Unified Endpoint Management: Enable and Configure Intune


Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). Using Microsoft Intune, you can manage your organization's devices: mobiles, laptops, tablets, Cloud PCs, and Azure Virtual Desktops.

This feature allows for the management of Intune-enrolled endpoints, including AVD hosts, Windows 365 Cloud PCs, and physical devices.

Enable and Configure Intune

Intune must be enabled and configured before it can be used in Nerdio Manager.

Note: Intune integration can be limited by device type or AAD user group.

To enable and configure Intune:

  1. Navigate to Settings > Azure environment.

  2. In the Intune (Unified Endpoint Management) tile, check the status.

  3. Select the current status, either Disabled or Enabled, to manage the Intune settings.

  4. Enter the following information:

    • Current Status: Toggle this option On to enable Intune. Toggle this option Off to disable Intune.

    • Configurable Features: Select all the desired configurable features and their related permissions.

      Note: See Unified Endpoint Management: Intune Integration - Granular Permissions for a deep dive into the features and permissions.

    • Device Visibility Scope Limitations

      • Device type scope: Optionally, from the drop-down list, select the device type(s) to manage.

        Note: By default, all Intune devices are included. Optionally, device management can be limited to AVD hosts, Windows 365 Cloud PC, and/or physical devices.

      • Limit by Entra ID group: Optionally, from the drop-down list, select one or more Entra ID groups to restrict management to include only devices for the users defined within the selected groups.

        Note: This option works in combination with the selected Device type scope.

      • Include devices that have no primary user: Select this option to include any devices that have not been assigned to a user.

        Note: This option is limited by the selected Device type scope, but ignores any selected Limit by Entra ID group rules.

  5. Once you have entered all the desired information, select Save.
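The three scope settings above interact in a specific way: the device type scope restricts everything, the Entra ID group limit is applied in combination with it, and the "no primary user" option is still bound by the device type scope but ignores the group limit. The following is an added example (not Nerdio Manager code) that models those rules over a constructed set of device records, so you can reason about which devices become manageable under a given configuration. Device names, type labels, user names and group memberships are all constructed; it also assumes that devices without a primary user are shown only when that option is selected.

```python
"""Device visibility scope evaluation (added example, not Nerdio Manager code).

Rules modelled, as described in the article:
  1. Device type scope limits every other rule (empty = all device types).
  2. Limit by Entra ID group keeps only devices whose primary user belongs to
     one of the selected groups, combined with rule 1.
  3. Include devices that have no primary user is limited by rule 1 but
     ignores rule 2.
Assumption: a device with no primary user is visible only when option 3 is on.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Device:
    name: str
    device_type: str             # constructed labels: "avd_host", "cloud_pc", "physical"
    primary_user: Optional[str]  # None when Intune records no primary user


@dataclass
class ScopeSettings:
    device_types: set = field(default_factory=set)  # empty = all device types (default)
    entra_groups: set = field(default_factory=set)  # empty = no group limit
    include_no_primary_user: bool = False


def in_scope(device, settings, group_members):
    """Return True if the device is visible under the configured scope.

    group_members maps an Entra ID group name to a set of user principal names
    (constructed here; in a tenant this would come from Microsoft Graph).
    """
    # Rule 1: the device type scope applies to every branch below.
    if settings.device_types and device.device_type not in settings.device_types:
        return False
    # Rule 3: no primary user -> only the explicit option includes it; group limit ignored.
    if device.primary_user is None:
        return settings.include_no_primary_user
    # Rule 2: with no group limit, every remaining device with a user is visible.
    if not settings.entra_groups:
        return True
    return any(device.primary_user in group_members.get(g, set())
               for g in settings.entra_groups)


def visible_devices(devices, settings, group_members):
    """Sorted names of the devices that fall inside the scope."""
    return sorted(d.name for d in devices if in_scope(d, settings, group_members))


# Constructed sample inventory and group membership.
DEVICES = [
    Device("AVD-HOST-01", "avd_host", None),
    Device("CPC-ALICE", "cloud_pc", "alice@contoso.example"),
    Device("LAPTOP-BOB", "physical", "bob@contoso.example"),
    Device("LAPTOP-CAROL", "physical", "carol@contoso.example"),
    Device("LAPTOP-SPARE", "physical", None),
]
GROUPS = {"Intune-Managed-Users": {"alice@contoso.example", "bob@contoso.example"}}

if __name__ == "__main__":
    cases = {
        "defaults": ScopeSettings(),
        "physical + group": ScopeSettings({"physical"}, {"Intune-Managed-Users"}),
        "physical + group + no-user": ScopeSettings({"physical"}, {"Intune-Managed-Users"}, True),
    }
    for label, cfg in cases.items():
        print(f"{label}: {visible_devices(DEVICES, cfg, GROUPS)}")
```

Note the last case: LAPTOP-SPARE appears even though it matches no group, because the no-primary-user option bypasses the group limit, while AVD-HOST-01 stays hidden because the device type scope still applies. When reviewing a tenant's scope, that is the combination most likely to surface more devices than expected.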

Link an Intune Service Account

Intune (Unified Endpoint Management) has two modes: Application context only and Application & user context. By default, this feature operates in Application context only mode, which supports the majority of features. However, some operations, such as viewing BitLocker keys, can only be performed in Application & user context mode and are not available otherwise.

Optionally, you may link an Intune service account that has been granted Intune Administrator permissions in AAD to change to Application & user context mode.

Tip: It is recommended that Application & user context mode be enabled.

To link an Intune service account:

  1. Navigate to Settings > Azure environment.

  2. In the Intune (Unified Endpoint Management) tile, select Link Intune service account.

  3. Select Login to be redirected to a login page.

  4. Log in as a user with an active Intune Administrator role to be used for Intune.

    Note: This user must hold a role assignment (any role) in Nerdio Manager RBAC. See Role-based Access Control (RBAC) in Nerdio Manager for details.

Intune Management Permissions

The following permissions will be added for the Nerdio Manager application, if not already in place:

  • BitlockerKey.Read.All (delegated)

  • BitlockerKey.ReadBasic.All (delegated)

  • CloudPC.ReadWrite.All (application)

  • Device.Read.All (application)

  • DeviceManagementApps.ReadWrite.All (application)

  • DeviceManagementConfiguration.ReadWrite.All (application)

  • DeviceManagementManagedDevices.PrivilegedOperations.All (application)

  • DeviceManagementManagedDevices.ReadWrite.All (application)

  • DeviceManagementRBAC.ReadWrite.All (application)

  • DeviceManagementServiceConfig.ReadWrite.All (application)

  • Group.ReadWrite.All (application)

  • GroupMember.ReadWrite.All (application)

  • Policy.Read.All (application)
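Because the list above is added to the Nerdio Manager application automatically, it is worth periodically checking that what is actually consented in the tenant still matches it: nothing documented is missing, nothing undocumented has crept in, and the two BitLocker permissions remain delegated rather than application permissions (the article ties BitLocker key access to user context). The following is an added example (not Nerdio Manager code) that performs that comparison over a constructed tenant snapshot; in a real tenant you would build the snapshot from the application's appRoleAssignments (resolving each appRoleId to its permission name) and from the scope string of its oauth2PermissionGrants.

```python
"""Audit consented Graph permissions against the documented baseline
(added example, not Nerdio Manager code). The baseline names are the ones
listed in the article; the tenant snapshot below is constructed."""
import json

EXPECTED_APPLICATION = {
    "CloudPC.ReadWrite.All",
    "Device.Read.All",
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.ReadWrite.All",
    "DeviceManagementManagedDevices.PrivilegedOperations.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementRBAC.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "Policy.Read.All",
}
EXPECTED_DELEGATED = {"BitlockerKey.Read.All", "BitlockerKey.ReadBasic.All"}


def is_write_capable(permission):
    """Heuristic from the permission name: ReadWrite or PrivilegedOperations grants changes."""
    return ".ReadWrite." in permission or ".PrivilegedOperations." in permission


def parse_snapshot(snapshot_json):
    """Constructed snapshot shape: application permissions already resolved to names,
    delegated permissions as the space-separated scope string Graph uses in
    oauth2PermissionGrant.scope."""
    data = json.loads(snapshot_json)
    application = set(data.get("applicationPermissions", []))
    delegated = set(data.get("delegatedScope", "").split())
    return application, delegated


def audit(granted_application, granted_delegated):
    """Compare granted permissions with the baseline; every value is a sorted list."""
    app, dlg = set(granted_application), set(granted_delegated)
    # Documented permission granted in the other context (e.g. BitLocker as application).
    context_mismatch = (app & EXPECTED_DELEGATED) | (dlg & EXPECTED_APPLICATION)
    documented = EXPECTED_APPLICATION | EXPECTED_DELEGATED
    unexpected_app = app - documented
    unexpected_dlg = dlg - documented
    return {
        "missing_application": sorted(EXPECTED_APPLICATION - app),
        "missing_delegated": sorted(EXPECTED_DELEGATED - dlg),
        "unexpected_application": sorted(unexpected_app),
        "unexpected_delegated": sorted(unexpected_dlg),
        "context_mismatch": sorted(context_mismatch),
        # Undocumented permissions that can change tenant state deserve the first look.
        "write_capable_unexpected": sorted(p for p in unexpected_app | unexpected_dlg
                                           if is_write_capable(p)),
    }


# Constructed snapshot: one documented permission missing, one extra write permission,
# and BitlockerKey.Read.All consented as an application permission instead of delegated.
SAMPLE_SNAPSHOT = json.dumps({
    "applicationPermissions": sorted(
        (EXPECTED_APPLICATION - {"Policy.Read.All"})
        | {"User.ReadWrite.All", "BitlockerKey.Read.All"}
    ),
    "delegatedScope": "BitlockerKey.ReadBasic.All",
})


def audit_sample():
    return audit(*parse_snapshot(SAMPLE_SNAPSHOT))


if __name__ == "__main__":
    for finding, items in audit_sample().items():
        print(f"{finding}: {items}")
```

A clean result has every list empty. Anything in write_capable_unexpected or context_mismatch is the finding to chase first, since it means the application can do more, or in a different context, than this page says it needs.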

Enable Windows Update for Business Reports

Nerdio Manager allows you to integrate Windows Update for Business (WUfB) reports.

To enable WUfB reports:

  1. In the Azure portal, manually create a Log Analytics Workspace (LAW) and enable the WUfB reports workbook.

    • See this Microsoft article for detailed instructions.

    • This could take up to 24 hours to be enabled.

  2. Optionally, you may want to create the update rings from the Intune Portal. (Nerdio Manager will provide this capability from within the application in a future release.)

  3. In Nerdio Manager, navigate to Settings > Azure environment.

  4. In the Intune (Unified Endpoint Management) tile, locate the Windows Update for Business reports parameter and select Disabled.

  5. Enter the following information:

    • Windows update for business reports: Toggle on this option.

    • Log Analytics Workspace: From the drop-down list, select an existing LAW to use. Alternatively, type the name of a new LAW to create and use.

    • Select one of the following:

      • Automatically assign the Intune policy to enable WUfB Reports on all managed endpoints: Select this option to assign this policy to all endpoints.

      • Use an existing configuration profile: Select this option to use an existing configuration profile.

      • I'll enable WUfB Reports on endpoints myself: Select this option to assign the policy to the endpoints yourself.

        Note: WUfB Reports can be enabled manually, by script, or by deploying an Intune policy. See this Microsoft article for detailed information.

  6. Once you have entered all the desired information, select Save.

    Windows Update for Business reports are now enabled.

Related Topics

Unified Endpoint Management: Manage Devices
