Owner: Desktop Engineering · Platform: Microsoft Intune · Review Cycle: 6 months
All corporate endpoints are enrolled in and managed by Microsoft Intune. Intune provides MDM (Mobile Device Management) and MAM (Mobile Application Management) capabilities, backed by Microsoft Entra ID for identity. The estate is co-managed with Microsoft Defender for Endpoint (MDE) for security telemetry and response.
| Device Type | Enrolment Method | Pre-requisite |
|---|---|---|
| Corporate Windows PC | Windows Autopilot (user-driven) | Device pre-registered in Autopilot |
| Corporate Windows PC (reimaged) | Intune bulk enrolment token | IT-initiated |
| MacBook (corporate) | ADE (Apple DEP) via Intune | Device in Apple Business Manager |
| iOS / iPadOS (corporate) | ADE / Supervised | Apple Business Manager |
| Android (corporate) | Android Enterprise — Fully Managed | Zero-touch enrolment |
| BYOD (personal device) | Intune Company Portal — MAM-WE | User self-service |
All enrolled corporate devices are evaluated against a compliance policy. Non-compliant devices are blocked from corporate resources via Entra ID Conditional Access.
| Setting | Required Value |
|---|---|
| Minimum OS version | 22H2 (Build 22621) |
| BitLocker | Required — enabled |
| Secure Boot | Required — enabled |
| TPM | Required — version 2.0 |
| Antivirus | Required — MDE active |
| Firewall | Required — enabled |
| Defender real-time protection | Required |
| Device risk level (MDE) | Maximum: Medium |
| Intune MDM Agent | Required — enrolled |
| Sign-in risk (Entra ID Protection) | Maximum: Low |
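As an added example (not part of this page or of any Intune/Microsoft tooling), the script below is a read-only local pre-check that mirrors the Windows compliance table above, so a technician can see which requirement a device will fail before Conditional Access blocks it. It runs in an elevated PowerShell session on the device under test. Two things are assumptions about how state is surfaced locally: the Intune MDM enrolment is detected from an enrolment registry key whose ProviderID is 'MS DM Server', and a running 'Sense' service is used as the indicator that MDE is active. The MDE device-risk and Entra sign-in-risk rows are cloud-evaluated and are deliberately not checked here.

```powershell
# Added example: local pre-check against the Windows compliance policy (not Intune's own evaluation).
#Requires -RunAsAdministrator

$MinimumBuild = 22621   # from the compliance table: 22H2 (Build 22621)

function Test-WindowsCompliancePrereqs {
    param([int]$MinBuild = $MinimumBuild)

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # BitLocker on the OS volume: ProtectionStatus must be On (encrypted with protectors suspended still fails)
    $bde         = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bitLockerOn = ($bde.ProtectionStatus -eq 'On')

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS/CSM machines; treat that as a fail
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # TPM 2.0: Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.59"; the first component is the spec level
    $tpm     = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $tpm20   = ($tpmSpec -eq '2.0')

    # Firewall: every profile (Domain, Private, Public) must be enabled
    $fwProfiles = Get-NetFirewallProfile
    $firewallOn = (@($fwProfiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0)

    # Defender AV real-time protection
    $mp  = Get-MpComputerStatus
    $rtp = [bool]$mp.RealTimeProtectionEnabled

    # MDE sensor: assumption - the 'Sense' service runs once the device is onboarded, used here as "MDE active"
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $mdeActive = ($null -ne $sense -and $sense.Status -eq 'Running')

    # Intune MDM enrolment: assumption - an enrolment key with ProviderID 'MS DM Server' indicates MDM enrolment
    $mdmEnrolled = $false
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID -eq 'MS DM Server') { $mdmEnrolled = $true }
    }

    # One row per compliance-table setting, in the table's order
    @(
        [pscustomobject]@{ Setting = 'Minimum OS version';           Required = "Build >= $MinBuild"; Actual = "Build $build";        Pass = ($build -ge $MinBuild) }
        [pscustomobject]@{ Setting = 'BitLocker';                    Required = 'Protection On';      Actual = "$($bde.ProtectionStatus)"; Pass = $bitLockerOn }
        [pscustomobject]@{ Setting = 'Secure Boot';                  Required = 'Enabled';            Actual = $secureBoot;           Pass = $secureBoot }
        [pscustomobject]@{ Setting = 'TPM';                          Required = 'Version 2.0';        Actual = $tpmSpec;              Pass = $tpm20 }
        [pscustomobject]@{ Setting = 'Antivirus (MDE active)';       Required = 'Sense running';      Actual = $(if ($sense) { "$($sense.Status)" } else { 'not installed' }); Pass = $mdeActive }
        [pscustomobject]@{ Setting = 'Firewall';                     Required = 'All profiles on';    Actual = (($fwProfiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' '); Pass = $firewallOn }
        [pscustomobject]@{ Setting = 'Defender real-time protection'; Required = 'Enabled';           Actual = $rtp;                  Pass = $rtp }
        [pscustomobject]@{ Setting = 'Intune MDM Agent';             Required = 'Enrolled';           Actual = $mdmEnrolled;          Pass = $mdmEnrolled }
    )
}

$results = Test-WindowsCompliancePrereqs
$results | Format-Table Setting, Required, Actual, Pass -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "Device would be marked non-compliant on: $($failed.Setting -join ', ')"
}
```

Each row carries the required value, the observed value and a pass flag, so the output reads like the compliance table itself; a non-empty warning at the end is the list of rows Intune would report as failed.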
| Setting | Required Value |
|---|---|
| Minimum macOS version | 14.0 (Sonoma) |
| FileVault | Required — enabled |
| Firewall | Required — enabled |
| Password required | Required, min 12 chars, complexity enabled |
| MDE risk level | Maximum: Medium |
Configuration profiles are deployed via Intune and enforce security settings on all managed devices. Key profiles:
| Profile Name | Scope | Policy Highlights |
|---|---|---|
| Win-CIS-L1-Security | All Windows | CIS Benchmark Level 1 — 150+ settings |
| Win-BitLocker-Policy | All Windows | XTS-AES 256, TPM+PIN on shared devices |
| Win-Defender-AV | All Windows | Real-time protection, cloud-delivered protection, tamper protection on |
| Win-Windows-Update | All Windows | Windows Update for Business — deferral: 7 days quality, 14 days feature |
| Win-Edge-Security | All Windows | Edge managed profile, SmartScreen, password manager policy |
| macOS-FileVault | All macOS | FileVault enabled, key escrowed to Intune |
| macOS-CIS-L1 | All macOS | CIS macOS Level 1 baseline |
| iOS-Corp-Email | iOS supervised | MDE app, email profile, web content filter |
New corporate laptops ship directly from Dell (or HPE) to end-users using Windows Autopilot User-Driven mode. The provisioning flow:
Device ships from OEM (hardware hash pre-registered via OEM)
│
▼
User receives device, powers on
│
▼
OOBE: User enters corporate email address
│
▼
Entra ID authentication (MFA required)
│
▼
Autopilot profile downloaded from Intune
│
▼
Device renamed (CORP-{site}-{asset tag})
│
▼
Intune enrolment begins
├── Compliance policy evaluated
├── Configuration profiles applied
├── Required apps deployed
└── Conditional Access activated
│
▼
User presented with desktop (~45 minutes total)
Device naming convention: CORP-{SITE}-{ASSET} e.g. CORP-HQ-12345
| Update Type | Deferral Period | Deployment Ring |
|---|---|---|
| Quality (security) | 0 days (Pilot), 7 days (Broad) | Pilot → Broad |
| Feature (major) | 14 days (Pilot), 30 days (Broad) | Pilot → Broad |
Pilot ring: 5% of devices (selected volunteers and IT staff).
Broad ring: remaining 95% of devices.
Patch compliance target: 95% of devices patched within 14 days of release. Reported monthly to the CISO.
Driver updates via Windows Update for Business — approved driver updates are deployed 30 days after Microsoft release. BIOS/firmware updates for Dell devices via Dell Command Update (deployed as a Win32 app via Intune).
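The following is an added example, not from this page or from Intune, showing how the monthly patch-compliance figure described above can be computed from a device list. The ring deferrals (quality 0/7 days, feature 14/30 days) and the 95%-within-14-days target come from the page; the release date, device names, ring membership and install dates are constructed sample data in the shape an Intune update report export might take once reduced to those columns.

```powershell
# Added example: patch-compliance report against the ring deferrals and 14-day target (not Intune's own report).

# Deferral days per update type and ring, as in the update-ring table
$Deferrals = @{
    Quality = @{ Pilot = 0;  Broad = 7  }
    Feature = @{ Pilot = 14; Broad = 30 }
}

function Get-PatchCompliance {
    param(
        [Parameter(Mandatory)] [object[]]$Devices,        # objects with DeviceName, Ring, InstalledOn ($null = not yet installed)
        [Parameter(Mandatory)] [datetime]$ReleaseDate,
        [ValidateSet('Quality', 'Feature')] [string]$UpdateType = 'Quality',
        [int]$WindowDays = 14,                            # compliance target: patched within 14 days of release
        [double]$TargetPercent = 95,
        [datetime]$AsOf = (Get-Date)
    )
    $deadline = $ReleaseDate.AddDays($WindowDays)
    $rows = @(foreach ($d in $Devices) {
        $offeredOn = $ReleaseDate.AddDays($Deferrals[$UpdateType][$d.Ring])   # when the ring first receives the update
        $installed = ($null -ne $d.InstalledOn)
        $compliant = ($installed -and ($d.InstalledOn -le $deadline))
        [pscustomobject]@{
            DeviceName  = $d.DeviceName
            Ring        = $d.Ring
            OfferedOn   = $offeredOn.ToString('yyyy-MM-dd')
            InstalledOn = if ($installed) { $d.InstalledOn.ToString('yyyy-MM-dd') } else { 'pending' }
            Compliant   = $compliant
            # Days past the deadline; 0 when compliant, measured to $AsOf for devices still pending
            DaysLate    = if ($compliant) { 0 } elseif ($installed) { ($d.InstalledOn - $deadline).Days } else { ($AsOf - $deadline).Days }
        }
    })
    $pct = [math]::Round(100 * @($rows | Where-Object Compliant).Count / $rows.Count, 1)
    [pscustomobject]@{
        UpdateType       = $UpdateType
        ReleaseDate      = $ReleaseDate.ToString('yyyy-MM-dd')
        Deadline         = $deadline.ToString('yyyy-MM-dd')
        TotalDevices     = $rows.Count
        CompliantPercent = $pct
        MeetsTarget      = ($pct -ge $TargetPercent)
        PerRing          = @($rows | Group-Object Ring | ForEach-Object {
            [pscustomobject]@{
                Ring             = $_.Name
                Devices          = $_.Count
                CompliantPercent = [math]::Round(100 * @($_.Group | Where-Object Compliant).Count / $_.Count, 1)
            }
        })
        Exceptions       = @($rows | Where-Object { -not $_.Compliant })
    }
}

# Constructed sample data: one quality release and six devices
$release = Get-Date '2024-06-11'
$sample  = @(
    [pscustomobject]@{ DeviceName = 'CORP-HQ-10001'; Ring = 'Pilot'; InstalledOn = Get-Date '2024-06-11' }
    [pscustomobject]@{ DeviceName = 'CORP-HQ-10002'; Ring = 'Pilot'; InstalledOn = Get-Date '2024-06-12' }
    [pscustomobject]@{ DeviceName = 'CORP-HQ-20001'; Ring = 'Broad'; InstalledOn = Get-Date '2024-06-19' }
    [pscustomobject]@{ DeviceName = 'CORP-HQ-20002'; Ring = 'Broad'; InstalledOn = Get-Date '2024-06-24' }
    [pscustomobject]@{ DeviceName = 'CORP-HQ-20003'; Ring = 'Broad'; InstalledOn = Get-Date '2024-06-28' }  # installed after the 14-day deadline
    [pscustomobject]@{ DeviceName = 'CORP-HQ-20004'; Ring = 'Broad'; InstalledOn = $null }                  # still pending
)

$report = Get-PatchCompliance -Devices $sample -ReleaseDate $release -UpdateType Quality -AsOf (Get-Date '2024-07-01')
$report | Select-Object UpdateType, ReleaseDate, Deadline, TotalDevices, CompliantPercent, MeetsTarget | Format-List
$report.PerRing    | Format-Table -AutoSize
$report.Exceptions | Format-Table DeviceName, Ring, OfferedOn, InstalledOn, DaysLate -AutoSize
```

The per-ring breakdown matters because the Broad ring only receives a quality update seven days after release, which leaves it seven days to reach the 14-day target; the exception list (with days late) is the part of the monthly report that turns into follow-up work.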
| Phase | Tool | Notes |
|---|---|---|
| Packaging | Microsoft Intune Win32 / MSIX | See App Delivery page |
| Deployment | Intune App Assignments | Required (mandatory) or Available (optional via Company Portal) |
| Inventory | Intune Device Inventory + Defender | Installed app list per device |
| Removal | Intune uninstall assignment | Initiated on licence recall or software retirement |
Intune admin center: https://intune.microsoft.com (SSO via Entra ID)