<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Intune on IT Made Simple</title><link>https://itmadesimple.co.nz/tags/intune/</link><description>Recent content in Intune on IT Made Simple</description><generator>Hugo -- gohugo.io</generator><language>en</language><managingEditor>Thaddeus</managingEditor><webMaster>Thaddeus</webMaster><lastBuildDate>Tue, 23 Jun 2026 08:00:00 +1200</lastBuildDate><atom:link href="https://itmadesimple.co.nz/tags/intune/index.xml" rel="self" type="application/rss+xml"/><item><title>Intune for Small Business: Managing Devices Without an IT Team</title><link>https://itmadesimple.co.nz/posts/intune-small-business/</link><pubDate>Tue, 23 Jun 2026 08:00:00 +1200</pubDate><author>Thaddeus</author><guid>https://itmadesimple.co.nz/posts/intune-small-business/</guid><description>You&amp;#39;re paying for Intune already if you have M365 Business Premium. Here&amp;#39;s how to actually use it to manage your computers without needing a dedicated IT person.</description><content:encoded><![CDATA[<p>If you&rsquo;re on M365 Business Premium, you&rsquo;re paying for Microsoft Intune every single month. And if you&rsquo;re not using it, you&rsquo;re leaving one of the most valuable tools in the M365 suite on the table.</p>
<p>Intune lets you manage every Windows computer in your business from a single web page. No server required. No on-site IT person required. Just a browser and a couple of hours to set it up.</p>
<p>I know what you&rsquo;re thinking: &ldquo;That sounds complicated.&rdquo; It&rsquo;s not. It&rsquo;s just unfamiliar. Let me walk you through it.</p>
<h3 id="what-intune-actually-does">What Intune Actually Does</h3>
<p>Think of Intune as a remote control for your computers. From the Intune admin centre, you can:</p>
<ul>
<li><strong>Enrol devices</strong> — connect them to your management system</li>
<li><strong>Push software</strong> — install applications automatically</li>
<li><strong>Enforce policies</strong> — require encryption, set password rules, control settings</li>
<li><strong>Manage updates</strong> — control when Windows Updates install (we covered this in <a href="https://itmadesimple.co.nz/posts/windows-updates-why-ignore/">a previous post</a>)</li>
<li><strong>Remote wipe</strong> — if a laptop gets stolen, erase it remotely</li>
<li><strong>See compliance</strong> — at a glance, which machines are up to date and which aren&rsquo;t</li>
</ul>
<p>For a small business without a dedicated IT person, this is transformative. Instead of walking around to each machine to check settings, you do it all from your desk.</p>
<h3 id="what-you-need">What You Need</h3>
<ul>
<li><strong>M365 Business Premium</strong> (includes Intune — ~NZ$36/user/month, excl. GST, annual billing)</li>
<li><strong>Windows 10/11 Pro</strong> on each device (Home edition can&rsquo;t be joined to Entra ID and has no BitLocker, so the enrolment path and policies in this post don&rsquo;t apply to it)</li>
<li><strong>An Intune Administrator</strong> role in M365 (Global Administrator also works, but keep that for a separate, MFA-protected break-glass account rather than the account you sign in with every day)</li>
<li><strong>About 2 hours</strong> for initial setup</li>
</ul>
<h3 id="step-1-enable-intune">Step 1: Enable Intune</h3>
<p>If you&rsquo;re on Business Premium, Intune is already included. You just need to start using it.</p>
<ol>
<li>Go to <a href="https://intune.microsoft.com">https://intune.microsoft.com</a></li>
<li>If it&rsquo;s your first time, it&rsquo;ll take a few minutes to provision</li>
<li>You&rsquo;ll see the admin dashboard — this is your new best friend</li>
</ol>
<h3 id="step-2-set-up-automatic-enrolment">Step 2: Set Up Automatic Enrolment</h3>
<p>This is the magic bit. Once configured, any user who signs into a Windows device with their M365 account automatically enrols it in Intune. No manual setup per machine.</p>
<ol>
<li>In Intune, go to <strong>Devices &gt; Enrolment</strong>, then the <strong>Windows</strong> tab</li>
<li>Click <strong>Automatic Enrolment</strong></li>
<li>Set the <strong>MDM user scope</strong> to <strong>Some</strong> and pick a test group, or <strong>All</strong> to cover every user straight away</li>
<li>Click <strong>Save</strong></li>
</ol>
<p>That&rsquo;s it. From now on, when someone joins a Windows PC to your Entra ID and signs in with an account in that scope, the PC enrols automatically. Note the distinction: the device must be Entra ID <em>joined</em>. Simply signing into an app with a work account registers the device with Entra ID but does not by itself enrol it in Intune, and a registered-but-unenrolled PC receives none of the policies below.</p>
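<p>An added check, which is my script and not part of the original post: after a test user has signed in, run it in an elevated PowerShell on the PC to confirm the machine is Entra ID joined <em>and</em> MDM-enrolled rather than merely registered. It only parses the output of dsregcmd /status, which ships with Windows; nothing else is assumed.</p>

```powershell
# Added example, not from the original post. Parses "dsregcmd /status" (built into Windows)
# and reports whether this PC is Entra ID joined and enrolled in Intune (MDM), or only registered.
function Get-EnrolmentState {
    param([string[]]$StatusLines = (dsregcmd /status))

    # Every "Key : Value" line goes into a hashtable; banner and table-border lines have no colon.
    # The key group is non-greedy so URL values containing ':' are kept whole.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') { $state[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        EntraJoined = ($state['AzureAdJoined']   -eq 'YES')                       # device is Entra ID joined
        Registered  = ($state['WorkplaceJoined'] -eq 'YES')                       # work account added, device only registered
        MdmEnrolled = -not [string]::IsNullOrWhiteSpace($state['MdmUrl'])         # Intune enrolment URL present
        TenantName  = $state['TenantName']
        DeviceId    = $state['DeviceId']
    }
}

$s = Get-EnrolmentState
if ($s.EntraJoined -and $s.MdmEnrolled) {
    "OK: joined to $($s.TenantName) and enrolled in Intune (device $($s.DeviceId))"
} elseif ($s.EntraJoined) {
    "Joined but NOT enrolled: check the user is in the MDM user scope and licensed, then Settings, Accounts, Access work or school, Info, Sync"
} elseif ($s.Registered) {
    "Only Entra-registered: the PC was never joined, so no Intune policy will reach it"
} else {
    "Not joined or registered: sign in with the M365 account during setup, or join from Settings, Accounts, Access work or school"
}
```

<p>The &ldquo;joined but not enrolled&rdquo; branch is the one you&rsquo;ll hit most often while testing: it almost always means the signing-in user wasn&rsquo;t in the MDM user scope at the time the device was joined.</p>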
<h3 id="step-3-create-a-compliance-policy">Step 3: Create a Compliance Policy</h3>
<p>A compliance policy defines what &ldquo;healthy&rdquo; looks like for your devices. If a device doesn&rsquo;t meet the policy, it shows as non-compliant and you can restrict its access to company data.</p>
<ol>
<li>Go to <strong>Devices &gt; Compliance &gt; Policies &gt; + Create policy</strong></li>
<li>Choose <strong>Windows 10 and later</strong></li>
<li>Configure the basics:</li>
</ol>
<table>
	<thead>
			<tr>
					<th>Setting</th>
					<th>Recommended Value</th>
			</tr>
	</thead>
	<tbody>
			<tr>
					<td>Require BitLocker</td>
					<td>Yes</td>
			</tr>
			<tr>
					<td>Require Secure Boot</td>
					<td>Yes</td>
			</tr>
			<tr>
					<td>Require code integrity</td>
					<td>Yes</td>
			</tr>
			<tr>
					<td>Minimum OS version</td>
					<td>The build your fleet is currently on (winver shows it); move it up after each month&rsquo;s update has rolled out</td>
			</tr>
			<tr>
					<td>Password type (complexity)</td>
					<td>Alphanumeric</td>
			</tr>
			<tr>
					<td>Minimum password length</td>
					<td>8 (longer if your users will tolerate it)</td>
			</tr>
			<tr>
					<td>Require antivirus</td>
					<td>Yes (Microsoft Defender Antivirus, built into Windows)</td>
			</tr>
	</tbody>
</table>
<ol start="4">
<li>Click <strong>Create</strong></li>
</ol>
<p>Now any device that doesn&rsquo;t meet these requirements shows as non-compliant in your dashboard. Two things to check while you&rsquo;re there. First, under <strong>Compliance policy settings</strong>, change <strong>Mark devices with no compliance policy assigned as</strong> from the default <strong>Compliant</strong> to <strong>Not compliant</strong>, so a PC that missed the assignment can&rsquo;t pass by accident. Second, &ldquo;non-compliant&rdquo; is only a report until a Conditional Access policy (Entra ID P1, included in Business Premium) requires a compliant device; without one, non-compliant machines keep accessing company data.</p>
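<p>An added local pre-check, my script rather than anything from the original post: run it as Administrator on a managed PC to see which of the settings in the table it would fail, without waiting for Intune&rsquo;s next check-in. It covers BitLocker, Secure Boot, minimum OS build and Defender; the password rule is enforced at sign-in and code integrity is reported by Device Health Attestation, so those two aren&rsquo;t reproduced. The $MinimumBuild default is an assumption to replace with your fleet&rsquo;s build.</p>

```powershell
# Added example, not from the original post. Run as Administrator on a managed PC to see which of
# the compliance settings above it would fail, before waiting on Intune's next check-in.
# $MinimumBuild is an assumption: put in the build your fleet is on ("winver" shows it).
function Test-LocalCompliance {
    param([int]$MinimumBuild = 22631)

    $results = [ordered]@{}

    # Minimum OS version: compare the running build number with the policy floor
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $results['Minimum OS version'] = ($build -ge $MinimumBuild)

    # Require BitLocker: the OS drive must be fully encrypted AND protection switched on
    # (a volume mid-encryption, or one with protectors suspended, still fails the policy)
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $results['Require BitLocker'] = ($null -ne $bl -and $bl.ProtectionStatus -eq 'On' -and $bl.VolumeStatus -eq 'FullyEncrypted')

    # Require Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS / CSM machines, which fail the policy too
    try   { $results['Require Secure Boot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $results['Require Secure Boot'] = $false }

    # Require antivirus: Defender on with real-time protection; the signature-age check is stricter
    # than the policy but is what you actually want to know
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $results['Require antivirus'] = ($null -ne $mp -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -le 7)

    foreach ($entry in $results.GetEnumerator()) {
        [pscustomobject]@{ Setting = $entry.Key; Status = $(if ($entry.Value) { 'OK' } else { 'NON-COMPLIANT' }) }
    }
}

Test-LocalCompliance | Format-Table -AutoSize
```

<p>Intune&rsquo;s own verdict still comes from the device&rsquo;s check-in (and from Device Health Attestation for the BitLocker and Secure Boot rows), so treat a clean result here as &ldquo;this machine should go compliant at its next sync&rdquo;, not as proof that it has.</p>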
<h3 id="step-4-deploy-your-first-app">Step 4: Deploy Your First App</h3>
<p>Let&rsquo;s install something. 7-Zip is a good test &mdash; it&rsquo;s free, small, and useful. It&rsquo;s available in the Microsoft Store, so this is the easy path. Check the publisher shown on the listing before you assign it: the Store carries unofficial repackagings of popular free tools, and an installer you didn&rsquo;t vet pushed to every PC is the wrong kind of automation.</p>
<ol>
<li>Go to <strong>Apps &gt; All apps &gt; Add</strong></li>
<li>Select <strong>Microsoft Store app (new)</strong></li>
<li>Search for &ldquo;7-Zip&rdquo;, select it</li>
<li>Assign to a group (start with a test group)</li>
<li>Set the assignment to <strong>Required</strong> and the app installs automatically on enrolled devices in that group (<strong>Available</strong> only lists it in Company Portal for users to pick)</li>
</ol>
<p>For apps that aren&rsquo;t in the Store, you&rsquo;ll need the Win32 wrapping method:</p>
<ol>
<li>Go to <strong>Apps &gt; All apps &gt; Add</strong></li>
<li>Select <strong>Windows app (Win32)</strong></li>
<li>Wrap the installer (.msi or .exe) into the .intunewin format using Microsoft&rsquo;s Win32 Content Prep Tool (IntuneWinAppUtil.exe), then upload it</li>
<li>Set the install command and uninstall command (for an .msi, msiexec with the /qn silent switch; for an .exe, the vendor&rsquo;s documented silent-install switches)</li>
<li>Add a detection rule, which Intune requires: the MSI product code, or a file or registry key the installer creates</li>
<li>Assign to a group</li>
</ol>
<p>Yes, Win32 wrapping is the fiddliest part of Intune. Always check the Store first.</p>
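<p>An added packaging script, mine and not from the original post or from Microsoft: it wraps one installer and prints the commands and detection rule to type into the Win32 app wizard. It assumes IntuneWinAppUtil.exe has been downloaded to the path in $Tool and that the folder in $Source holds only the installer; every path and the vendor-app.msi file name are placeholders. The signature-or-hash gate at the top is there so nothing gets pushed to every PC that you haven&rsquo;t verified came from the vendor.</p>

```powershell
# Added example, not from the original post. Wraps one installer into .intunewin and prints what to
# type into the Win32 app wizard. Assumptions: IntuneWinAppUtil.exe (Microsoft's Win32 Content Prep
# Tool) has been downloaded to $Tool, and $Source holds only the installer $Setup (everything in that
# folder gets packaged). All paths and the file name are placeholders; avoid spaces in them.
param(
    [string]$Tool           = 'C:\IntuneTools\IntuneWinAppUtil.exe',
    [string]$Source         = 'C:\IntunePackages\vendor-app',
    [string]$Setup          = 'vendor-app.msi',
    [string]$Output         = 'C:\IntunePackages\out',
    [string]$ExpectedSha256 = ''   # paste the vendor's published hash here if the installer is unsigned
)

$installer = Join-Path $Source $Setup
$sig  = Get-AuthenticodeSignature -FilePath $installer
$hash = (Get-FileHash -Algorithm SHA256 -Path $installer).Hash

# Supply-chain gate: signed installers must validate; unsigned ones are accepted only when the
# hash matches a value you copied from the vendor's own site.
if ($sig.Status -eq 'Valid') {
    "Signed by: $($sig.SignerCertificate.Subject)"
} elseif ($ExpectedSha256 -and $hash -eq $ExpectedSha256.ToUpperInvariant()) {
    "Unsigned, but SHA256 matches the vendor-published hash"
} else {
    throw "Refusing to package $Setup : signature status '$($sig.Status)', SHA256 $hash did not match an expected value"
}

# ProductCode of an MSI, read through the Windows Installer COM API. Intune's MSI detection rule
# and the uninstall command are both keyed on it.
function Get-MsiProductCode([string]$Path) {
    $wi   = New-Object -ComObject WindowsInstaller.Installer
    $db   = $wi.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $wi, @($Path, 0))
    $sql  = "SELECT Value FROM Property WHERE Property = 'ProductCode'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
    $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
}

# -c source folder, -s setup file, -o output folder, -q quiet
$proc = Start-Process -FilePath $Tool -ArgumentList @('-c', $Source, '-s', $Setup, '-o', $Output, '-q') -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "IntuneWinAppUtil.exe exited with code $($proc.ExitCode)" }
"Packaged: look for the .intunewin file in $Output"

if ($Setup -like '*.msi') {
    $code = Get-MsiProductCode -Path $installer
    "Install command:   msiexec /i `"$Setup`" /qn /norestart"
    "Uninstall command: msiexec /x $code /qn /norestart"
    "Detection rule:    MSI, product code $code"
} else {
    "EXE installer: take the silent switches from the vendor's docs and use a file or registry detection rule"
}
```

<p>Save it as a .ps1 and run it once per installer. Keep the printed SHA256 with your change notes: when you later wonder whether the package on a PC is the one you uploaded, that hash is the answer.</p>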
<h3 id="step-5-set-up-a-configuration-profile">Step 5: Set Up a Configuration Profile</h3>
<p>Configuration profiles let you control device settings. Here are the ones I&rsquo;d set up first:</p>
<p><strong>Wi-Fi profile:</strong> Push your office Wi-Fi settings so devices connect automatically. If the network uses a pre-shared key, bear in mind that any local admin on the laptop can read the key back out of the profile, so change it when staff leave.</p>
<ol>
<li>Go to <strong>Devices &gt; Configuration profiles &gt; Create profile</strong></li>
<li>Platform: <strong>Windows 10 and later</strong></li>
<li>Profile type: <strong>Templates &gt; Wi-Fi</strong></li>
<li>Enter your SSID, security type, and password</li>
<li>Assign to your device group</li>
</ol>
<p><strong>BitLocker profile:</strong> Ensure all drives are encrypted.</p>
<ol>
<li>Go to <strong>Endpoint security &gt; Disk encryption &gt; Create policy</strong></li>
<li>Platform: <strong>Windows 10 and later</strong>, Profile: <strong>BitLocker</strong></li>
<li>Enable BitLocker, set the encryption method, and require recovery keys to be backed up to Entra ID; you&rsquo;ll read them from the device&rsquo;s <strong>Recovery keys</strong> page in Intune the day a machine asks for one</li>
<li>Assign to your device group</li>
</ol>
<blockquote>
<p><strong>Note:</strong> The older path <strong>Templates &gt; Endpoint protection</strong> still works, but Microsoft now steers toward Endpoint security &gt; Disk encryption.</p>
</blockquote>
<h3 id="what-this-looks-like-day-to-day">What This Looks Like Day-to-Day</h3>
<p>Once set up, your workflow is:</p>
<ol>
<li><strong>New employee starts</strong> &mdash; they get a Windows PC, sign in with their M365 account, and Intune automatically enrols it, installs your apps, and applies your policies. Done.</li>
<li><strong>Someone loses a laptop</strong> &mdash; you go to Intune, find the device, and click <strong>Wipe</strong>. The laptop is erased the next time it checks in. Until it does (and a thief who never connects it to the internet never triggers the wipe), the BitLocker requirement from Step 3 is what keeps the data unreadable, which is why that setting isn&rsquo;t optional.</li>
<li><strong>A compliance issue pops up</strong> — you see it in the dashboard, and you know exactly which machine and what&rsquo;s wrong.</li>
<li><strong>You need to deploy new software</strong> — add it in Intune, assign it, and it installs automatically.</li>
</ol>
<p>No driving to the office after hours. No walking around to each machine. No &ldquo;I&rsquo;ll do it Monday.&rdquo;</p>
<h3 id="the-honest-limitations">The Honest Limitations</h3>
<p>Intune isn&rsquo;t perfect. A few things to know:</p>
<ul>
<li><strong>It needs internet connectivity.</strong> Devices check in with Intune periodically — they don&rsquo;t need to be online 24/7, but they do need to connect now and then to receive policies and report status.</li>
<li><strong>Mac and iOS management is possible</strong> but the experience isn&rsquo;t as polished as Windows.</li>
<li><strong>The reporting is basic.</strong> It tells you if something&rsquo;s compliant, but it won&rsquo;t give you deep diagnostics.</li>
<li><strong>There&rsquo;s a learning curve.</strong> The first few hours are confusing. It gets easier.</li>
<li><strong>Windows Home edition doesn&rsquo;t fit.</strong> It can&rsquo;t be Entra ID joined and has no BitLocker, so you need Pro. If you&rsquo;ve got Home edition machines, that&rsquo;s a problem to solve first.</li>
</ul>
<h3 id="the-bottom-line">The Bottom Line</h3>
<p>If you&rsquo;re paying for M365 Business Premium and not using Intune, you&rsquo;re wasting money. It&rsquo;s not enterprise-only software — it&rsquo;s designed for exactly your situation: a small business that needs to manage devices without a dedicated IT team.</p>
<p>Set it up once, and it pays for itself in time saved every single week.</p>
<hr>
<p><em>I&rsquo;ve put together a complete Intune enrolment walkthrough on Patreon &mdash; with screenshots for every step, recommended compliance policies for small business, and a device enrolment checklist you can follow for each new machine. <a href="https://www.patreon.com/c/ITMadeSimple">Get it here</a>.</em></p>
]]></content:encoded></item><item><title>Windows Updates: Why You Can't Just Ignore Them</title><link>https://itmadesimple.co.nz/posts/windows-updates-why-ignore/</link><pubDate>Thu, 18 Jun 2026 08:00:00 +1200</pubDate><author>Thaddeus</author><guid>https://itmadesimple.co.nz/posts/windows-updates-why-ignore/</guid><description>That &amp;#34;Update and restart&amp;#34; prompt is annoying. But ignoring it is how businesses get ransomware. Here&amp;#39;s what updates actually do and how to manage them without losing your mind.</description><content:encoded><![CDATA[<p>You&rsquo;re in the middle of something. A deadline, a customer on the phone, a report that was due yesterday. And there it is:</p>
<p><strong>&ldquo;Update and restart now.&rdquo;</strong></p>
<p>So you click &ldquo;Remind me tonight.&rdquo; Tonight comes. You click &ldquo;Remind me in 4 hours.&rdquo; You keep clicking it until it forces the restart at the worst possible time, and now you&rsquo;re annoyed at Microsoft.</p>
<p>I get it. I really do. But here&rsquo;s the thing — that prompt is trying to save your business.</p>
<h3 id="what-updates-actually-do">What Updates Actually Do</h3>
<p>There&rsquo;s a misconception that Windows Updates are just Microsoft adding features you don&rsquo;t want and changing things that work fine. Sometimes that&rsquo;s true — the occasional feature update does change the look and feel, and it&rsquo;s annoying.</p>
<p>But the critical updates? The ones that interrupt your work? Those are usually security patches (delivered as part of monthly cumulative updates).</p>
<p>Here&rsquo;s what that means in practice:</p>
<p>Microsoft&rsquo;s security team (and independent researchers) find vulnerabilities in Windows. These are flaws that a criminal could use to get into your computer. Some vulnerabilities require no interaction at all — in some cases, just being on the same network with an unpatched machine is enough. Others rely on phishing or user action.</p>
<p>Microsoft releases a patch to fix the vulnerability. That patch gets delivered via Windows Update.</p>
<p>If you install the patch, you&rsquo;re protected. If you don&rsquo;t, the door stays open. And criminals know exactly which doors are still open — the patches are public. When Microsoft releases a fix, attackers can reverse-engineer the patch to figure out exactly what to exploit on machines that haven&rsquo;t updated yet.</p>
<p><strong>Not updating is like locking your front door but leaving the key in it.</strong></p>
<h3 id="the-wannacry-problem">The WannaCry Problem</h3>
<p>In 2017, a vulnerability called EternalBlue was used to spread the WannaCry ransomware. It infected over 230,000 computers across 150 countries in a few days. Hospitals, businesses, government agencies — all hit.</p>
<p>Microsoft had released a patch for the vulnerability <strong>nearly two months before</strong> the attack.</p>
<p>Most of the businesses that got hit weren&rsquo;t running ancient, unsupported Windows. They were mostly on Windows 7 and Server 2008 R2, the same versions plenty of businesses were still running and for which the March patch was available. They just hadn&rsquo;t installed the update.</p>
<p>WannaCry didn&rsquo;t care that you were busy. It didn&rsquo;t care that the update prompt was annoying. It just encrypted everything and demanded $300 in Bitcoin.</p>
<p>Most ransomware intrusions that start from a software flaw use a known vulnerability with a patch already available, not a zero-day. The gangs aren&rsquo;t using fancy exploits &mdash; they&rsquo;re exploiting the updates people didn&rsquo;t install.</p>
<h3 id="but-updates-break-things">&ldquo;But Updates Break Things!&rdquo;</h3>
<p>This is the counter-argument, and it&rsquo;s not wrong. Sometimes updates do break things. A driver stops working. An app compatibility issue pops up. Something that worked yesterday doesn&rsquo;t work today.</p>
<p>This was more of a problem in the Windows 7/8 era. It still happens occasionally, but Microsoft has gotten significantly better at testing updates before broad release. The &ldquo;update broke my computer&rdquo; scenario is far less common than it used to be.</p>
<p>Here&rsquo;s how to manage the risk without leaving yourself exposed:</p>
<p><strong>Don&rsquo;t install updates on day one. But don&rsquo;t wait three months either.</strong></p>
<p>Let the early adopters find the problems. Wait a week or so after &ldquo;Patch Tuesday&rdquo; (the second Tuesday of each month — that&rsquo;s when Microsoft drops their big security updates). Then install.</p>
<p>You can configure this through <strong>Windows Update for Business</strong> (policy settings on each Windows Pro machine) or centrally with <strong>Intune</strong> (if you&rsquo;re on M365 Business Premium). Set a deferral period: give feature updates a longer deferral (30-60 days), and keep quality updates, the monthly cumulative updates that carry the security fixes, to 7-14 days.</p>
<h3 id="how-to-set-up-a-basic-update-policy">How to Set Up a Basic Update Policy</h3>
<p>If you&rsquo;re running Windows 10/11 Pro (most business machines do), you can configure this without any extra tools:</p>
<ol>
<li>Open <strong>Settings &gt; Windows Update &gt; Advanced options</strong></li>
<li>Enable <strong>Receive updates for other Microsoft products</strong> (keeps Office updated too)</li>
<li>If available on your version of Windows, under <strong>Choose when updates are installed</strong>, set:
<ul>
<li><strong>Feature updates:</strong> defer by 30 days</li>
<li><strong>Quality updates:</strong> defer by 7 days</li>
</ul>
</li>
</ol>
<p>That&rsquo;s the &ldquo;set and forget&rdquo; level. You&rsquo;ll get security updates within a week of release (early adopters have found any problems by then) and feature updates within a month (plenty of time for news about any issues).</p>
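<p>Because the &ldquo;Choose when updates are installed&rdquo; page isn&rsquo;t on every Windows version, here is the policy-registry form of the same deferrals as an added example, my script rather than anything from the original post. It writes the Windows Update for Business deferral values (the same ones Group Policy sets) on a Windows 10/11 Pro machine without Intune, then reports how long since the machine last installed an update and whether a restart is pending. The day counts default to the post&rsquo;s values; run it as Administrator, and pass -Apply to write rather than just report.</p>

```powershell
# Added example, not from the original post. The Group Policy / registry form of the deferral
# settings above, for Windows 10/11 Pro machines without Intune. Run as Administrator.
# With -Apply it writes the deferrals; without it, it only reports what is in force.
param(
    [int]$QualityDeferDays = 7,    # monthly cumulative (security) updates: about a week after Patch Tuesday
    [int]$FeatureDeferDays = 30,   # feature updates
    [switch]$Apply
)

$wuPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$deferrals = @{
    DeferQualityUpdates             = 1
    DeferQualityUpdatesPeriodInDays = $QualityDeferDays
    DeferFeatureUpdates             = 1
    DeferFeatureUpdatesPeriodInDays = $FeatureDeferDays
}

if ($Apply) {
    if (-not (Test-Path $wuPolicy)) { New-Item -Path $wuPolicy -Force | Out-Null }
    foreach ($name in $deferrals.Keys) {
        Set-ItemProperty -Path $wuPolicy -Name $name -Value $deferrals[$name] -Type DWord
    }
}

# Report what is in force. A missing value means "no deferral": updates land on day one.
$current = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
"Quality update deferral : $(if ($current.DeferQualityUpdatesPeriodInDays) { "$($current.DeferQualityUpdatesPeriodInDays) days" } else { 'none' })"
"Feature update deferral : $(if ($current.DeferFeatureUpdatesPeriodInDays) { "$($current.DeferFeatureUpdatesPeriodInDays) days" } else { 'none' })"

# How stale is the machine? Deferring is fine; silently never installing is the WannaCry scenario.
$last = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn | Select-Object -Last 1
if ($last) {
    $days = [int]((Get-Date) - $last.InstalledOn).TotalDays
    "Last update installed   : $($last.HotFixID) on $($last.InstalledOn.ToString('yyyy-MM-dd')) ($days days ago)"
    if ($days -gt 45) { Write-Warning 'More than a full patch cycle without an update; open Windows Update and find out why' }
}

# A downloaded patch protects nothing until the reboot happens
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
    Write-Warning 'A restart is pending: the last update is not in effect yet'
}
```

<p>The staleness report is the half worth running on every machine, deferral or not: a 7-day deferral that quietly turned into 90 days because a laptop never sat online long enough looks identical from the user&rsquo;s chair.</p>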
<p>If you&rsquo;ve got M365 Business Premium and Intune, you can do this centrally for all machines — more on that below.</p>
<h3 id="if-youve-got-intune-m365-business-premium">If You&rsquo;ve Got Intune (M365 Business Premium)</h3>
<p>This is where it gets easier. When we covered <a href="https://itmadesimple.co.nz/posts/m365-licensing-which-plan/">M365 licensing</a>, I mentioned that Business Premium includes Intune. One of the best things about Intune is centrally managing Windows updates across all your devices.</p>
<p>You create <strong>update rings</strong> — groups of settings that control when and how updates install. You can set up:</p>
<ul>
<li><strong>A pilot ring:</strong> 5-10 machines get updates first. If something breaks, you catch it before it hits everyone.</li>
<li><strong>Everyone else:</strong> Gets updates 7-14 days after the pilot group.</li>
</ul>
<p>The pilot ring should include non-critical machines and tech-comfortable staff who&rsquo;ll actually report problems. Don&rsquo;t put your most important server in the pilot group.</p>
<p>I&rsquo;ve put together a complete walkthrough on Patreon for setting up Intune update rings — including recommended settings for small business, screenshots, and what to do if an update causes problems.</p>
<h3 id="other-things-updates-cover">Other Things Updates Cover</h3>
<p>It&rsquo;s not just security. Updates also include:</p>
<ul>
<li><strong>Bug fixes:</strong> That weird crash in Excel that happens every Tuesday? Might get fixed in a cumulative update.</li>
<li><strong>Driver updates:</strong> New hardware support and better performance on existing hardware (though these can occasionally cause issues, so some businesses manage them separately).</li>
<li><strong>.NET Framework updates:</strong> A lot of business software depends on this. Missing or mismatched .NET versions are a common cause of app issues.</li>
</ul>
<h3 id="the-bottom-line">The Bottom Line</h3>
<p>I know updates are annoying. I know they always seem to fire at the worst time. But the alternative — running unpatched Windows in a business environment — is genuinely dangerous.</p>
<p>Configure a deferral so you&rsquo;re not on day one. Test on a couple of machines first if you&rsquo;re in a managed environment. But actually install them. Every month. Without fail.</p>
<p>The ransomware gangs are counting on you putting it off. Don&rsquo;t make it easy for them.</p>
<hr>
<p><em>For M365 Business Premium users, I&rsquo;ve put together a step-by-step Intune update ring guide on Patreon — with recommended settings, pilot group setup, and rollback procedures if an update causes issues. <a href="https://www.patreon.com/c/ITMadeSimple">Check it out here</a>.</em></p>
]]></content:encoded></item></channel></rss>