cloudconsulting.agustin

Intune Zero Trust Hardening + Troubleshooting + PowerShell

🔐

1. Enforce Device Compliance and Conditional Access

Ensure only compliant devices access corporate resources; compliance is the device signal in Zero Trust.

Intune Portal - Enforce compliance

  1. Microsoft Intune > Devices > Compliance policies > + Create policy (choose platform).
  2. Set checks: encryption, minimum OS, jailbreak/root detection, password complexity; Assign groups; Create.
  3. Monitor: Devices > Monitor > Compliance.

Entra Portal - Conditional Access

  1. Microsoft Entra ID > Security > Conditional Access > + New policy; target pilot group.
  2. Cloud apps or actions: select apps; Conditions: platforms as needed.
  3. Grant: Require device to be marked as compliant; enable report-only for pilot; Create.
🔒

2. Require Strong Authentication (MFA + Passwordless)

Reduce identity risk by combining MFA and passwordless methods.

Intune Portal - Windows Hello for Business

  1. Intune > Endpoint security > Authentication method deployment (or Profiles) > Create profile (Windows Hello for Business).
  2. Configure PIN complexity, biometrics, trust model; assign; monitor onboarding.

Entra Portal - MFA and Passwordless

  1. Entra ID > Security > Authentication methods: enable Authenticator, FIDO2, Windows Hello.
  2. Conditional Access: require MFA for high-risk scenarios; Identity Protection: configure risk policies.
🔰

3. Enforce Device Encryption and Disk Protection

Protect data at rest across device types to limit exposure if devices are lost or compromised.

Intune Portal - Enable encryption

  1. Intune > Endpoint security > Disk encryption > + Create policy (BitLocker for Windows).
  2. Configure XTS-AES, TPM settings and recovery key escrow; Assign; Monitor.

Entra Portal - Use encryption signal

  1. Entra ID > Devices > Device settings: confirm Azure AD join settings.
  2. Conditional Access: require device compliance (encryption) before access.
🧰

4. Apply Least-Privilege Administrative Roles and Privileged Access Management

Limit and protect administrative identities; reduce blast radius of compromised accounts.

Intune Portal - RBAC and scoped roles

  1. Intune > Tenant administration > Roles > All roles: assign built-in or custom roles, scope to groups and use scope tags.

Entra Portal - PIM and Just-in-Time

  1. Entra ID > Identity Governance > Privileged Identity Management (PIM): convert permanent to eligible, require MFA, enable time-bound activation.
🤖

5. Use Endpoint Detection and Response + Microsoft Defender Integration

Detect, investigate and respond to threats across endpoints; telemetry is central to Zero Trust.

Intune Portal - Onboard EDR and Defender

  1. Intune > Endpoint security > Antivirus/EDR: create policies and onboarding packages; assign to device groups; monitor status.

Entra Portal - Use EDR signals

  1. Integrate Defender for Endpoint so device risk signals flow to Intune/Entra; use Conditional Access policies based on device risk.
📦

6. Harden App Access with App Protection Policies and App Configuration

Protect corporate data inside apps (BYOD) and prevent leakage.

Intune Portal - App protection policies

  1. Intune > Apps > App protection policies > + Create policy: configure data relocation, restrict cut/copy, require PIN, managed browser rules; target apps and groups.

Entra Portal - App registration and SSO

  1. Entra ID > Enterprise applications > select app > Single sign-on; configure SAML/OIDC and user assignments.
🔁

7. Keep OS and Apps Up to Date; Automate Patch Management

Reduce the attack surface through timely, automated patching.

Intune Portal - Update rings and feature updates

  1. Intune > Devices > Windows > Update rings for Windows 10 and later > + Create profile; configure deferrals, deadlines and assign.

Entra Portal - Use update signals

  1. Use Conditional Access to require device compliance (which includes update status) before access.
🔎

8. Monitor and Audit Device Health and Compliance

Continuous verification and audit evidence are required by Zero Trust.

Intune Portal - Logs and reports

  1. Intune > Tenant administration > Audit logs; Devices > Monitor > Compliance policy; Reports > Device compliance; export for audit.

Entra Portal - Sign-in and risk logs

  1. Entra ID > Monitoring > Sign-ins; Identity Protection > Risk detections; route logs to Log Analytics/Sentinel.
🧭

9. Enforce Network Controls and Secure Perimeterless Access

Constrain resource access by network context, app and device posture.

Intune Portal - Network and VPN profiles

  1. Intune > Devices > Configuration profiles > + Create profile: create VPN (Always On/conditional tunnel), Wi-Fi and firewall profiles and deploy.

Entra Portal - Conditional Access network conditions

  1. Entra ID > Conditional Access > Conditions > Locations: define named locations (trusted IPs) and apply controls.
🤖

10. Establish Secure Enrollment, Device Identity, and Lifecycle Controls

Trust device identity from enrollment through deprovisioning; ensure secure onboarding and offboarding.

Intune Portal - Enrollment and lifecycle

  1. Intune > Devices > Enroll devices: Enrollment restrictions; Automatic enrollment (MDM user scope); Windows Autopilot profiles; Deprovision devices (Wipe/Retire).

Entra Portal - Device identity and join type

  1. Entra ID > Devices > Device settings: control who can join devices; use Device categories and Conditional Access to require join types.
🛠

11. Top 10 Intune Device Troubleshooting Examples

Common device issues and first triage steps for each; follow up with the authoritative docs or reputable community posts for the full procedures.
  1. Device fails to enroll - Triage: verify Autopilot/MDM user scope, Azure AD join, Intune license, enrollment restrictions; collect enrollment logs (dsregcmd, MDM diagnostics).
  2. Device not showing in Intune / stale inventory - Triage: force sync (Company Portal), confirm auto-enroll, check Azure AD device object and device cleanup policies.
  3. Compliance policy shows noncompliant - Triage: examine failing rule (encryption, OS version, jailbreak), force sync, remediate and re-evaluate.
  4. Conditional Access blocks expected access - Triage: check Entra sign-in logs for CA evaluation, verify policy in report-only, validate device signals and locations.
  5. App deployment fails or stuck installing - Triage: check app install status in Intune, inspect Intune Management Extension logs on device, confirm package requirements and dependencies.
  6. Windows Update / Feature update failures - Triage: review Update rings, WindowsUpdate.log, ensure diagnostic and update telemetry reaches Intune; use update troubleshooting guides.
  7. BitLocker or disk encryption issues - Triage: confirm BitLocker policy applied, validate TPM and recovery key escrow on Intune, collect client BitLocker events.
  8. Company Portal sign-in or SSO problems - Triage: clear cached accounts, check SSO configuration, review Entra sign-in logs and CA evaluation, ensure auth methods registered.
  9. Defender for Endpoint not reporting / onboarding failures - Triage: confirm integration, validate onboarding package/method, check device visibility in Defender portal and onboarding logs.
  10. Device remote actions fail (wipe/retire/remote lock) - Triage: ensure device check-in and connectivity, review action status in Intune, inspect Intune management logs and gateway connectivity.
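The first, second, fifth and eighth items above all start with the same local checks on the device. This added example (not part of the original article) parses `dsregcmd /status`, flags the usual enrollment and SSO blockers, checks for the Intune Management Extension log and collects an MDM diagnostics CAB; the output folder and the list of findings are this example's own choices. Run it in an elevated PowerShell on the affected Windows device.

```powershell
# Added triage example, not from the original article. Windows only; run elevated.
function Get-DsregState {
    # Parse 'dsregcmd /status' (or saved output passed via -Lines) into a hashtable of the fields triage needs
    param([string[]]$Lines = (dsregcmd /status))
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|DeviceId|TenantName|MdmUrl|AzureAdPrt)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-IntuneEnrollmentState {
    param(
        [hashtable]$State,
        [string]$DiagFolder = "$env:SystemDrive\Temp\IntuneTriage"   # assumed output location
    )
    $findings = New-Object System.Collections.Generic.List[string]
    # Issue 1: not Entra joined -> MDM enrollment cannot complete
    if ($State['AzureAdJoined'] -ne 'YES') { $findings.Add('Device is not Entra joined: check join type / Autopilot profile before MDM enrollment') }
    # Issues 1/2: no MDM URL means auto-enrollment never happened (MDM user scope, license, enrollment restrictions)
    if (-not $State['MdmUrl'])            { $findings.Add('No MDM enrollment URL: verify MDM user scope, Intune license and enrollment restrictions') }
    # Issue 8: without a Primary Refresh Token, Company Portal SSO and CA device checks fail
    if ($State['AzureAdPrt'] -ne 'YES')   { $findings.Add('No Primary Refresh Token: Company Portal/SSO and Conditional Access device checks will fail until the user signs in again') }
    # Issue 5: Intune Management Extension log is where app and script deployments are traced
    $imeLog = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log"
    if (-not (Test-Path $imeLog)) { $findings.Add("IME log missing at $imeLog: extension not installed, device may never have checked in") }
    # Collect MDM diagnostics (enrollment, provisioning, Autopilot) for escalation
    New-Item -ItemType Directory -Force -Path $DiagFolder | Out-Null
    MdmDiagnosticsTool.exe -area 'DeviceEnrollment;DeviceProvisioning;Autopilot' -cab "$DiagFolder\MDMDiag.cab" | Out-Null
    return [pscustomobject]@{
        DeviceId = $State['DeviceId']
        Tenant   = $State['TenantName']
        Findings = $findings
        DiagCab  = "$DiagFolder\MDMDiag.cab"
    }
}

Test-IntuneEnrollmentState -State (Get-DsregState) | Format-List
```

`Get-DsregState -Lines (Get-Content saved-status.txt)` lets you triage output a user sent you without access to the device.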
💻

12. Top 10 PowerShell Commands Every Intune Device Administrator Needs

Examples use the Microsoft Graph PowerShell SDK (Microsoft.Graph modules, *-Mg* cmdlets). Replace <device-id> with the Intune managed device id and test in a pilot tenant.
  1. Connect to Graph
    Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All","Device.Read.All"
    # The wipe, BitLocker key, Autopilot and role commands below also need DeviceManagementManagedDevices.PrivilegedOperations.All, BitLockerKey.Read.All, DeviceManagementServiceConfig.Read.All, DeviceManagementRBAC.Read.All and RoleManagement.Read.Directory
  2. List managed devices
    Get-MgDeviceManagementManagedDevice -All | Select-Object Id,DeviceName,OperatingSystem,ComplianceState,UserPrincipalName   # -All follows @odata.nextLink so large tenants are not truncated to the first page
  3. Get device details by ID
    $d = Get-MgDeviceManagementManagedDevice -ManagedDeviceId <device-id> ; $d | Format-List *
  4. Initiate remote sync
    Sync-MgDeviceManagementManagedDevice -ManagedDeviceId <device-id>   # Microsoft.Graph.DeviceManagement.Actions; POSTs managedDevices/{id}/syncDevice
  5. Trigger remote wipe
    Clear-MgDeviceManagementManagedDevice -ManagedDeviceId <device-id> -KeepEnrollmentData:$false -KeepUserData:$false   # wipe; destructive, needs DeviceManagementManagedDevices.PrivilegedOperations.All; the flags are switches, so pass :$false rather than a positional $false
  6. Retrieve BitLocker recovery keys
    # Recovery keys are not a managedDevice property; they live under informationProtection/bitlocker/recoveryKeys and are filtered by the Entra device id (managedDevice.AzureAdDeviceId), not the Intune managed device id. Reading the key itself needs BitLockerKey.Read.All and a per-key call with -BitlockerRecoveryKeyId <key-id> -Property "key"
    Get-MgInformationProtectionBitlockerRecoveryKey -Filter "deviceId eq '<entra-device-id>'" | Select-Object Id,CreatedDateTime,VolumeType
  7. Export noncompliant devices
    Get-MgDeviceManagementManagedDevice -All | Where-Object {$_.ComplianceState -ne "compliant"} | Export-Csv noncompliant-devices.csv -NoTypeInformation
  8. Upload / assign a remediation script (Intune Management Extension)
    # deviceManagement/deviceManagementScripts is a beta endpoint with no v1.0 cmdlet; create and assign scripts through Invoke-MgGraphRequest. Listing the existing scripts:
    (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts" -OutputType PSObject).value | Select-Object id,displayName,runAsAccount
  9. Get Intune role assignments (RBAC)
    Get-MgRoleManagementDirectoryRoleDefinition | Where-Object {$_.displayName -like "*Intune*"}   # Entra directory roles (e.g. Intune Administrator); RoleManagement.Read.Directory
    Get-MgRoleManagementDirectoryRoleAssignment
    Get-MgDeviceManagementRoleDefinition   # Intune RBAC roles shown under Tenant administration > Roles; DeviceManagementRBAC.Read.All
    Get-MgDeviceManagementRoleAssignment
  10. Query Autopilot device identities
    Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All | Select-Object Id,DisplayName,SerialNumber,EnrollmentState,GroupTag   # DeviceManagementServiceConfig.Read.All; the resource exposes enrollmentState, not registrationState
Notes: replace <device-id> with the managed device id; use least-privilege principals when scripting; test in a pilot tenant before production.
Tip: Pilot changes on a small group, collect logs (Intune, Entra sign-ins, Defender), and keep audit-ready exports of assignments and policy settings.
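Sections 8 and 12 describe the compliance export and audit evidence as separate one-liners. This added example (not part of the original article) combines them into one audit function: it pages through all managed devices with read-only scopes, flags noncompliant and stale devices, exports timestamped CSVs and, only when asked and under -WhatIf/-Confirm, triggers a sync on the stale ones. The 30-day stale threshold, the file names and the function name are this example's own choices; it assumes the Microsoft.Graph.DeviceManagement and Microsoft.Graph.DeviceManagement.Actions modules are installed.

```powershell
# Added audit example, not from the original article.
function Get-IntuneComplianceAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$StaleDays = 30,            # assumed threshold for "stale"
        [string]$ExportFolder = '.',
        [switch]$SyncStale               # request a sync on stale devices; honours -WhatIf
    )
    # Least privilege: the report only needs Read; ReadWrite is requested only when a sync is wanted
    $scopes = if ($SyncStale) { 'DeviceManagementManagedDevices.ReadWrite.All' } else { 'DeviceManagementManagedDevices.Read.All' }
    Connect-MgGraph -Scopes $scopes -NoWelcome | Out-Null

    # -All follows @odata.nextLink; -Property trims the payload to the fields we report on
    $devices = Get-MgDeviceManagementManagedDevice -All -Property Id,DeviceName,OperatingSystem,ComplianceState,LastSyncDateTime,IsEncrypted,UserPrincipalName,AzureAdDeviceId
    $cutoff  = (Get-Date).AddDays(-$StaleDays)

    $report = foreach ($d in $devices) {
        [pscustomobject]@{
            DeviceName      = $d.DeviceName
            OS              = $d.OperatingSystem
            ComplianceState = $d.ComplianceState
            IsEncrypted     = $d.IsEncrypted
            LastSync        = $d.LastSyncDateTime
            Stale           = ($d.LastSyncDateTime -lt $cutoff)
            User            = $d.UserPrincipalName
            ManagedDeviceId = $d.Id
            EntraDeviceId   = $d.AzureAdDeviceId   # the id BitLocker recovery key lookups are filtered by
        }
    }

    # Audit-ready, timestamped exports (section 8)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $report | Where-Object { $_.ComplianceState -ne 'compliant' } | Export-Csv (Join-Path $ExportFolder "noncompliant-$stamp.csv") -NoTypeInformation
    $report | Where-Object { $_.Stale } | Export-Csv (Join-Path $ExportFolder "stale-$stamp.csv") -NoTypeInformation

    if ($SyncStale) {
        foreach ($s in ($report | Where-Object Stale)) {
            if ($PSCmdlet.ShouldProcess($s.DeviceName, 'Sync-MgDeviceManagementManagedDevice')) {
                Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $s.ManagedDeviceId
            }
        }
    }
    # Summary per platform and compliance state for the audit trail
    $report | Group-Object OS, ComplianceState | Select-Object Count, Name | Sort-Object Count -Descending
}

# Dry run first: shows which stale devices would be synced without touching them
Get-IntuneComplianceAudit -StaleDays 30 -SyncStale -WhatIf
```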

This article was originally published on 2025-NOV-01 and last reviewed on 2025-NOV-17.