actions and what they actually do:
Remote Lock. Sends a lock command immediately. On Android Enterprise fully managed and dedicated devices this locks the screen with the existing PIN/password in place. On work-profile devices it locks the work profile only — the personal side stays accessible to the user. Queued if the device is offline; executes on next check-in.
Reset Passcode. Behavior is highly mode-dependent (see table below). On fully managed Android Enterprise devices running Android 8+, Intune can clear the PIN so the user can set a new one on next unlock. On work-profile BYOD devices, only the work challenge PIN can be reset, never the device PIN — that's a hard OS boundary.
Locate Device. Requests the device's last-known GPS coordinates and displays them on a map inside the Intune console. Available on Android Enterprise dedicated and fully managed devices. Not available on BYOD work-profile devices — the OS deliberately withholds personal location data from the MDM layer.
Wipe. Factory resets the device to out-of-box state. Available on fully managed, dedicated, and corporate-owned work-profile (COPE) devices. On BYOD work-profile this option is replaced by Retire — wipe of the personal device is never permitted.
Retire. Removes the work profile (and all corporate apps and data within it) from a BYOD device. The personal side, personal apps, and personal photos are untouched. This is the correct action for a departing employee's personal device.
Sync. Forces an immediate check-in. Useful before other actions — if a device hasn't checked in recently, queued actions may be stale. See Sync and Check-In Issues for what to do when sync doesn't help.
Mode-by-Mode Capability Table
Enrollment Mode
Remote Lock
Reset Passcode
Locate
Wipe
Retire
Fully Managed (COBO)
✅ Full device
✅ Device PIN
✅
✅
✅ (same as wipe)
Dedicated (COSU / kiosk)
✅ Full device
✅ Device PIN
✅
✅
✅
Corporate-Owned Work Profile (COPE)
✅ Full device
✅ Device PIN
✅
✅
✅ Work profile only
BYOD Work Profile
✅ Work profile only
✅ Work challenge only
❌
❌
✅ Work profile only
Android Device Administrator (legacy)
✅ Full device
✅ (varies by OEM)
❌
✅
✅
Work Profile is not a full-device MDM
You cannot wipe a BYOD device through Intune. Ever. The OS enforces this, not a policy setting.
You cannot locate a BYOD device. Even if the user consents, the MDM API does not expose personal location.
Attempting to use Retire on a BYOD device removes the work profile — the user's personal data is never touched.
Queued vs. Immediate Actions
Intune remote actions are not real-time push commands — they are queued instructions that execute when the device next polls the Intune service. The default check-in interval for Android Enterprise is approximately 8 hours; the device checks in more frequently in the first 24 hours after enrollment. When you issue an action, the console shows it as Pending until the device checks in and reports back.
For a stolen device that is powered on and connected, this is usually fast — Google Cloud Messaging (FCM) delivers a push notification to trigger an immediate check-in. For a device that is off, in airplane mode, or on a blocked network, actions queue until connectivity is restored. This is why Lost Mode (available on COPE and fully managed devices) is useful — it activates a persistent screen lock with a contact message that survives reboots, rather than depending on a single queued command landing.
Google Find My Device vs. Intune Locate
These are distinct systems that complement each other rather than duplicate each other.
Capability
Intune Locate Device
Google Find My Device
Available on BYOD
❌
✅ (user-controlled)
Requires user Google account
❌
✅
IT-initiated without user
✅ (corp-owned only)
❌ (user must initiate)
Audit trail in Intune
✅
❌
Works when device offline
❌ (shows last known)
✅ (via nearby Android devices, Android 9+)
Play sound action
❌
✅
Train users on Google Find My Device for BYOD
For BYOD work-profile users, the only locate option is Google Find My Device — which they control themselves at android.com/find. Include this in your onboarding guidance so users know it exists before they need it.
Performing a Remote Wipe (Corporate Device)
Step 1Confirm ownershipVerify the device is corporate-owned in Intune before issuing a wipe — BYOD wipe will fail or retire instead
Step 3Issue WipeClick Wipe, choose whether to retain enrollment state, confirm with the device serial
Step 4Monitor statusWatch the action status in Device Actions; it moves from Pending → Complete when the device confirms
Decide on "Wipe device, but keep enrollment state and associated user account." If you want the device to auto-re-enroll via Android Zero-Touch or Knox Mobile Enrollment after the wipe, leave this checked. If the device is being decommissioned, leave it unchecked.
Watch for Factory Reset Protection (FRP). If the device wasn't enrolled via Zero-Touch or KME, a wipe can leave FRP active, requiring the original Google account credentials on first boot. See the next page on Factory Reset Protection and Recovery before issuing a wipe on any device not managed through a provisioning method that handles FRP.
BYOD Privacy Boundary — The Non-Negotiables
When a user enrolls their personal device into a work profile, Android OS enforces a hard separation. The MDM (Intune) has authority over the work profile only. This is not a configuration choice — it is the Android architecture. Your legal, HR, and IT teams should all understand that Intune cannot: read personal app data, see personal files or photos, access call logs, retrieve personal location, or wipe the personal partition. This is exactly why the work profile model exists — it gives organizations control without crossing into personal data.
Do
Use Retire for departing employees on BYOD — it's the correct action
Document which enrolled devices are corporate-owned vs BYOD in your asset system
Test remote lock and wipe in a lab on each enrollment mode before a real incident
Enable Lost Mode on COPE and fully managed devices as a policy default
Communicate Google Find My Device instructions to all BYOD users at onboarding
Don't
Expect Locate to work on BYOD — it won't, by design
Confuse Retire with a full wipe — personal data survives Retire on work-profile devices
Ignore FCM / GCM connectivity issues — if push notifications are blocked by a proxy, queued actions may sit for hours
Assume Android DA (legacy) has the same capabilities as Android Enterprise
Insights
FCM reachability is your real-time dependency. If corporate Wi-Fi blocks Google Firebase Cloud Messaging endpoints, remote actions will queue indefinitely until the device hits a network that allows it. Test FCM reachability as part of your network egress review.
The Retire action is reversible (partially). After Retire on a BYOD device, the user can re-enroll the work profile — personal data was never touched. Wipe on a corporate device is not reversible.
Reset Passcode on Android 14+ may behave differently. Google tightened passcode reset APIs in recent Android versions; some OEMs implement them inconsistently. Always test on your specific device fleet before relying on it in an incident response runbook.
Device Actions log is your audit trail. Every remote action — who initiated it, when, and the result — appears under the device's Device Actions tab. Export this for any security incident documentation.
Sync before acting. If the last check-in was more than a few hours ago, issue a Sync first and wait for it to complete before issuing lock or wipe — stale state can cause the console to show incorrect pending counts.
Keep stolen devices useless and returned devices recoverable — the FRP balance.
Factory Reset Protection is Google's built-in theft deterrent: after a factory reset, Android requires the previous Google account credentials before the device can be set up again. For consumers that's a feature. For corporate IT it's a double-edged sword — it locks stolen devices away from bad actors, but it also bricks returned hardware that nobody thought to configure for corporate recovery. Every Android enterprise deployment needs a deliberate FRP strategy before the first device ships, not after the first device comes back from an employee who left.
The stakes are concrete. An unconfigured FRP scenario means a returned Fully Managed device becomes unrecoverable without the departing user's personal Google credentials — or a Samsung Knox bypass that only works if KME was set up in advance. Getting this right is a one-time config with permanent operational payoff.
RequiresManaged Google Play + Android Enterprise binding; Samsung KME optional
GotchaFRP activates on manual factory reset even if device was enrolled — no MDM wipe protection
How FRP Works on Corporate Devices
When a device is factory reset through the hardware buttons (volume + power, or Settings > General management > Reset) rather than via the Intune Wipe action, Google's FRP kicks in during the subsequent Setup Wizard. The device demands sign-in with the Google account that was active when FRP was last configured. On a consumer device that's the user's personal Gmail. On a corporate Android Enterprise device, the relevant Google account is the one tied to your Managed Google Play binding — which is why you must configure a corporate bypass account before devices leave the building.
The Intune Wipe remote action bypasses FRP cleanly when sent from the console — it re-initializes the device in a way that clears the FRP lock. Manual resets do not. That distinction matters enormously at offboarding and when a device comes back from repair.
Configuring the Corporate FRP Bypass Account
Android Enterprise lets you designate up to ten Google accounts that can bypass FRP after a factory reset. Configure this in your enrollment profile or device restrictions profile so it's in place before devices enroll.
Step 1Create a dedicated FRP bypass accountUse a shared Google account (e.g., frp-bypass@yourdomain.com) — not a personal or admin account
Step 2Add it to device restrictionsDevices > Configuration > Create > Android Enterprise > Fully Managed > Device restrictions > General > Factory Reset Protection Google account IDs
Step 3Get the account ID stringNavigate to accounts.google.com/SignOutOptions while logged in — the numeric account ID appears in the URL or use the Admin SDK
Step 4Assign and verifyAssign the profile to all Fully Managed device groups; verify with a test reset on a spare device
Navigate to the restriction profile. In the Intune admin center go to Devices > Configuration > Create > New policy. Platform: Android Enterprise. Profile type: Device restrictions. Select the Fully Managed, Dedicated, and Corporate-Owned Work Profile template.
Find the FRP setting. Under General, locate Factory Reset Protection Google account IDs. Enter the numeric Google account ID (not the email address — Google requires the underlying account ID, a long integer). You can retrieve this from https://accounts.google.com/SignOutOptions when logged in as the bypass account, or via the Admin Directory API.
Save and assign. Assign to your All Fully Managed Devices dynamic group. The setting lands at next check-in; it does not require re-enrollment.
Document the bypass credentials. Store the account password in your password manager or IT vault. This is an operational emergency credential — treat it like a LAPS password.
Use a shared account, not a named admin
If you tie FRP bypass to a named IT admin's Google account, you lose it the day they leave. Create a purpose-built shared Google account owned by the team, with MFA, stored in your vault.
Samsung Knox and KME FRP Bypass
Samsung adds a second recovery path through Knox Mobile Enrollment. If your Samsung devices were registered in Zero-Touch or KME before deployment, Samsung's KME can bypass FRP automatically during Setup Wizard — the device re-enrolls without needing a Google account at all. This is the gold standard for Samsung-heavy fleets.
Scenario
FRP bypass method
Pre-setup required
All Android brands
Corporate Google account ID in device restrictions
Profile deployed before reset
Samsung — KME enrolled
KME auto-bypass at Setup Wizard
Device registered in KME before shipping
Samsung — Knox Manage
Knox license FRP bypass
Knox license applied
Zero-Touch enrolled device
Zero-Touch provisioner handles setup; FRP cleared
Zero-Touch registration in place
No configuration in place
Manual: requires departing user's Google credentials
❌ No recovery path
The unconfigured FRP failure mode
Employee resets device manually before returning it — FRP activates, locks to their managed Google account.
Managed Google Play account was tied to their corporate identity — IT does not have that credential.
Device is now a brick. Recovery requires contacting Google with proof of purchase, a process that takes days.
The only fix is to deploy the FRP bypass account before this happens, or use the Stolen-Device Playbook wipe path from the console.
Recover-Returned-Hardware Playbook
When a device comes back from an employee — via offboarding, upgrade, or repair — follow this sequence before attempting re-enrollment:
Check device state in Intune. Go to Devices > Android, find the device, confirm its last check-in. If it checked in within the last 24 hours, the device is still managed and you can send a Wipe action from the console to cleanly factory reset without triggering FRP.
Send a Wipe from console if device is reachable. Under the device's Overview, select Wipe. Leave Wipe device, but keep enrollment state and associated user account unchecked if you want a clean slate. This bypasses FRP.
If device was already manually reset, use the FRP bypass account. Power on the device, proceed through Setup Wizard until it asks for the previous Google account. Sign in with your designated bypass account. The device will proceed past FRP and can be re-enrolled.
Re-enroll the device. For Fully Managed devices with Zero-Touch or KME, the enrollment profile triggers automatically. For manual enrollment, use the QR code or token provisioning method from your enrollment profile.
Retire the old device record. After re-enrollment creates a new device object, retire or delete the stale record from Devices > Android to keep your inventory clean.
FRP and the Wipe vs. Retire Decision
Device is online, employee is leaving, you control the resetWipe from Intune consoleBypasses FRP cleanly; device is ready for re-enrollment
Device returned already factory-reset by the userFRP bypass account at Setup WizardRequires the bypass account configured in advance
Samsung device enrolled in KME, any reset scenarioKME auto-bypassSetup Wizard auto-provisions; no Google credential needed
Device lost or stolen, never coming backWipe + Retire in IntuneQueues wipe if device comes online; retire removes from inventory
Auditing FRP Configuration Health
There is no single Intune report labeled "FRP bypass configured." The practical audit is to verify your device restriction profile is assigned to all Fully Managed device groups and check that the Factory Reset Protection Google account IDs setting shows as Succeeded in per-device configuration status. Pull a Device configuration report from Devices > Configuration > your profile > Device status and filter for any Error or Conflict states — those devices are unprotected.
For Samsung KME, confirm device registration in the FRP configuration reference and in the KME portal directly. KME bypass only works if the device's IMEI or serial was registered before it shipped.
Do
Create a dedicated shared Google account for FRP bypass, stored in your password vault
Register Samsung devices in KME before shipping — it's a permanent safety net
Always use the Intune Wipe action at offboarding rather than instructing users to reset manually
Test FRP bypass with a spare device before a wide rollout
Include the bypass account ID in your device restriction profile assigned to all Fully Managed groups
Don't
Tie the FRP bypass account to a named admin — it disappears when they leave
Assume enrolled devices are FRP-safe without testing a manual-reset scenario
Instruct employees to factory reset their own devices at offboarding
Skip KME registration thinking you'll add it later — you can't register a device that's already in a user's hands
Ignore FRP config on dedicated/kiosk devices — they return for refresh just as often as user-assigned ones
Insights
The FRP brick is always an offboarding problem, never a deployment problem. Every organization that hits it had working enrollment — they just never tested the return path. Test the reset-and-recover cycle in your pilot before going wide.
Google account IDs are not email addresses. The device restrictions field takes the numeric ID (e.g., 123456789012345678), not the email. Entering the email silently fails — FRP is not bypassed and there's no error until a device is actually reset.
The console Wipe action is your best FRP bypass. It's always available while the device has any connectivity, it's clean, and it leaves the device in a state ready for re-enrollment. Build your offboarding SOP around IT-initiated wipe, not user-initiated reset.
KME is a one-time investment with permanent return. Registering Samsung devices in KME at procurement adds maybe five minutes of work and eliminates an entire category of operational headaches for the life of that device.
COPE and Work Profile devices behave differently. FRP on a COPE device protects the entire device, same as Fully Managed. Personal-use-enabled Work Profile devices enrolled via BYOD typically don't have a corporate FRP bypass — the personal Google account holds FRP and that's intentional. Don't try to manage it.
Repair depots are a hidden FRP risk vector. A device sent out for screen repair can be factory reset by the repair shop. If KME or a bypass account isn't in place, it comes back bricked from an IT perspective. Include FRP bypass documentation in your hardware repair vendor agreement.
The runbook when a corporate Android device is reported lost or stolen.
A stolen Android device is a race between your response speed and the attacker's. On Android Enterprise, Intune gives you real tools — Lost Mode for COPE/COBO devices, selective wipe for BYOD work profiles, Factory Reset Protection (FRP) as a last line of defense — but none of them matter if you don't run the playbook in the right order. This page is that playbook: actions in sequence, with the reasoning behind each step.
The first priority is always identity containment. Even if you never recover the hardware, revoking credentials stops data exfiltration cold. Encryption and FRP then keep the disk unreadable and the device unregistrable. Wipe comes after — not before — you've confirmed encryption and documented the incident for legal or insurance purposes.
Tokens and refresh tokens live on the device. Until you revoke them, an attacker can access M365, SharePoint, Teams, and any app that trusts an Entra-issued token — even without the device passcode, if the device isn't encrypted.
Revoke all active sessions in Entra. Navigate to Microsoft Entra admin center > Users > find the user > Revoke sessions. This signs the user out of all active browser and app sessions immediately.
Disable the Entra user account if the device is confirmed stolen (not just misplaced). Users > user > Edit properties > set Account enabled to No. This prevents new token issuance entirely.
Check Conditional Access implications. If you have a CA policy requiring a compliant device, the device will already fail compliance once it goes offline and misses its check-in window. Verify your Conditional Access policy covers Android and that the compliance grace period isn't so long it gives an attacker a window.
Reset the user's password if corporate credentials are also stored on the device (e.g. for COPE devices where users may have cached passwords in a browser).
Revocation is not instant everywhere
Entra session revocation propagates within minutes to most Microsoft services, but some third-party apps using long-lived tokens may not re-check immediately. Disabling the account is the more complete hammer if the device is confirmed stolen.
Step 2 — Locate and Lock the Device
Check last check-in and location. In Devices > Android > select the device > Overview. Note the last check-in time and, if location collection is enabled, the last known GPS coordinates. This feeds the police report.
Enable Lost Mode (company-owned devices only). For COBO and COPE devices, navigate to Devices > device > Lost mode. Enter a message, phone number, and footnote displayed on the lock screen. The device is immediately locked and all local user interaction is disabled. See the dedicated Lost Mode page for prerequisites and behavior details.
Use the Locate device action (available while Lost Mode is active on company-owned devices) to pull a fresh GPS fix if the device comes online. This is a one-shot action per activation.
For BYOD work profile devices, Lost Mode is not available. You have no visibility into device location — your only lever is the work profile. Proceed to Step 3.
Lost Mode requires the device to be online
The Lost Mode command is queued if the device is offline — it executes on next check-in.
If the SIM has been removed or mobile data disabled, the device may never check in again unless connected to Wi-Fi.
Airplane mode defeats all remote actions until connectivity is restored.
Step 3 — Wipe or Retire
Understand what each action does on Android Enterprise before you pull the trigger. The wrong choice is unrecoverable.
Action
COBO / Fully Managed
COPE
BYOD (Work Profile)
Wipe
Factory reset — entire device wiped, FRP triggers based on policy
Factory reset — entire device wiped
Same as Retire for work profile; full device wipe if admin-allowed
Retire
Removes MDM, leaves personal data (not applicable to dedicated/COBO)
Removes MDM profile, personal partition preserved
Deletes work profile only — personal data untouched ✅
Delete (Intune record)
Removes Intune record; does not wipe device ❌ use only after wipe
Same ❌
Same ❌
Confirm encryption status before wiping. Go to Devices > device > Hardware and verify encryption is reported as enabled. If the device was unencrypted, the disk contents may already be accessible — document this for the data breach assessment.
For COBO / COPE stolen devices: issue a Wipe. Navigate to Devices > device > Wipe. Enable Wipe device, but keep enrollment state and associated user account only if you plan to re-enroll the device post-recovery (rare in a theft). For a stolen device, leave this unchecked for a clean factory reset.
For BYOD work profile: issue a Retire.Devices > device > Retire. This performs a selective wipe — the work profile (apps, data, contacts, mail) is deleted, personal data is not touched. This is the correct and legally appropriate action for employee-owned hardware.
Consider Factory Reset Protection behavior. Before wiping, review your FRP policy. See Factory Reset Protection and Recovery for how to ensure a stolen device cannot be re-activated without corporate credentials — intentionally bricking it as a stolen-device control.
FRP as a stolen-device deterrent
If your FRP policy requires a corporate Google account to activate after reset, the stolen device becomes a brick to the thief. Configure this before the incident — you cannot change FRP policy after the fact on a device you've lost physical access to.
Step 4 — Documentation and Close-Out
Record all actions with timestamps. Export the Intune device audit log: Tenant administration > Audit logs, filter by device name or serial. Screenshot and preserve the encryption status, last check-in, and all remote actions issued. This is your legal and insurance artifact.
File the police report. Provide device serial number, IMEI (visible in Devices > device > Hardware), last known location if available, and the timeline of MDM actions.
Notify your security/privacy team if the device held any data classified above your data-at-rest encryption threshold as sufficient protection, or if encryption was not confirmed.
Delete the Intune record only after the wipe completes (status shows in the device overview). Deleting the record first removes your ability to issue further remote actions.
Re-enable the user account (if it was disabled) and issue a new device once the incident is closed.
BYOD vs Company-Owned: Key Differences
Device is company-owned (COBO or COPE)Full wipe + Lost ModeLock with Lost Mode first, then wipe; FRP should block re-activation
Device is employee-owned (BYOD, work profile)Selective wipe (Retire)Work profile deleted, personal data preserved; no Lost Mode available
Encryption was not confirmed before lossEscalate to security team immediatelyTreat as a potential data breach regardless of wipe status
Do
Revoke Entra sessions and disable the account before anything else
Confirm encryption status and record it before wiping
Use Retire (selective wipe) for BYOD devices — full wipe is disproportionate and legally risky
Document the IMEI and serial number for the police report
Pre-configure FRP policy before devices leave the building
Delete the Intune record only after a wipe is confirmed complete
Don't
Wipe before revoking credentials — identity containment comes first
Delete the Intune device record prematurely — it kills your remote-action ability
Assume a queued wipe has executed — check device status to confirm
Ignore a BYOD stolen report just because you "only" have work profile data on it
Re-enable the user account before the incident is fully assessed
Insights
Encryption is the real control — remote wipe is the cleanup. If the device was encrypted with a strong passcode and FRP is configured correctly, the hardware is useless to the thief before you issue a single command. Wipe is administrative closure, not data protection.
Tokens outlive the device. An unlocked device in an attacker's hands for thirty seconds is enough to extract app tokens. Revoke Entra sessions before you do anything else — this is the highest-leverage action in the first five minutes.
Lost Mode is company-owned only. The moment you hear "BYOD," remove Lost Mode from your mental playbook. You get Retire and that's it — which is correct, because you have no business locking a personal phone.
The wipe queue is invisible to the attacker — until it fires. A device can be wiped the moment it reconnects to any network, even if the SIM was swapped. Keep the Intune record alive and the wipe queued.
FRP configuration is a pre-crime control. You cannot retroactively add FRP protection to a stolen device. If your COBO fleet doesn't have FRP configured to require a corporate account, a thief can factory-reset and sell the hardware. Fix this now, not during the next incident.
