There is no shortage of Microsoft Intune documentation — but most engineers learn Intune in the wrong order, jumping straight into Compliance Policies before understanding how Device Enrollment works, or configuring Win32 apps before knowing what the Intune Management Extension actually does. A structured roadmap fixes that. This guide maps the full Intune learning path across 12 logical chapters, from the basics of what Intune is, all the way to troubleshooting and enterprise-grade security.
The Roadmap at a Glance
These 12 chapters cover the complete Microsoft Intune stack. Each chapter builds on the last — work through them in order and nothing will feel disconnected.
- Chapter 1: Introduction to Microsoft Intune
  - Overview & Key Benefits
  - Architecture
  - Service Overview
  - Components
- Chapter 2: Microsoft Entra ID (Basics for Intune)
  - Users
  - Groups & Roles
  - Authentication Methods
  - Licenses & Permissions
  - Entra ID & Intune Integration
- Chapter 3: Getting Started with Intune
  - Tenant Setup
  - Admin Center Overview
  - Roles & Admin Access
  - First-Time Configuration
- Chapter 4: Device Enrollment
  - Enrollment Methods
  - Platform Support
  - Enrollment Status Page (ESP)
  - Device Enrollment Restrictions
- Chapter 5: Windows Autopilot
  - What is Autopilot?
  - Deployment Process
  - Hardware Hash & Import
  - Autopilot Profiles
- Chapter 6: Device Configuration
  - Configuration Profiles
  - Settings Catalog
  - Administrative Templates
  - Device Restrictions
- Chapter 7: Compliance Management
  - Compliance Policies
  - Device Compliance Rules
  - Remediation & Notifications
  - Compliance Reports
- Chapter 8: Application Management
  - App Types in Intune
  - Win32 / MSIX / Store Apps
  - App Assignment & Deployment
  - Monitoring & Reporting
- Chapter 9: Security Management
  - Security Policies
  - Conditional Access Integration
  - BitLocker & LAPS
  - Endpoint Protection Policies
- Chapter 10: Microsoft Defender for Endpoint
  - Overview
  - Threat Protection
  - Vulnerability Management
  - Alerts & Investigation
- Chapter 11: Important Terms
  - Key Concepts
  - Common Acronyms
  - Important Keywords
  - Definitions
- Chapter 12: Intune Troubleshooting
  - Common Issues
  - Error Codes
  - Log Files & Locations
  - Troubleshooting Steps
Chapter 1 — Introduction to Microsoft Intune
Microsoft Intune is a cloud-based Mobile Device Management (MDM) and Mobile Application Management (MAM) service from Microsoft. It lets you manage devices and apps from a single admin console — Intune Admin Center — without needing on-premises infrastructure.
The Intune architecture is simple: devices enrol into the Intune service (via the MDM channel or, on Windows, the Intune Management Extension (IME)), receive policies and apps, and report compliance back. The IME handles Win32 app deployment, PowerShell scripts, and proactive remediations on Windows. Everything else — compliance, configuration profiles, app protection — flows through the MDM stack.
Chapter 2 — Microsoft Entra ID (Basics for Intune)
Intune does not manage identities — Microsoft Entra ID does. Every device enrolled in Intune is either Entra-joined or Entra-registered. Every user assigned a policy or app must have an Intune licence assigned in Entra ID. You cannot understand Intune without understanding the basics of Entra ID first.
| Topic | What you need to know |
|---|---|
| Users & Groups | Intune assignments (policies, apps) target Entra ID users and groups. Dynamic groups are the most scalable assignment strategy. |
| Authentication | MFA, Windows Hello for Business, FIDO2, and passwordless are all Entra ID features — but they gate access to Intune-managed resources. |
| Licences | Each user needs an Intune licence (standalone or via M365 E3/E5, Business Premium). Assign in Entra ID admin centre or via group-based licensing. |
| Integration | Entra ID provides the device identity (Entra-joined / Hybrid-joined / Entra-registered) that Intune uses for compliance and Conditional Access. |
Chapter 3 — Getting Started with Intune
First-time setup in a fresh tenant covers four things: configure your MDM authority (set it to Intune, not SCCM), set up your custom domain, assign licences to users, and add your first admin roles. The Intune Admin Center is at intune.microsoft.com.
Chapter 4 — Device Enrollment
Device enrollment is how a device gets under Intune management. The method you use depends on the platform and ownership model.
| Method | Platform | Best for |
|---|---|---|
| Windows Autopilot | Windows | New corporate devices — zero-touch OOBE |
| Automatic MDM enrollment (via Entra join) | Windows | Entra-joined devices, bulk enrollment |
| Apple ADE (Automated Device Enrollment) | iOS/macOS | Corporate iPhones, iPads, Macs via Apple Business Manager |
| Android Enterprise | Android | Fully managed, work profile, or dedicated kiosk devices |
| BYOD (MAM-WE) | iOS/Android | Personal devices — app protection only, no device management |
The Enrollment Status Page (ESP) controls what a user sees during OOBE on a Windows device. It blocks the desktop until configured apps and policies have applied. Configure it in: Devices → Enroll devices → Windows enrollment → Enrollment Status Page.
Chapter 5 — Windows Autopilot
Autopilot is the zero-touch deployment method for Windows. A device ships directly from the OEM to the end user — the user powers it on, signs in, and Autopilot configures it automatically with the correct apps, policies, and settings. IT never touches the physical device.
The hardware hash (a unique device fingerprint) is how Intune identifies the device before it has an Entra ID (formerly Azure AD) identity. The hash is either uploaded via CSV, imported from the OEM, or collected with a PowerShell script on existing devices.
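The "collected with a PowerShell script" path in practice, as an added example that is not part of the original guide: it reads the hash from the MDM bridge WMI class (the same source the Get-WindowsAutopilotInfo script from the PowerShell Gallery uses) and writes a CSV in the layout the Autopilot import accepts. The group tag value and output path are assumptions; the function names are this example's own.

```powershell
# Added example, not from the original guide: collect this device's Autopilot
# hardware hash and write it in the CSV layout the Intune Autopilot import accepts.
# Run in an elevated PowerShell session on the device being registered.

function Get-AutopilotHashRecord {
    param([string]$GroupTag = 'Corp-Laptop')   # assumed tag, matched later by an Autopilot dynamic group rule

    # Serial number as reported by the BIOS
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # Hardware hash from the MDM bridge provider; only readable when elevated
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" `
        -ErrorAction SilentlyContinue
    if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
        throw 'Hardware hash not readable: run elevated and check that the MDM bridge namespace exists on this device.'
    }

    # Column names must match the Autopilot import header exactly
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''                           # optional column, left empty
        'Hardware Hash'        = $devDetail.DeviceHardwareData
        'Group Tag'            = $GroupTag
    }
}

function Export-AutopilotHashCsv {
    param([string]$Path = (Join-Path $env:TEMP 'AutopilotHash.csv'))   # assumed output location

    # Mirror what Get-WindowsAutopilotInfo does: strip the quotes ConvertTo-Csv adds
    Get-AutopilotHashRecord |
        ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Set-Content -Path $Path -Encoding ascii
    $Path
}

$csv = Export-AutopilotHashCsv
Write-Host "Hash written to $csv. Import it on the Windows Autopilot devices page of the Intune admin center."
```

The hash is a base64 string several kilobytes long, so ASCII output is safe; the CSV is one row per device and can be appended to when collecting from several machines before a single import.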
Chapter 6 — Device Configuration
Configuration profiles are the primary way Intune pushes settings to devices. There are three main types: Settings Catalog (the modern approach — searchable, growing policy set), Templates (legacy ADMX-based Administrative Templates, Endpoint Protection, etc.), and Custom profiles (OMA-URI for settings not yet in the catalog).
Chapter 7 — Compliance Management
A compliance policy defines what a healthy device looks like: is BitLocker on? Is the OS version above a minimum? Is the firewall active? Intune evaluates compliance on check-in and marks devices Compliant or Non-compliant. Conditional Access can then block non-compliant devices from accessing company resources.
The compliance evaluation flow: Policy assigned → Device checks in → Intune evaluates rules → Sets compliance state → Conditional Access enforces access control.
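The three checks the paragraph lists (BitLocker, minimum OS version, firewall) expressed as a Windows compliance policy created and assigned through Microsoft Graph, as an added example that is not from the original guide. It assumes the Microsoft.Graph PowerShell SDK is installed; the display name, minimum build and group id are placeholder values.

```powershell
# Added example, not from the original guide: create a Windows compliance policy
# through Microsoft Graph and assign it to a group. Requires the Microsoft.Graph
# PowerShell SDK and a signed-in account with the scope below.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$policy = @{
    '@odata.type'           = '#microsoft.graph.windows10CompliancePolicy'
    displayName             = 'Windows - Baseline compliance'   # assumed name
    description             = 'BitLocker on, firewall active, OS build at or above the minimum'
    bitLockerEnabled        = $true                # "is BitLocker on?"
    osMinimumVersion        = '10.0.22621.0'       # assumed minimum build (Windows 11 22H2)
    activeFirewallRequired  = $true                # "is the firewall active?"
    # Graph requires at least one scheduled action; gracePeriodHours = 0 marks the
    # device Non-compliant as soon as a rule fails, which is the state Conditional Access acts on
    scheduledActionsForRule = @(
        @{
            ruleName                      = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{
                    actionType                = 'block'
                    gracePeriodHours          = 0
                    notificationTemplateId    = ''
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

# Create the policy; the response carries the new policy id
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body $policy

# Assign it to an Entra ID group (placeholder id, replace with the real one)
$assignment = @{
    assignments = @(
        @{
            target = @{
                '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                groupId       = '00000000-0000-0000-0000-000000000000'
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body $assignment

Write-Host "Policy $($created.id) created and assigned; devices evaluate it on their next check-in."
```

Until a device checks in its state for this policy is Not evaluated, which Conditional Access treats the same as Non-compliant, so assign the policy to a pilot group before widening the target.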
Chapter 8 — Application Management
Intune supports four main app types on Windows: Win32 (EXE/MSI packaged with IntuneWinAppUtil), Microsoft Store apps (WinGet-sourced), Line-of-Business (LOB) apps (uploaded MSI/MSIX), and Microsoft 365 Apps (Click-to-Run, managed natively). Win32 is the most capable and the most common for enterprise deployments.
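A Win32 deployment stands or falls on its detection rule, so here is a custom detection script as an added example (not from the original guide or from IntuneWinAppUtil): Intune marks the app installed only when the script exits 0 and writes something to STDOUT; any other combination means not detected and the install command runs. The product name, version and registry values are assumed placeholders.

```powershell
# Added example, not from the original guide: custom detection script for a Win32 app.
# Detected  = exit code 0 AND output on STDOUT
# Not found = anything else (no output and/or non-zero exit), so Intune runs the installer
#
# Packaging step that produces the .intunewin file, run beforehand on a build machine:
#   IntuneWinAppUtil.exe -c C:\Pkg\ExampleApp -s setup.exe -o C:\Pkg\Out -q
#   (-c source folder, -s setup file, -o output folder, -q quiet; paths are assumed)

$displayNamePattern = 'Example App*'      # assumed DisplayName of the installed product
$minimumVersion     = [version]'2.5.0'    # assumed: anything older counts as not installed

# Search both native and WOW6432Node uninstall keys so 32-bit installers are found too
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $displayNamePattern -and $_.DisplayVersion } |
    Select-Object -First 1

if ($installed) {
    # Vendors sometimes write non-numeric version strings; treat those as "too old"
    try { $found = [version]$installed.DisplayVersion } catch { $found = [version]'0.0' }
    if ($found -ge $minimumVersion) {
        # Output plus exit 0 = detected; the text itself is free-form
        Write-Output "Detected $($installed.DisplayName) $($installed.DisplayVersion)"
        exit 0
    }
}

# Missing or older than the minimum: no output, non-zero exit, Intune installs
exit 1
```

Pairing the version comparison with the detection rule is what makes an upgrade package work: the old build is reported as not detected, so the new installer runs, and after it completes the same script reports success.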
Chapter 9 — Security Management
Security policies in Intune cover: BitLocker (drive encryption — configure via Endpoint Security → Disk Encryption), LAPS (local admin password solution — requires Windows 11 22H2+ and Entra join), Endpoint Protection (Defender settings, firewall rules, attack surface reduction), and Conditional Access (works in tandem with Entra ID).
Chapter 10 — Microsoft Defender for Endpoint
Defender for Endpoint (MDE) is the enterprise EDR platform. Intune is the primary onboarding method for Windows devices. Once onboarded, MDE provides: real-time threat detection, vulnerability management (Defender Vulnerability Management), automated investigation and response, and security posture scoring (Secure Score).
Chapter 11 — Important Terms
| Term | Definition |
|---|---|
| MDM | Mobile Device Management — full device management, typically for corporate-owned devices |
| MAM | Mobile Application Management — app-level policies without enrolling the device |
| IME | Intune Management Extension — the Win32 agent, runs as SYSTEM on Windows |
| OMA-URI | Open Mobile Alliance Uniform Resource Identifier — path format for custom MDM settings |
| ESP | Enrollment Status Page — OOBE screen that blocks desktop until provisioning completes |
| LAPS | Local Administrator Password Solution — auto-rotates local admin passwords, stored in Entra ID |
| AAD / Entra ID | Azure Active Directory, renamed to Microsoft Entra ID in 2023 |
| WUfB | Windows Update for Business — cloud update management integrated with Autopatch |
| Hybrid Join | Device joined to both on-premises Active Directory and Microsoft Entra ID |
| Tenant | Your organisation's dedicated instance of Microsoft Entra ID and associated services |
Chapter 12 — Intune Troubleshooting
The three places to look when something is wrong with Intune:
- IME logs (C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\) — for Win32 apps, PowerShell scripts, remediations
- Intune Admin Center → Devices → [Device] → Device configuration — policy assignment status, conflict detail
- Event Viewer → Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider — MDM channel events
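The IME logs are written in CMTrace format, which is awkward to read in a plain text editor. As an added example that is not from the original guide, this parser turns each entry into an object and filters for errors; the two log entries are constructed for the example, and the function name is this example's own.

```powershell
# Added example, not from the original guide: parse Intune Management Extension
# log entries (CMTrace format) and pull out the errors. The two sample entries
# below are constructed for this example, not copied from a real device.
$sampleLines = @(
    '<![LOG[[Win32App] Starting install for app 00000000-0000-0000-0000-000000000001]LOG]!><time="09:15:02.1234567" date="3-4-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">',
    '<![LOG[[Win32App] Installer exited with code 1618, another installation is in progress]LOG]!><time="09:17:45.7654321" date="3-4-2024" component="IntuneManagementExtension" context="" type="3" thread="12" file="">'
)

# CMTrace severity: type 1 = info, 2 = warning, 3 = error
$severityByType = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

# One regex per single-line entry: message, then the attributes that matter for triage
$entryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'

function ConvertFrom-ImeLogLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $m = [regex]::Match($Line, $entryPattern)
        if (-not $m.Success) { return }   # continuation lines of multi-line entries are skipped
        $sev = $severityByType[$m.Groups['type'].Value]
        if (-not $sev) { $sev = 'Unknown' }
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $sev
            Message   = $m.Groups['msg'].Value
        }
    }
}

# On a real device, replace $sampleLines with:
#   Get-Content 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
$sampleLines | ConvertFrom-ImeLogLine |
    Where-Object Severity -eq 'Error' |
    Format-Table Date, Time, Severity, Message -AutoSize
```

With the sample input only the second entry (type 3) is printed. On a live device the same pipeline, pointed at the log file, gives the error lines in order without scrolling through the informational chatter, and the Message column is what to search for in the Win32 app error code tables.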
Exam Relevance: MD-102
MD-102 Endpoint Administrator — what the exam tests by chapter:
- Ch 3–4: Deploy and manage devices (enrollment, restrictions, ESP)
- Ch 5: Windows Autopilot deployment profiles, self-deploying, pre-provisioning
- Ch 6: Configuration profiles, Settings Catalog, ADMX templates
- Ch 7: Compliance policies, Conditional Access integration
- Ch 8: Win32 apps, Store apps, LOB apps — assignment and detection
- Ch 9–10: BitLocker, LAPS, Defender for Endpoint onboarding
- Ch 12: Troubleshooting — IME logs, error codes, MDM diagnostics
Official References
- What is Microsoft Intune? — Microsoft Learn
- Microsoft Intune planning guide
- Windows enrollment methods — Microsoft Learn
- Win32 app management in Microsoft Intune
- Device compliance policies in Microsoft Intune
- Microsoft Defender for Endpoint with Intune
This guide was inspired by Anuradha Kumari's LinkedIn post on Microsoft Intune Complete Roadmap – From Beginner to Advanced (Chapter 0 Index) — excellent structured learning content for Intune and Azure professionals. Follow Anuradha on LinkedIn for more handwritten study notes at CloudEngineerHub.Com.