Unified Endpoint Management: Enable and Configure Intune

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Using Microsoft Intune, you can manage your organization's devices: mobiles, laptops, tablets, Cloud PCs, and Azure Virtual Desktops.

This feature allows for the management of Intune-enrolled endpoints, including AVD hosts, Windows 365 Cloud PCs, and physical devices.

Enable and Configure Intune

Intune must be enabled and configured before it can be used in Nerdio Manager.

Notes:

  • Intune integration can be limited by device type or AAD user group.

  • An Intune license must be present in the Entra ID tenant where Nerdio Manager is installed.

  • If Cloud PC is selected, a Windows 365 license must be present in the Entra ID tenant where Nerdio Manager is installed.

  • The user must be an Administrator in order for the process to complete successfully.

To enable and configure Intune:

  1. Navigate to Settings > Azure environment.

  2. In the Intune (Unified Endpoint Management) tile, check the status.

  3. Select the current status, either Disabled or Enabled, to manage the Intune settings.

  4. Enter the following information:

    • Current Status: Toggle this option On to enable Intune. Toggle this option Off to disable Intune.

    • Configurable Features: Select all the desired configurable features and their related permissions.

      Note: See Unified Endpoint Management: Intune Integration - Granular Permissions for a deep dive into the features and permissions.

    • Device Visibility Scope Limitations

      • Device platform: From the drop-down list, select the device platforms.

        Note: By default, only Windows devices are included. Device management can also include Android, iOS/iPadOS, and macOS devices.

      • Device type scope: Optionally, from the drop-down list, select the device type(s) to manage.

        Note: By default, all Intune devices are included. Optionally, device management can be limited to AVD hosts, Windows 365 Cloud PC, and/or physical devices.

      • Limit by Entra ID group: Optionally, from the drop-down list, select one or more Entra ID groups to restrict management to include only devices for the users defined within the selected groups.

        Note: This option works in combination with the selected Device type scope.

      • Include devices that have no primary user: Select this option to include any devices that have not been assigned to a user.

        Note: This option is limited by the selected Device type scope, but ignores any selected Limit by Entra ID group rules.

  5. Once you have entered all the desired information, select Save.
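The Device Visibility Scope Limitations above combine in a specific order: platform first, then device type, then the Entra ID group rule, with the no-primary-user option bypassing only the group rule. The following is an added example (not Nerdio's own code) that models those rules over a constructed device inventory; the field names, the device type labels, and the assumption that a user-less device is visible when no group limit is set are all mine, not taken from the product.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Device:
    name: str
    platform: str                   # "Windows", "Android", "iOS/iPadOS" or "macOS"
    device_type: str                # "AVD host", "Windows 365 Cloud PC" or "Physical"
    primary_user: Optional[str]     # None when no primary user is assigned
    user_groups: FrozenSet[str] = frozenset()  # Entra ID groups of the primary user

@dataclass(frozen=True)
class Scope:
    platforms: FrozenSet[str] = frozenset({"Windows"})  # page default: Windows only
    device_types: Optional[FrozenSet[str]] = None       # None: all Intune devices
    entra_groups: Optional[FrozenSet[str]] = None       # None: no group limit
    include_no_primary_user: bool = False

def in_scope(d: Device, s: Scope) -> bool:
    """True when the device is visible under the scope settings."""
    if d.platform not in s.platforms:
        return False
    # Device type scope applies to every device, including user-less ones.
    if s.device_types is not None and d.device_type not in s.device_types:
        return False
    if d.primary_user is None:
        # A user-less device cannot match a group. The checkbox includes it anyway
        # (ignoring the group rule); with no group limit set it is assumed visible.
        return s.include_no_primary_user or s.entra_groups is None
    if s.entra_groups is not None and not (d.user_groups & s.entra_groups):
        return False
    return True

def visible(devices, scope) -> list:
    return [d.name for d in devices if in_scope(d, scope)]

# Constructed sample inventory (names, users and groups are made up).
SAMPLE = [
    Device("avd-01", "Windows", "AVD host", "alice", frozenset({"Helpdesk"})),
    Device("cpc-01", "Windows", "Windows 365 Cloud PC", "bob", frozenset({"Finance"})),
    Device("lap-01", "Windows", "Physical", None),
    Device("ipad-01", "iOS/iPadOS", "Physical", "alice", frozenset({"Helpdesk"})),
    Device("mac-01", "macOS", "Physical", None),
]

if __name__ == "__main__":
    print(visible(SAMPLE, Scope()))
    print(visible(SAMPLE, Scope(platforms=frozenset({"Windows", "iOS/iPadOS"}),
                                entra_groups=frozenset({"Helpdesk"}))))
```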

Link an Intune Service Account

Intune (Unified Endpoint Management) has the following modes: Application context only and Application & user context. By default, this feature operates using the Application context only mode. The majority of features are supported in this mode. However, some operations that can only be performed in Application & user context mode, such as viewing BitLocker keys, are not available.

Optionally, you may link an Intune service account that has been granted Intune Administrator permissions in AAD to change to Application & user context mode.

Tip: It is recommended that Application & user context mode be enabled.

To link an Intune service account:

  1. Navigate to Settings > Azure environment.

  2. In the Intune (Unified Endpoint Management) tile, select Link Intune service account.

  3. Select Login to be redirected to a login page.

  4. Log in as a user with an active Intune Administrator role to be used for Intune.

    Note: This user must have a role assignment in the Nerdio Manager RBAC roles. See Role-based Access Control (RBAC) in Nerdio Manager for details.

Intune Management Permissions

The following permissions will be added for the Nerdio Manager application, if not already in place:

  • BitlockerKey.Read.All (delegated)

  • BitlockerKey.ReadBasic.All (delegated)

  • CloudPC.ReadWrite.All (application)

  • Device.Read.All (application)

  • DeviceManagementApps.ReadWrite.All (application)

  • DeviceManagementConfiguration.ReadWrite.All (application)

  • DeviceManagementManagedDevices.PrivilegedOperations.All (application)

  • DeviceManagementManagedDevices.ReadWrite.All (application)

  • DeviceManagementRBAC.ReadWrite.All (application)

  • DeviceManagementServiceConfig.ReadWrite.All (application)

  • Group.ReadWrite.All (application)

  • GroupMember.ReadWrite.All (application)

  • Policy.Read.All (application)
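Because several of these are write and privileged-operation permissions, it is worth periodically checking that the Nerdio Manager service principal holds exactly this set and nothing more. The following is an added example (not Nerdio's own code) that compares the list above against grant objects in the shape Microsoft Graph returns: appRoleAssignments resolved through the Graph service principal's appRoles for application permissions, and oauth2PermissionGrants (a space-separated scope string) for delegated ones. The GUIDs and the granted set are constructed placeholders, not real identifiers.

```python
EXPECTED = {
    ("BitlockerKey.Read.All", "delegated"),
    ("BitlockerKey.ReadBasic.All", "delegated"),
    ("CloudPC.ReadWrite.All", "application"),
    ("Device.Read.All", "application"),
    ("DeviceManagementApps.ReadWrite.All", "application"),
    ("DeviceManagementConfiguration.ReadWrite.All", "application"),
    ("DeviceManagementManagedDevices.PrivilegedOperations.All", "application"),
    ("DeviceManagementManagedDevices.ReadWrite.All", "application"),
    ("DeviceManagementRBAC.ReadWrite.All", "application"),
    ("DeviceManagementServiceConfig.ReadWrite.All", "application"),
    ("Group.ReadWrite.All", "application"),
    ("GroupMember.ReadWrite.All", "application"),
    ("Policy.Read.All", "application"),
}

def granted(app_role_assignments, graph_app_roles, oauth2_grants):
    """Resolve raw Graph grant objects to (permission, kind) pairs.
    app_role_assignments: [{"appRoleId": guid}] on the app's service principal
    graph_app_roles: {guid: value} from the Microsoft Graph service principal's appRoles
    oauth2_grants: [{"scope": "A B C"}] delegated grants for the app
    """
    result = set()
    for a in app_role_assignments:
        value = graph_app_roles.get(a["appRoleId"])
        if value:  # roles granted on resources other than Graph are ignored
            result.add((value, "application"))
    for g in oauth2_grants:
        for scope in g.get("scope", "").split():
            result.add((scope, "delegated"))
    return result

def audit(granted_set, expected=EXPECTED):
    """Return (missing, unexpected) so both under- and over-privilege show up."""
    return sorted(expected - granted_set), sorted(granted_set - expected)

# Constructed sample: GUIDs are placeholders, not real Microsoft Graph appRole ids.
GRAPH_APP_ROLES = {
    "00000000-0000-0000-0000-000000000001": "Device.Read.All",
    "00000000-0000-0000-0000-000000000002": "Policy.Read.All",
    "00000000-0000-0000-0000-000000000003": "Directory.ReadWrite.All",
}
ASSIGNMENTS = [{"appRoleId": k} for k in GRAPH_APP_ROLES]   # all three granted
GRANTS = [{"scope": "BitlockerKey.Read.All User.Read"}]

def sample_audit():
    return audit(granted(ASSIGNMENTS, GRAPH_APP_ROLES, GRANTS))

if __name__ == "__main__":
    missing, unexpected = sample_audit()
    print("missing:", missing)
    print("unexpected:", unexpected)
```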

Enable Windows Update for Business Reports

Nerdio Manager allows you to integrate Windows Update for Business (WUfB) reports.

To enable WUfB reports:

  1. In the Azure portal, manually create a Log Analytics Workspace (LAW) and enable the WUfB reports workbook.

    Notes:

    • See this Microsoft article for detailed instructions.

    • This could take up to 24 hours to be enabled.

  2. Optionally, you may want to create the update rings from the Intune portal. (Nerdio Manager will provide this capability from within the application in a future release.)

  3. In Nerdio Manager, navigate to Settings > Azure environment.

  4. In the Intune (Unified Endpoint Management) tile, locate the Windows Update for Business reports parameter and select Disabled.

  5. Enter the following information:

    • Windows update for business reports: Toggle on this option.

    • Log Analytics Workspace: From the drop-down list, select an existing LAW to use. Alternatively, type the name of a new LAW to create and use.

    • Select one of the following:

      • Automatically assign the Intune policy to enable WUfB Reports on all managed endpoints: Select this option to assign this policy to all endpoints.

      • Use an existing configuration profile: Select this option to use an existing configuration profile.

      • I'll enable WUfB Reports on endpoint myself: Select this option to assign the policy to the endpoints yourself.

        Note: WUfB Reports can be enabled manually, by script, or by deploying an Intune policy. See this Microsoft article for detailed information.

  6. Once you have entered all the desired information, select Save.

    Windows Update for Business reports are now enabled.

Configure Automatic Policy and Profile Backups

Nerdio Manager allows you to configure automatic policy and profile backups. This ensures a backup of a policy or profile is taken whenever it is edited, either in the Nerdio console or from the native Intune console. See Unified Endpoint Management: Policies and Profiles Backup Management for details.

Additional Information

For Active Directory Domain Services (ADDS) and Entra Domain Services scenarios, the ADDS service account must be configured with local administrative permissions for the devices in scope. To enable the domain service account feature in the product, please add the app service setting Features:UamServiceAccounts. For more details on this setting, see Advanced App Service Configurations.

Limitations:

  • Service accounts do not support Entra ID Join scenarios. This setting is bypassed in Entra ID Joined deployments.

  • Service accounts must be excluded from multi-factor authentication policies. However, it is recommended that a conditional access policy is applied to the account to allow use on trusted networks only.

Related Topics

Unified Endpoint Management: Manage Devices
