Knowledge Article View - Service Portal

* At this time not all enrollment options or functionality are available for Intune. See 'How do I enroll devices?' below for more information.

What is Intune?

Intune is a Mobile Device Management (MDM) system that enables Administrators to configure and manage devices remotely. Intune is currently available for Windows devices at Virginia Tech.

How does Intune Work?

Intune is a cloud-hosted management server. Devices are enrolled into Intune and then receive policies and other configurations as they come into scope to the devices.

After enrollment, devices check into Intune for policy changes at predetermined intervals which varies by operating system. New policies created after devices are enrolled are pushed out to devices as they become available, independent from the device’s normal check in period.

Communications between the server and the devices are encrypted and no personal information such as browsing history, file contents, or passwords are collected.

How do I enroll devices?

There are several methods of enrolling devices, depending on the operating system (also see the Intune enrollment and capabilities section below):

Windows
- Autopilot - Devices are guided through enrollment during the device setup out-of-box experience (OOBE). The device becomes joined to AzureAD and not On-Prem
- Azure AD-Join - Devices are enrolled by joining to AzureAD after the device has already been setup or configured.
- Hybrid-join enrollment – Domain-joined devices in a synced Organization Unit (OU) in the Central Services domain can be automatically enrolled via Group Policy Object (GPO).
- BYOD enrollment – Devices can be enrolled via the Company Portal app or via the “Access work or school” section of Settings in Windows 10. Management features are limited compared to hybrid enrollment.

Where can I find Technical Documentation, resources, training materials, etc.?

Technical Documentation and information for Intune can be found at:

Microsoft Intune Product Documentation - https://docs.microsoft.com/en-us/mem/intune/
What’s New In Microsoft Intune – Learn what’s new with Microsoft including notices, past releases and other information on how updates are released - https://docs.microsoft.com/en-us/mem/intune/fundamentals/whats-new
VT Slack – Located at #intune in Virginia Tech’s Slack instance
Intune User’s Group – A VT Google Group where announcements are made and discussions can be had. Contact a Service Administrator to be added to the group.

Is in-person or live remote training or assistance available?

Training is available subject to scheduling and availability. It is available for initial onboarding as well as follow up and can be customized based on need. You can request training from one of VT Intune’s Service Administrators by completing the IT Service Catalog item here.

The #intune slack channel or the Intune User’s Group is also a place where questions can be asked to other VT Intune users. Service administrators are also available for assistance with any issues or questions.

How can I start using Intune?

You can get started using Intune by requesting access through the Service Catalog by clicking here. Pricing and other information is available within the catalog item.

	Device join types		Comment
Intune enrollment method	Hybrid Joined (Windows)	Azure AD Registered (Windows)* * this enrollment method is currently not available
Requirements for enrollment method	Windows devices must be in a managed OU in Central Services Domain (CSD)	Enrolling user must be licensed
How devices are enrolled	In the department’s managed CSD OU, the department creates a child OU named ‘[OU]-Intune’. Windows device objects in that child OU will be synced to Azure AD.	The Microsoft Company Portal app is downloaded, installed, and used to enroll the device. The user authenticates with their credentials.
General capabilities (from Microsoft documentation)
User gets associated with device	✔	✔
Device can access resources protected by CA	✔	✔
Ability to configure the device setup experience	✘	✘
Ability to enroll devices without user interaction	✔*	✘	* user will get a 2-factor Duo prompt.
Ability to run PowerShell scripts (custom scripting)	✔	✔
Supports automatic enrollment after AD domain join	✔	✘
Supports automatic enrollment after Hybrid Azure AD Join	✔	✘
Customized reporting and device compliance reporting	✔	✔	Compliance reporting through Intune portal; customized reporting with Power BI (external to Intune)
Allow administrator to reset a device pin/passcode	✔✘	✔✘ *	* Only iOS/iPadOS enrolled via DEP/ASM, Android devices on version 6.x or earlier, and Android Enterprise devices enrolled as Device Owner.
Perform full wipe of device	✔	✔
Perform selective wipe of the organization’s intellectual property	✔	✔
Compartmentalize data	✘	✘
User portal for OS versions supported	✔	✔	Uses Company Portal, distributed or downloaded
Prevent user unenrolling device	✔	✔*	* A profile can be used to prevent unenrolling
Remove/uninstall apps remotely	✔	✔	*for Android must be Managed Play Store Apps
Application allow/block list	✔	✔
Windows-specific capabilities
Manage operating system patches on devices	✔	✔	Updates via assigning Windows update rings and schedule, not KB push / SUS management
Roll back packages and updates	✔✘	✔✘	Can roll back Feature or Quality for Update Rings
Force system restore / create restore points	✔✘	✔✘	Rebuild system only, not backup files, cannot create restore points. System restore points are an old style of backup. Intune offers wipe/restore options.
Check BIOS	✘	✘
Configure deployment/installation of native Windows files (.exe, .msi)	✔	✔	Deploying .exe requires wrapping installer in proprietary .intune file format.
Configure Bitlocker	✔	✔
Configure Applocker	✔	✔
Disable peer-to-peer distribution of updates	✔	✔
Wake on LAN	✘	✘
Bulk MDM enrollment	✔	✘