UEM: Enable and configure Intune
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Using Microsoft Intune, you can manage your organization's devices: mobiles, laptops, tablets, Cloud PCs, and Azure Virtual Desktop session hosts.
This feature allows for the management of Intune-enrolled endpoints, including AVD hosts, Windows 365 Cloud PCs, and physical devices.
Enable and configure Intune
Intune must be enabled and configured before it can be used in Nerdio Manager.
Notes:
Intune integration can be limited by device type or by Entra ID user group.
An Intune license must be present in the Entra ID tenant where Nerdio Manager is installed.
If Cloud PC is selected as a device type, a Windows 365 license must be present in the Entra ID tenant where Nerdio Manager is installed.
The user performing the configuration must be an Administrator for the process to complete successfully.
To enable and configure Intune:
In Nerdio Manager, navigate to Settings > Azure environment.
In the Intune (Unified Endpoint Management) tile, check the status.
Select the current status, either Disabled or Enabled, to manage the Intune settings.
Enter the following information:
Current Status: Toggle this option On to enable Intune. Toggle this option Off to disable Intune.
Configurable Features: Select all the desired configurable features and their related permissions.
Note: See UEM: Intune integration - granular permissions for a deep dive into the features and permissions.
Device Visibility Scope Limitations:
Device platform: From the drop-down list, select the device platforms.
Note: By default, only Windows devices are included. Device management can also include iOS/iPadOS and macOS devices.
Device type scope: Optionally, from the drop-down list, select the device type(s) to manage.
Note: By default, all Intune devices are included. Optionally, device management can be limited to AVD hosts, Windows 365 Cloud PCs, and/or physical devices.
Limit by Entra ID group: Optionally, from the drop-down list, select one or more Entra ID groups to restrict management to only those devices whose primary user is a member of a selected group.
Note: This option works in combination with the selected Device type scope.
Include devices that have no primary user: Select this option to include devices that have not been assigned a primary user.
Note: This option is limited by the selected Device type scope, but ignores any selected Limit by Entra ID group rules.
Once you have entered all the desired information, select Save.
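The scope settings above interact in a way that is easy to misread: the group limit only applies to devices that have a primary user, while unassigned devices are admitted by the separate checkbox and still filtered by platform and device type. The following PowerShell is an added illustration of those documented rules run over a constructed device inventory; it is not Nerdio Manager's code, and the property names (Platform, DeviceType, PrimaryUser, PrimaryUserGroups) are assumptions of this model rather than Intune or Nerdio data fields.

```powershell
# Added example, not Nerdio's code: a model of how the Device Visibility Scope
# settings combine, run against a constructed device list. Property names
# (Platform, DeviceType, PrimaryUser, PrimaryUserGroups) are assumptions of
# this model, not Nerdio Manager or Intune data fields.
function Get-InScopeDevice {
    param(
        [Parameter(Mandatory)][object[]]$Devices,
        [string[]]$Platforms   = @('Windows'),   # default: Windows only
        [string[]]$DeviceTypes = @(),            # empty = all Intune device types
        [string[]]$EntraGroups = @(),            # empty = no Entra ID group limit
        [switch]$IncludeNoPrimaryUser
    )
    foreach ($d in $Devices) {
        # Platform and device type scope apply to every device
        if ($Platforms -notcontains $d.Platform) { continue }
        if ($DeviceTypes.Count -gt 0 -and $DeviceTypes -notcontains $d.DeviceType) { continue }

        if (-not $d.PrimaryUser) {
            # No primary user: governed only by the device type scope above;
            # the Entra ID group limit is not applied to these devices.
            if ($IncludeNoPrimaryUser) { $d }
            continue
        }

        # Entra ID group limit: keep the device only if its primary user is in a selected group
        if ($EntraGroups.Count -gt 0) {
            $inGroup = @($d.PrimaryUserGroups | Where-Object { $EntraGroups -contains $_ })
            if ($inGroup.Count -eq 0) { continue }
        }
        $d
    }
}

# Constructed sample inventory (not real tenant data)
$devices = @(
    [pscustomobject]@{ Name='avd-host-01'; Platform='Windows'; DeviceType='AVD host'; PrimaryUser=$null;   PrimaryUserGroups=@() }
    [pscustomobject]@{ Name='cpc-alice';   Platform='Windows'; DeviceType='Cloud PC'; PrimaryUser='alice'; PrimaryUserGroups=@('CloudPC-Users') }
    [pscustomobject]@{ Name='lt-bob';      Platform='Windows'; DeviceType='Physical'; PrimaryUser='bob';   PrimaryUserGroups=@('Helpdesk') }
    [pscustomobject]@{ Name='mac-carol';   Platform='macOS';   DeviceType='Physical'; PrimaryUser='carol'; PrimaryUserGroups=@('Helpdesk') }
    [pscustomobject]@{ Name='kiosk-01';    Platform='Windows'; DeviceType='Physical'; PrimaryUser=$null;   PrimaryUserGroups=@() }
)

# Physical devices only, limited to the Helpdesk group, with unassigned devices included
Get-InScopeDevice -Devices $devices -DeviceTypes 'Physical' -EntraGroups 'Helpdesk' -IncludeNoPrimaryUser |
    Select-Object Name, DeviceType, PrimaryUser
```

With those settings the model keeps lt-bob (primary user in Helpdesk) and kiosk-01 (no primary user, so the group limit is skipped), drops cpc-alice and avd-host-01 on device type, and drops mac-carol because the platform list defaults to Windows. The practical consequence for least privilege is that ticking "Include devices that have no primary user" can widen the set of devices Nerdio Manager operators can act on well beyond the selected group; narrow the device type scope first if that is not intended.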
Link an Intune service account
The Intune integration has two modes: Application context only and Application & user context. By default, the feature operates in Application context only mode, which supports the majority of features. Some operations that require a signed-in user, such as viewing BitLocker recovery keys, can only be performed in Application & user context mode and are therefore unavailable by default. The BitLocker permissions listed under Intune management permissions below are delegated permissions, which Microsoft Graph only exercises on behalf of a signed-in user; that is why a linked account is required.
Optionally, you may link an Intune service account that has been granted the Intune Administrator role in Entra ID to switch to Application & user context mode.
Tip: It is recommended that Application & user context mode be enabled.
To link an Intune service account:
Navigate to Settings.
Select from the following:
Classic UI: Select Integrations, and from the Intune tile, select Link Intune service account.
New UI: Select Environment, and then select the Integrations tab. Navigate to the Intune section, select the down arrow to expand the section, and then select Link Intune Service Account.
In the Link User Account dialog box, select Login to be redirected to a login page.
Log in as the user with an active Intune Administrator role that will be used for Intune.
Note: This user must have at least one role assignment in Nerdio Manager RBAC. See Role-based Access Control (RBAC) in Nerdio Manager for details.
Intune management permissions
The following Microsoft Graph permissions will be added for the Nerdio Manager application, if not already in place. Application permissions apply without a signed-in user; the delegated permissions are only exercised through the linked service account:
BitlockerKey.Read.All (delegated)
BitlockerKey.ReadBasic.All (delegated)
CloudPC.ReadWrite.All (application)
Device.Read.All (application)
DeviceManagementApps.ReadWrite.All (application)
DeviceManagementConfiguration.ReadWrite.All (application)
DeviceManagementManagedDevices.PrivilegedOperations.All (application)
DeviceManagementManagedDevices.ReadWrite.All (application)
DeviceManagementRBAC.ReadWrite.All (application)
DeviceManagementServiceConfig.ReadWrite.All (application)
Group.ReadWrite.All (application)
GroupMember.ReadWrite.All (application)
Policy.Read.All (application)
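Several of these application permissions are tenant-wide and high impact (Group.ReadWrite.All, GroupMember.ReadWrite.All and DeviceManagementRBAC.ReadWrite.All in particular), so it is worth verifying what was actually consented to rather than trusting the list. The following PowerShell is an added example, not Nerdio's code: it reads the app role assignments and OAuth2 permission grants of the Nerdio Manager service principal through the Microsoft Graph PowerShell SDK and diffs them against the list above. It assumes the Microsoft.Graph module is installed and that $AppDisplayName matches the display name of the Nerdio Manager enterprise application in your tenant; adjust it if yours differs.

```powershell
# Added example, not Nerdio's code: audit the Microsoft Graph permissions actually
# granted to the Nerdio Manager enterprise application and diff them against the
# documented list. Assumptions: Microsoft.Graph PowerShell SDK installed;
# $AppDisplayName is the service principal's display name in your tenant.
param([string]$AppDisplayName = 'Nerdio Manager')  # assumed name; adjust

Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' -NoWelcome

# Permissions the documentation says the integration adds
$expectedApplication = @(
    'CloudPC.ReadWrite.All', 'Device.Read.All', 'DeviceManagementApps.ReadWrite.All',
    'DeviceManagementConfiguration.ReadWrite.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All',
    'DeviceManagementManagedDevices.ReadWrite.All', 'DeviceManagementRBAC.ReadWrite.All',
    'DeviceManagementServiceConfig.ReadWrite.All', 'Group.ReadWrite.All',
    'GroupMember.ReadWrite.All', 'Policy.Read.All'
)
$expectedDelegated = @('BitlockerKey.Read.All', 'BitlockerKey.ReadBasic.All')

# Microsoft Graph's own service principal; its appId is the same in every tenant
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Service principal '$AppDisplayName' not found in this tenant" }

# Application permissions are app role assignments on the Graph service principal;
# map the assigned role ids back to their permission names.
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[$role.Id] = $role.Value }
$grantedApplication = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { $roleName[$_.AppRoleId] }

# Delegated permissions are OAuth2 permission grants; Scope is a space-separated string
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }
$grantedDelegated = $grants | ForEach-Object { $_.Scope -split ' ' } |
    Where-Object { $_ } | Sort-Object -Unique

function Show-Diff([string]$Kind, [string[]]$Expected, [string[]]$Granted) {
    $missing = $Expected | Where-Object { $Granted -notcontains $_ }
    $extra   = $Granted  | Where-Object { $Expected -notcontains $_ }
    "$Kind permissions: $($Granted.Count) granted"
    if ($missing) { "  missing (dependent features will fail): $($missing -join ', ')" }
    if ($extra)   { "  not on the documented list (review): $($extra -join ', ')" }
}

Show-Diff 'Application' $expectedApplication $grantedApplication
Show-Diff 'Delegated'   $expectedDelegated   $grantedDelegated

# Delegated grants only take effect once a service account is linked; show who consented
foreach ($g in $grants) {
    $who = if ($g.ConsentType -eq 'AllPrincipals') { 'all users (admin consent)' } else { "user $($g.PrincipalId)" }
    "  delegated grant ($($g.Scope)) for $who"
}
```

Run it after enabling the integration and again after linking the service account: the first run should show the application permissions and no delegated grants, the second should show the two BitlockerKey scopes granted either to the linked user's principal or, if an administrator consented on behalf of the organization, to all principals. Anything in the "not on the documented list" line deserves a ticket, since it was not added by this feature.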
Enable Windows update for business reports
Nerdio Manager allows you to integrate Windows Update for Business (WUfB) reports.
To enable WUfB reports:
In the Azure portal, manually create a Log Analytics Workspace (LAW) and enable the WUfB reports workbook.
Notes:
See this Microsoft article for detailed instructions.
Enabling the reports can take up to 24 hours.
Optionally, you may want to create the update rings from the Intune portal. (Nerdio Manager will provide this capability from within the application in a future release.)
In Nerdio Manager, navigate to Settings > Azure environment.
In the Intune (Unified Endpoint Management) tile, locate the Windows Update for Business reports parameter and select its Disabled status.
Enter the following information:
Windows update for business reports: Toggle this option On.
Log Analytics Workspace: From the drop-down list, select an existing LAW to use. Alternatively, type the name of a new LAW to create and use.
Select one of the following:
Automatically assign the Intune policy to enable WUfB Reports on all managed endpoints: Select this option to have Nerdio Manager assign the policy to all managed endpoints.
Use an existing configuration profile: Select this option to use an existing configuration profile.
I'll enable WUfB Reports on endpoints myself: Select this option to assign the policy to the endpoints yourself.
Note: WUfB Reports can be enabled manually, by script, or by deploying an Intune policy. See this Microsoft article for detailed information.
Once you have entered all the desired information, select Save.
Windows Update for Business reports are now enabled.
Configure automatic policy and profile backups
Nerdio Manager allows you to configure automatic policy and profile backups. This ensures a backup of a policy or profile is taken whenever it is edited, either in the Nerdio console or from the native Intune console. See UEM: Policies and profiles backup management for details.
Enable Intune insights and configure thresholds
Nerdio Manager Intune insights is a comprehensive endpoint analytics tool that provides data-driven insights, allowing you to proactively address device performance issues, improve user experience, and optimize device configurations. For details, see Insights: Intune.
To use Intune insights:
Enable Intune insights in your environment.
Configure Intune insights thresholds to be able to:
Define acceptable performance levels: Set limits for key metrics (e.g., compliance status, patch status, app health) to quickly identify devices that fall below your standards.
Enable proactive monitoring: Get alerted when issues arise before they escalate.
Improve visibility: Highlight problem areas in dashboards using red, amber, or green (RAG) status indicators, making it easier to assess overall device health at a glance.
Optimize remediation efforts: Prioritize troubleshooting based on severity, ensuring critical issues receive attention first.
Classic UI: To enable Intune insights:
In Nerdio Manager, navigate to Settings > Integrations.
In the Intune tile, next to Intune Insights, select the current Disabled status.
In the Enable Intune insights dialog box, select Enable.
You can now configure thresholds for your Intune insights.
New UI: To enable Intune insights:
In Nerdio Manager, navigate to Settings > Environment, and then select the Integrations tab.
In the Intune section, select the down arrow to expand the section, and scroll down to Intune Insights.
Select the toggle to enable Intune Insights.
You can now configure thresholds for your Intune insights.
To configure Intune insights thresholds:
Select from the following:
Classic UI: Navigate to Settings > Integrations, and in the Intune tile, next to Intune Insights, select the cog icon.
New UI: Navigate to Settings > Environment, select the Integrations tab, and in the Intune section, select the down arrow to expand the section, and scroll down to Intune Insights. Select the cog icon.
In the Intune insights thresholds dialog box, define thresholds for the following aspects:
Tenant: Missing security patch or unsupported OS
Tenant: Intune certificate thresholds (for example, Apple VPP, Enrollment, and Push)
Compliance policies
Configuration profiles
Managed apps
Select Save.
Manage Intune Insights
Nerdio Manager allows you to view the status of Intune insights and to perform a manual synchronization.
To view Intune insights status:
Select from the following:
Classic UI: Navigate to Settings > Integrations, and in the Intune tile, next to Intune Insights, select the status icon.
New UI: Navigate to Settings > Environment, select the Integrations tab, and in the Intune section, select the down arrow to expand the section, and scroll down to Intune Insights. Select the status icon.
The Intune insights status is displayed.
Select the status icon again to close the dialog box.
To synchronize Intune insights:
Select from the following:
Classic UI: Navigate to Settings > Integrations, and in the Intune tile, next to Intune Insights, select the status sync link.
New UI: Navigate to Settings > Environment, select the Integrations tab, and in the Intune section, select the down arrow to expand the section, and scroll down to Intune Insights. Select the sync icon.
In the Intune Insights Sync dialog box, select Sync.
Additional information
For Active Directory Domain Services (ADDS) and Entra Domain Services scenarios, the ADDS service account must be configured with local administrative permissions for the devices in scope. To enable the domain service account feature in the product, please add the app service setting Features:UamServiceAccounts. For more details on this setting, see Advanced App Service configurations.
Limitations:
Service accounts do not support Entra ID Join scenarios. This setting is bypassed in Entra ID Joined deployments.
Service accounts must be excluded from multi-factor authentication policies. To compensate for that exclusion, it is recommended that a Conditional Access policy restricts the account to trusted network locations only.