<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Device-Management on IT Made Simple</title><link>https://itmadesimple.co.nz/tags/device-management/</link><description>Recent content in Device-Management on IT Made Simple</description><generator>Hugo -- gohugo.io</generator><language>en</language><managingEditor>Thaddeus</managingEditor><webMaster>Thaddeus</webMaster><lastBuildDate>Tue, 23 Jun 2026 08:00:00 +1200</lastBuildDate><atom:link href="https://itmadesimple.co.nz/tags/device-management/index.xml" rel="self" type="application/rss+xml"/><item><title>Intune for Small Business: Managing Devices Without an IT Team</title><link>https://itmadesimple.co.nz/posts/intune-small-business/</link><pubDate>Tue, 23 Jun 2026 08:00:00 +1200</pubDate><author>Thaddeus</author><guid>https://itmadesimple.co.nz/posts/intune-small-business/</guid><description>You&amp;#39;re paying for Intune already if you have M365 Business Premium. Here&amp;#39;s how to actually use it to manage your computers without needing a dedicated IT person.</description><content:encoded><![CDATA[<p>If you&rsquo;re on M365 Business Premium, you&rsquo;re paying for Microsoft Intune every single month. And if you&rsquo;re not using it, you&rsquo;re leaving one of the most valuable tools in the M365 suite on the table.</p>
<p>Intune lets you manage every Windows computer in your business from a single web page. No server required. No on-site IT person required. Just a browser and a couple of hours to set it up.</p>
<p>I know what you&rsquo;re thinking: &ldquo;That sounds complicated.&rdquo; It&rsquo;s not. It&rsquo;s just unfamiliar. Let me walk you through it.</p>
<h3 id="what-intune-actually-does">What Intune Actually Does</h3>
<p>Think of Intune as a remote control for your computers. From the Intune admin centre, you can:</p>
<ul>
<li><strong>Enrol devices</strong> — connect them to your management system</li>
<li><strong>Push software</strong> — install applications automatically</li>
<li><strong>Enforce policies</strong> — require encryption, set password rules, control settings</li>
<li><strong>Manage updates</strong> — control when Windows Updates install (we covered this in <a href="https://itmadesimple.co.nz/posts/windows-updates-why-ignore/">a previous post</a>)</li>
<li><strong>Remote wipe</strong> — if a laptop gets stolen, erase it remotely</li>
<li><strong>See compliance</strong> — at a glance, which machines are up to date and which aren&rsquo;t</li>
</ul>
<p>For a small business without a dedicated IT person, this is transformative. Instead of walking around to each machine to check settings, you do it all from your desk.</p>
<h3 id="what-you-need">What You Need</h3>
<ul>
<li><strong>M365 Business Premium</strong> (includes Intune — ~NZ$36/user/month, excl. GST, annual billing)</li>
<li><strong>Windows 10/11 Pro</strong> on each device (Home edition doesn&rsquo;t support Intune enrolment)</li>
<li><strong>An Intune Administrator or Global Administrator</strong> role in M365</li>
<li><strong>About 2 hours</strong> for initial setup</li>
</ul>
<h3 id="step-1-enable-intune">Step 1: Enable Intune</h3>
<p>If you&rsquo;re on Business Premium, Intune is already included. You just need to start using it.</p>
<ol>
<li>Go to <a href="https://intune.microsoft.com">https://intune.microsoft.com</a></li>
<li>If it&rsquo;s your first time, it&rsquo;ll take a few minutes to provision</li>
<li>You&rsquo;ll see the admin dashboard — this is your new best friend</li>
</ol>
<h3 id="step-2-set-up-automatic-enrolment">Step 2: Set Up Automatic Enrolment</h3>
<p>This is the magic bit. Once configured, any user who signs into a Windows device with their M365 account automatically enrols it in Intune. No manual setup per machine.</p>
<ol>
<li>In Intune, go to <strong>Devices &gt; Enrolment</strong> (then the Windows tab)</li>
<li>Click <strong>Automatic Enrolment</strong></li>
<li>Set the scope to <strong>All</strong> (or a specific group if you want to test first)</li>
<li>Set the MDM user scope to <strong>All</strong></li>
</ol>
<p>That&rsquo;s it. From now on, when someone joins a Windows PC to your Entra ID and signs in, it enrols automatically. Note: the device must be Entra ID joined — simply signing into an app with a work account registers the device but doesn&rsquo;t fully enrol it for MDM.</p>
<h3 id="step-3-create-a-compliance-policy">Step 3: Create a Compliance Policy</h3>
<p>A compliance policy defines what &ldquo;healthy&rdquo; looks like for your devices. If a device doesn&rsquo;t meet the policy, it shows as non-compliant and you can restrict its access to company data.</p>
<ol>
<li>Go to <strong>Devices &gt; Compliance &gt; Policies &gt; + Create policy</strong></li>
<li>Choose <strong>Windows 10 and later</strong></li>
<li>Configure the basics:</li>
</ol>
<table>
	<thead>
			<tr>
					<th>Setting</th>
					<th>Recommended Value</th>
			</tr>
	</thead>
	<tbody>
			<tr>
					<td>Require BitLocker</td>
					<td>Yes</td>
			</tr>
			<tr>
					<td>Require Secure Boot</td>
					<td>Yes</td>
			</tr>
			<tr>
					<td>Require code integrity</td>
					<td>Yes</td>
			</tr>
			<tr>
					<td>Minimum OS version</td>
					<td>Your current version</td>
			</tr>
			<tr>
					<td>Password complexity</td>
					<td>Require digits and lowercase letters</td>
			</tr>
			<tr>
					<td>Password minimum length</td>
					<td>8</td>
			</tr>
			<tr>
					<td>Require antivirus</td>
					<td>Yes (Windows Defender)</td>
			</tr>
	</tbody>
</table>
<ol start="4">
<li>Click <strong>Create</strong></li>
</ol>
<p>Now any device that doesn&rsquo;t meet these requirements shows as non-compliant in your dashboard.</p>
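<p>An added example, not part of the original post: a PowerShell pre-flight check to run as administrator on a PC before the compliance policy is assigned. It covers the rows of the table above that can be checked locally, plus the Entra ID join state and the Pro edition requirement. The <code>$MinimumOsVersion</code> default is a placeholder to replace with the value in your own policy; the password and code integrity settings are not checked.</p>

```powershell
#Requires -RunAsAdministrator
# Added example: local pre-flight check against the compliance settings in this post.
# $MinimumOsVersion is a placeholder; use the version you entered in your own policy.
param([version]$MinimumOsVersion = '10.0.19045.0')

# dsregcmd /status prints "AzureAdJoined : YES|NO" and "WorkplaceJoined : YES|NO".
# Joined means full MDM enrolment is possible; WorkplaceJoined alone means registered only.
$dsreg      = dsregcmd /status | Out-String
$joined     = $dsreg -match '(?m)^\s*AzureAdJoined\s*:\s*YES'
$registered = $dsreg -match '(?m)^\s*WorkplaceJoined\s*:\s*YES'

# Edition and full build number (including the update revision) from the registry.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$version = [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
                     $cv.CurrentMinorVersionNumber, $cv.CurrentBuild, $cv.UBR)

# Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

$bitlocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
$defender  = Get-MpComputerStatus

$results = [ordered]@{
    'Edition is not Home'                     = $cv.EditionID -notlike 'Core*'
    'Entra ID joined'                         = $joined
    "OS version at least $MinimumOsVersion"   = $version -ge $MinimumOsVersion
    'BitLocker protection on (system drive)'  = $bitlocker.ProtectionStatus -eq 'On'
    'Secure Boot enabled'                     = $secureBoot
    'Defender antivirus and real-time active' = $defender.AntivirusEnabled -and
                                                $defender.RealTimeProtectionEnabled
}

$results.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } } |
    Format-Table -AutoSize

if ($registered -and -not $joined) {
    Write-Warning 'Device is Entra registered only; it will not fully enrol for MDM.'
}

# A non-zero exit code lets a wrapper script or checklist flag the machine.
if ($results.Values -contains $false) { exit 1 }
```

<p>Any row showing <code>False</code> is a setting the device would be reported non-compliant for, so fix it before the policy goes live.</p>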
<h3 id="step-4-deploy-your-first-app">Step 4: Deploy Your First App</h3>
<p>Let&rsquo;s install something. 7-Zip is a good test — it&rsquo;s free, small, and useful. It&rsquo;s available in the Microsoft Store, so this is the easy path:</p>
<ol>
<li>Go to <strong>Apps &gt; All apps &gt; Add</strong></li>
<li>Select <strong>Microsoft Store app (new)</strong></li>
<li>Search for &ldquo;7-Zip&rdquo;, select it</li>
<li>Assign to a group (start with a test group)</li>
<li>The app will install automatically on enrolled devices</li>
</ol>
<p>For apps that aren&rsquo;t in the Store, you&rsquo;ll need the Win32 wrapping method:</p>
<ol>
<li>Go to <strong>Apps &gt; All apps &gt; Add</strong></li>
<li>Select <strong>Windows app (Win32)</strong></li>
<li>Wrap the installer (.msi or .exe) into the .intunewin format using Microsoft&rsquo;s Win32 Content Prep Tool, then upload it</li>
<li>Set the install command and uninstall command</li>
<li>Assign to a group</li>
</ol>
<p>Yes, Win32 wrapping is the fiddliest part of Intune. Always check the Store first.</p>
<h3 id="step-5-set-up-a-configuration-profile">Step 5: Set Up a Configuration Profile</h3>
<p>Configuration profiles let you control device settings. Here are the ones I&rsquo;d set up first:</p>
<p><strong>Wi-Fi profile:</strong> Push your office Wi-Fi settings so devices connect automatically.</p>
<ol>
<li>Go to <strong>Devices &gt; Configuration profiles &gt; Create profile</strong></li>
<li>Platform: <strong>Windows 10 and later</strong></li>
<li>Profile type: <strong>Templates &gt; Wi-Fi</strong></li>
<li>Enter your SSID, security type, and password</li>
<li>Assign to your device group</li>
</ol>
<p><strong>BitLocker profile:</strong> Ensure all drives are encrypted.</p>
<ol>
<li>Go to <strong>Endpoint security &gt; Disk encryption &gt; Create policy</strong></li>
<li>Platform: <strong>Windows 10 and later</strong>, Profile: <strong>BitLocker</strong></li>
<li>Enable BitLocker, set encryption method</li>
<li>Assign to your device group</li>
</ol>
<blockquote>
<p><strong>Note:</strong> The older path <strong>Templates &gt; Endpoint protection</strong> still works, but Microsoft now steers toward Endpoint security &gt; Disk encryption.</p>
</blockquote>
<h3 id="what-this-looks-like-day-to-day">What This Looks Like Day-to-Day</h3>
<p>Once set up, your workflow is:</p>
<ol>
<li><strong>New employee starts</strong> — they get a Windows PC, sign in with their M365 account, and Intune automatically enrols it, installs your apps, and applies your policies. Done.</li>
<li><strong>Someone loses a laptop</strong> — you go to Intune, find the device, and click <strong>Wipe</strong>. You&rsquo;ll be prompted for a 6-digit Recovery PIN. The laptop is erased the next time it connects to the internet.</li>
<li><strong>A compliance issue pops up</strong> — you see it in the dashboard, and you know exactly which machine and what&rsquo;s wrong.</li>
<li><strong>You need to deploy new software</strong> — add it in Intune, assign it, and it installs automatically.</li>
</ol>
<p>No driving to the office after hours. No walking around to each machine. No &ldquo;I&rsquo;ll do it Monday.&rdquo;</p>
<h3 id="the-honest-limitations">The Honest Limitations</h3>
<p>Intune isn&rsquo;t perfect. A few things to know:</p>
<ul>
<li><strong>It needs internet connectivity.</strong> Devices check in with Intune periodically — they don&rsquo;t need to be online 24/7, but they do need to connect now and then to receive policies and report status.</li>
<li><strong>Mac and iOS management is possible</strong> but the experience isn&rsquo;t as polished as Windows.</li>
<li><strong>The reporting is basic.</strong> It tells you if something&rsquo;s compliant, but it won&rsquo;t give you deep diagnostics.</li>
<li><strong>There&rsquo;s a learning curve.</strong> The first few hours are confusing. It gets easier.</li>
<li><strong>Windows Home edition doesn&rsquo;t work.</strong> You need Pro. If you&rsquo;ve got Home edition machines, that&rsquo;s a problem.</li>
</ul>
<h3 id="the-bottom-line">The Bottom Line</h3>
<p>If you&rsquo;re paying for M365 Business Premium and not using Intune, you&rsquo;re wasting money. It&rsquo;s not enterprise-only software — it&rsquo;s designed for exactly your situation: a small business that needs to manage devices without a dedicated IT team.</p>
<p>Set it up once, and it pays for itself in time saved every single week.</p>
]]></content:encoded></item></channel></rss>