Enable and configure Intune

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Using Microsoft Intune, you can manage your organization’s devices: mobiles, laptops, tablets, Cloud PCs, and Azure Virtual Desktops.

This feature allows for the management of Intune-enrolled endpoints, including AVD hosts, Windows 365 Cloud PCs, and physical devices.

Operation modes and permissions

When you set up Nerdio Manager's Intune integration, you'll grant it a set of permissions to carry out the functions you select. The scope of these permissions depends on the operation mode you choose. You can configure Nerdio Manager's Intune integration to work in one of three modes, listed below. Your organizational security policies may determine which of the following is preferable for your tenant - for example, if your organization imposes restrictions on application-level permissions or on the number of users to which it grants admin rights:

  • Application context (default): Nerdio Manager obtains application-level permissions to perform the functions you select. No permissions need to be granted to individual users, and the majority of features are supported in this mode. However, a small number of operations, such as viewing BitLocker keys, can't be performed in this mode.

  • User context: Nerdio Manager obtains the necessary delegated access permissions to perform the functions you select on behalf of the signed-in admin user. You can switch to this mode during initial configuration, or at any time from the Intune integration settings.

  • Application & user context: Nerdio Manager operates primarily in application context, but uses the delegated access permissions associated with a linked Intune service account to perform operations that are supported only in user context. To set this mode, first configure the integration to run in application context, then Link an Intune service account to add support for features that require delegated access permissions.

    Note: If the Intune integration is already enabled, you can determine its current operation mode as follows:

    1. In Nerdio Manager, navigate to Settings > Environment.

    2. In the Integrations tile, select and expand Intune.

    3. Scroll down to the Mode field. The value displayed in this field is the current operation mode.

Enable Intune, choose operation mode, and configure features

You need to enable and configure Intune before you can use it in Nerdio Manager.

Notes:

  • Intune integration can be limited by device type or Entra ID user group.

  • An Intune license must be present in the Entra ID tenant where Nerdio Manager is installed.

  • If Cloud PC is selected, a Windows 365 license must be present in the Entra ID tenant where Nerdio Manager is installed.

  • The user must be an Administrator in order for the process to complete successfully.

To enable and configure Intune:

  1. In Nerdio Manager, navigate to Settings > Environment.

  2. In the Integrations tile, select and expand Intune.

  3. The Current status field shows whether Intune is Disabled or Enabled for the tenant. To change this status or to configure Intune settings, select Configure.

  4. To enable Intune, toggle the Current Status option On. To disable Intune, toggle this option Off.

  5. The User Operating Mode toggle determines the scope of permissions granted to the Nerdio Manager Intune integration. (See Operation modes and permissions above.)

    • Leave this option turned Off to implement Intune in application context and grant Nerdio Manager application-level permissions to perform the functions you select.

    • Turn this option On to implement Intune in user context and grant the necessary delegated access permissions on behalf of the signed-in admin user.

      Note: The User Operating Mode setting determines the set of features you can configure in the next step.

  6. Select the Intune features you want to enable. When you complete configuration, Nerdio Manager will request the appropriate application-level and/or delegated permissions.

    • If Intune will operate in application context (User Operating Mode turned Off), select the features you want to enable under the Configurable Features heading.

    • If Intune will operate in user context (User Operating Mode turned On),

      • Select the application-level features you want to enable under the Nerdio managed application features heading.

      • Select the user-level features you want to enable under the Delegated user features heading.

      Note: See Intune: Granular permissions for a deep dive into the features and permissions.

  7. Select the device type(s) and platform(s) you want to manage under the Device Visibility Scope Limitations heading: 

    • Device platform: From the drop-down list, select the device platform(s) you want to manage.

      Note: By default, only Windows devices are included. You can also manage Android, iOS/iPadOS, and macOS devices.

    • Device type scope: Optionally, from the drop-down list, select the device type(s) you want to manage.

      Note: By default, all Intune devices are included. Optionally, device management can be limited to AVD hosts, Windows 365 Cloud PC, and/or physical devices.

    • Limit by Entra ID group: Optionally, from the drop-down list, select one or more Entra ID groups to restrict management to include only devices for the users defined within the selected groups.

      Note: This option works in combination with the selected Device type scope.

    • Include devices that have no primary user: Select this option to include any devices that have not been assigned to a user.

      Note: This option is limited by the selected Device type scope, but ignores any selected Limit by Entra ID group rules.

  8. Once you have entered all the desired information, select Save.

Link an Intune service account

If your Intune integration is configured to operate in application context and you want to enable operations that require delegated access permissions, such as viewing BitLocker keys, you can link an Intune service account that has been granted Intune Administrator permissions in Entra ID to change to Application & user context mode.

Note: Settings relating to linked Intune service accounts take effect only when Intune is configured to operate in application context. If you link a service account while Intune is operating in user context (or switch to user context after linking a service account), the configured operation mode will determine the Intune integration's access permissions, and the linked account will have no effect.

To link an Intune service account:

  1. Navigate to Settings.

  2. Select Environment, and then select the Integrations tab. Navigate to the Intune section, select the down arrow to expand the section, and then select Link Intune Service Account.

  3. In the Link User Account dialog box, select Login to be redirected to a login page.

  4. Log in as a user with an active Intune Administrator role to be used for Intune.

    Note: This user must have a role assignment in Nerdio Manager RBAC. See Role-based access control (RBAC) in Nerdio Manager for details.

Intune management permissions

Depending on the features you select, configuring the Intune integration will add some or all of the following permissions for the Nerdio Manager application and/or the signed-in admin user, if they are not already in place:

  • BitlockerKey.Read.All (delegated)

  • BitlockerKey.ReadBasic.All (delegated)

  • CloudPC.ReadWrite.All (delegated or application, depending on operation mode)

  • Device.Read.All (delegated or application)

  • DeviceManagementApps.ReadWrite.All (delegated or application)

  • DeviceManagementConfiguration.ReadWrite.All (delegated or application)

  • DeviceManagementManagedDevices.PrivilegedOperations.All (delegated or application)

  • DeviceManagementManagedDevices.ReadWrite.All (delegated or application)

  • DeviceManagementRBAC.ReadWrite.All (delegated or application)

  • DeviceManagementServiceConfig.ReadWrite.All (delegated or application)

  • Group.ReadWrite.All (delegated or application)

  • GroupMember.ReadWrite.All (delegated or application)

  • Policy.Read.All (delegated or application)

Note: See Intune: Granular permissions for more information on these permissions and their corresponding features.
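The list above is what the integration may request; the added script below (not Nerdio's code) is a least-privilege audit that reads what the Nerdio Manager enterprise application has actually been granted against Microsoft Graph and flags anything not documented on this page. It assumes the Microsoft.Graph PowerShell SDK, an account that can read service principals and permission grants, and that the application's display name is "Nerdio Manager" (an assumption; adjust it for your tenant).

```powershell
# Added example (not Nerdio's code): compare granted Graph permissions with the documented list.
Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.Read.All"

# Display name is an assumption; use the name of your Nerdio Manager enterprise application.
$nerdioSp = Get-MgServicePrincipal -Filter "displayName eq 'Nerdio Manager'"
# 00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Permissions documented on this page.
$expected = @(
  'BitlockerKey.Read.All','BitlockerKey.ReadBasic.All','CloudPC.ReadWrite.All','Device.Read.All',
  'DeviceManagementApps.ReadWrite.All','DeviceManagementConfiguration.ReadWrite.All',
  'DeviceManagementManagedDevices.PrivilegedOperations.All',
  'DeviceManagementManagedDevices.ReadWrite.All','DeviceManagementRBAC.ReadWrite.All',
  'DeviceManagementServiceConfig.ReadWrite.All','Group.ReadWrite.All',
  'GroupMember.ReadWrite.All','Policy.Read.All'
)

# Application permissions are app role assignments; resolve each role id to its name
# using the Microsoft Graph service principal's published app roles.
$appGranted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $nerdioSp.Id |
  Where-Object ResourceId -eq $graphSp.Id |
  ForEach-Object { $roleId = $_.AppRoleId; ($graphSp.AppRoles | Where-Object Id -eq $roleId).Value }

# Delegated permissions are OAuth2 permission grants; Scope is a space-separated list.
$delegatedGranted = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($nerdioSp.Id)'" |
  Where-Object ResourceId -eq $graphSp.Id |
  ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ } | Sort-Object -Unique

$allGranted = @($appGranted) + @($delegatedGranted) | Sort-Object -Unique

[pscustomobject]@{
  ApplicationGranted      = @($appGranted | Sort-Object)
  DelegatedGranted        = @($delegatedGranted)
  GrantedButNotDocumented = @($allGranted | Where-Object { $_ -notin $expected })
}
```

Anything in GrantedButNotDocumented is worth explaining before the next access review, since the integration only needs the permissions that match the features you selected.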

Enable Windows update for business reports

Nerdio Manager allows you to integrate Windows Update for Business (WUfB) reports.

To enable WUfB reports:

  1. In the Azure portal, manually create a Log Analytics Workspace (LAW) and enable the WUfB reports workbook.

    Notes:

    • See this Microsoft article for detailed instructions.

    • This could take up to 24 hours to be enabled.

  2. Optionally, you may want to create the update rings from the Intune Portal. (Nerdio Manager will provide this capability from within the application in a future release.)

  3. In Nerdio Manager, navigate to Settings > Azure environment.

  4. In the Intune (Unified Endpoint Management) tile, locate the Windows Update for Business reports parameter and select Disabled.

  5. Enter the following information:

    • Windows update for business reports: Toggle on this option.

    • Log Analytics Workspace: From the drop-down list, select an existing LAW to use. Alternatively, type the name of a new LAW to create and use.

    • Select one of the following:

      • Automatically assign the Intune policy to enable WUfB Reports on all managed endpoints: Select this option to assign this policy to all endpoints.

      • Use an existing configuration profile: Select this option to use an existing configuration profile.

      • I'll enable WUfB Reports on endpoint myself: Select this option to assign the policy to the endpoints yourself.

        Note: WUfB Reports can be enabled manually, by script, or by deploying an Intune policy. See this Microsoft article for detailed information.

  6. Once you have entered all the desired information, select Save.

    Windows Update for Business reports are now enabled.

Configure automatic policy and profile backups

Nerdio Manager allows you to configure automatic policy and profile backups. This ensures a backup of a policy or profile is taken whenever it is edited, either in the Nerdio console or from the native Intune console. See Intune: Policies and profiles backup management for details.

Configure policy approval requests

The policy approvals workflow is a Nerdio Manager feature that allows you to designate approvers to review any policy change requests before they're implemented in Intune. This ensures that all policy changes are reviewed by at least one other user before being deployed to users or endpoints, minimizing the risks associated with the policy management lifecycle.

To enable policy approval requests:

  1. In Nerdio Manager, navigate to Settings > Environment, and then select the Integrations tab.

  2. Expand the Intune section and scroll down to Policy approval requests.

  3. Select the cog icon to open the configuration menu.

  4. Toggle the switch to Enabled, then select Save.
    While policy approval requests are enabled, changes to Intune policies will no longer be applied immediately but will instead be queued for approval in the Approvals dashboard under Endpoints > Approvals.

    Notes:

    • The ability to view and approve policy change requests is governed by RBAC, as follows:

      • By default, users assigned the built-in Admin role can approve policy change requests, while users assigned the built-in Reviewer role have read-only access to change requests awaiting approval.

      • You can also enable users to view or manage policy change requests by adding the Intune permissions Read Approvals or Manage Approvals to a new or existing custom role.

      • Users who have the Manage Policies permission but don't have the Read Approvals or Manage Approvals permission are able to view the Approvals dashboard but will see only their own approval requests.

    • To ensure the robustness of the approval process, users with approval permissions cannot approve their own changes. Therefore, when enabling this feature, you need to make sure you have a sufficiently sized pool of approvers to provide timely review.

Enable Intune insights and configure thresholds

Nerdio Manager Intune insights is a comprehensive endpoint analytics tool that provides data-driven insights, allowing you to proactively address device performance issues, improve user experience, and optimize device configurations. For details, see Insights: Intune.

To use Intune insights:

  1. Enable Intune insights in your environment.

  2. Configure Intune insights thresholds to be able to:

    • Define acceptable performance levels: Set limits for key metrics (e.g., compliance status, patch status, app health) to quickly identify devices that fall below your standards.

    • Enable proactive monitoring: Get alerted when issues arise before they escalate.

    • Improve visibility: Highlight problem areas in dashboards using red, amber, or green (RAG) status indicators, making it easier to assess overall device health at a glance.

    • Optimize remediation efforts: Prioritize troubleshooting based on severity, ensuring critical issues receive attention first.

To enable Intune insights:

  1. In Nerdio Manager, navigate to Settings > Environment, and then select the Integrations tab.

  2. In the Intune section, select the down arrow to expand the section, and scroll down to Intune Insights.

  3. Select the toggle to enable Intune Insights.

  4. You can now configure thresholds for your Intune insights.

To configure Intune insights thresholds:

  1. Navigate to Settings > Environment, select the Integrations tab, and in the Intune section, select the down arrow to expand the section, and scroll down to Intune Insights. Select the cog icon.

  2. In the Intune insights thresholds dialog box, define thresholds for the following aspects:

    • Tenant: Missing security patch or unsupported OS

    • Tenant: Intune certificate thresholds (for example, Apple VPP, Enrollment, and Push)

    • Compliance policies

    • Configuration profiles

    • Managed apps

  3. Select Save.

Manage Intune Insights

Nerdio Manager allows you to view the status of Intune insights and to perform a manual synchronization.

To view Intune insights status:

  1. Navigate to Settings > Environment, select the Integrations tab, and in the Intune section, select the down arrow to expand the section, and scroll down to Intune Insights. Select the status icon.

  2. The Intune insights status is displayed.

  3. Select the status icon again to close the dialog box.

To synchronize Intune insights:

  1. Navigate to Settings > Environment, select the Integrations tab, and in the Intune section, select the down arrow to expand the section, and scroll down to Intune Insights. Select the sync icon.

  2. In the Intune Insights Sync dialog box, select Sync.

Additional information

For Active Directory Domain Services (ADDS) and Entra Domain Services scenarios, the ADDS service account must be configured with local administrative permissions for the devices in scope. To enable the domain service account feature in the product, please add the app service setting Features:UamServiceAccounts. For more details on this setting, see Advanced App Service configurations.

Limitations:

  • Service accounts do not support Entra ID Join scenarios. This setting is bypassed in Entra ID Joined deployments.

  • Service accounts must be excluded from multi-factor authentication policies. However, it is recommended that a conditional access policy is applied to the account to allow use on trusted networks only.
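The second limitation asks for a conditional access policy that confines the service account to trusted networks. The added script below (not Nerdio's code) creates such a policy through Microsoft Graph, targeting only the service account and blocking every sign-in that does not originate from an existing trusted named location. It assumes the Microsoft.Graph PowerShell SDK, an account allowed to manage Conditional Access, and that you substitute the placeholder object ids for your service account and named location.

```powershell
# Added example (not Nerdio's code): Conditional Access policy that blocks the linked Intune
# service account everywhere except a trusted named location.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Placeholders: the service account's user object id and the id of an existing named location
# that represents your trusted network ranges.
$serviceAccountId  = "<object-id-of-intune-service-account>"
$trustedLocationId = "<id-of-trusted-named-location>"

$policy = @{
  displayName = "Block Intune service account outside trusted networks"
  # Report-only first: sign-in logs show what would be blocked before the policy is enforced.
  state       = "enabledForReportingButNotEnforced"
  conditions  = @{
    # Scope the policy to the single service account, not to all users.
    users        = @{ includeUsers = @($serviceAccountId) }
    applications = @{ includeApplications = @("All") }
    locations    = @{
      includeLocations = @("All")
      # The trusted named location is the only place the account may sign in from.
      excludeLocations = @($trustedLocationId)
    }
  }
  grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After confirming in the sign-in logs that only the expected untrusted sign-ins would be blocked, switch the policy state to "enabled"; keep the account excluded from MFA policies as the limitation above requires, because this location policy is what compensates for that exclusion.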

Related Topics

Intune: Manage devices
