1.8 Microsoft Intune

60–90 minutes · Module 1 · Free

Intune is a unified endpoint management (UEM) platform for Windows, macOS, iOS, Android, and Linux. It is not a security tool in the traditional sense, but device compliance state is a critical security signal consumed by conditional access and Defender for Endpoint. If conditional access is the gate, Intune is what determines whether a device is allowed through.

The conditional access partner

The conditional access policy "require compliant device" is one of the most effective security controls available. Intune is what defines and enforces compliance. Without Intune, conditional access cannot assess device state.

Device Enrolment. Onboards devices into management. Corporate-owned devices can be fully managed. Personal devices can use app-level management (MAM) without full device control — important for BYOD environments where employees resist full MDM.

Compliance Policies. Define what constitutes a compliant device: OS version, encryption enabled, PIN or password required, Defender for Endpoint onboarded, no jailbreak or root. The resulting compliance state is what conditional access reads when it evaluates a “require compliant device” policy, which is why that single policy carries so much weight.

Configuration Profiles. Push security configurations to devices: BitLocker encryption, Windows Firewall rules, ASR rules, Credential Guard, screen lock timeout. These profiles enforce the baseline security configuration that the organisation requires.

Application Management. Control which apps are installed, enforce app protection policies on managed apps (prevent copy and paste to personal apps, require encryption), and manage app deployment.

Remote Actions. Wipe, retire, restart, lock, rotate BitLocker keys, collect diagnostics. Used during incident response to contain compromised devices.

Endpoint Security Policies. Centralised management of Defender for Endpoint settings, ASR rules, disk encryption, firewall, and account protection — configurable from the Intune admin centre.

How it connects

Device compliance state feeds into Entra ID conditional access. Defender for Endpoint onboarding can be managed through Intune. Remote wipe and lock actions are used during IR containment. Device configuration profiles enforce ASR rules managed by Defender for Endpoint. Device inventory and health data are available in Defender XDR device pages.
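As an added example, not part of this course or of Intune itself, a small Python triage script of the kind a practitioner might run over an export of Intune's device inventory: the records use the Microsoft Graph managedDevice property names but are constructed, and the minimum OS versions, the 30-day check-in window and the reference date are assumptions standing in for an organisation's own compliance policy. It lists, per device, why a "require compliant device" grant would fail, including the easily missed case of a device whose last check-in is so old that its compliance state can no longer be trusted.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample records in the shape of Microsoft Graph managedDevice
# objects (property names are real; every value here is made up).
SAMPLE_DEVICES = [
    {"deviceName": "LAPTOP-01", "operatingSystem": "Windows", "osVersion": "10.0.22631.3447",
     "isEncrypted": True, "jailBroken": "Unknown", "complianceState": "compliant",
     "lastSyncDateTime": "2024-05-01T08:00:00Z"},
    {"deviceName": "LAPTOP-02", "operatingSystem": "Windows", "osVersion": "10.0.19044.1288",
     "isEncrypted": False, "jailBroken": "Unknown", "complianceState": "noncompliant",
     "lastSyncDateTime": "2024-04-30T12:00:00Z"},
    {"deviceName": "PHONE-07", "operatingSystem": "iOS", "osVersion": "16.2",
     "isEncrypted": True, "jailBroken": "True", "complianceState": "noncompliant",
     "lastSyncDateTime": "2024-04-29T09:30:00Z"},
    {"deviceName": "LAPTOP-03", "operatingSystem": "Windows", "osVersion": "10.0.22631.3447",
     "isEncrypted": True, "jailBroken": "Unknown", "complianceState": "compliant",
     "lastSyncDateTime": "2024-03-15T08:00:00Z"},   # has not checked in for weeks
]
# Assumed baseline: minimum OS per platform and the check-in window the policy requires.
MIN_OS = {"Windows": "10.0.22621", "iOS": "17.0"}
STALE_AFTER = timedelta(days=30)
REFERENCE_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)  # fixed "now" for the sample

def version_below(actual, minimum):
    a = tuple(int(p) for p in actual.split("."))
    m = tuple(int(p) for p in minimum.split("."))
    return a[:len(m)] < m  # compare only as many components as the minimum specifies

def review_device(dev, now=REFERENCE_NOW):
    """Return the reasons this device would fail a 'require compliant device' gate."""
    reasons = []
    if dev["complianceState"] != "compliant":
        reasons.append("intune:" + dev["complianceState"])   # what conditional access sees
    if not dev["isEncrypted"]:
        reasons.append("disk not encrypted")
    if dev["jailBroken"] == "True":
        reasons.append("jailbroken/rooted")
    minimum = MIN_OS.get(dev["operatingSystem"])
    if minimum and version_below(dev["osVersion"], minimum):
        reasons.append(f"os {dev['osVersion']} below {minimum}")
    last_sync = datetime.fromisoformat(dev["lastSyncDateTime"].replace("Z", "+00:00"))
    if now - last_sync > STALE_AFTER:
        reasons.append("stale check-in: compliance state may be out of date")
    return reasons

def compliance_report(devices=SAMPLE_DEVICES, now=REFERENCE_NOW):
    """Map deviceName -> reasons for every device with at least one finding."""
    return {d["deviceName"]: r for d in devices if (r := review_device(d, now))}
if __name__ == "__main__":
    for name, reasons in compliance_report().items():
        print(name, "->", "; ".join(reasons))
```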

Key takeaways

  • Intune is not a security tool per se, but device compliance is a critical security signal
  • Compliance policies define what a "secure device" looks like — conditional access enforces it
  • Remote wipe and lock are containment actions used during incident response
  • Defender for Endpoint onboarding is managed through Intune

Licensing

Intune P1 provides core device management, compliance, and configuration (included in M365 E3 and Business Premium). Intune P2 and the Intune Suite add advanced endpoint analytics, remote help, privilege management, and firmware management (available as add-ons).

Check your understanding

1. A conditional access policy requires a "compliant device." Where is device compliance defined and enforced?

  • In the Defender portal
  • In Intune compliance policies
  • In Entra ID directly

2. During an active incident, you need to cut a compromised laptop's network access while keeping the management channel alive. Which action do you use?

  • Intune remote wipe
  • Disable the user account in Entra ID
  • Defender for Endpoint device isolation