If you want the clean version: license the user, scope MDM carefully, build one test policy set, enroll one device, then pilot before broad rollout.
Microsoft Intune docs · Set up Microsoft Intune
Best rollout path: test user → test device → pilot group → wider rollout.
What you need before you start
Make sure the client already has:
- a working Microsoft 365 tenant
- at least one Intune license assigned
- a test user account
- a test device ready to enroll
- admin access to Microsoft 365 admin center and Intune admin center
If the client is on Business Premium, Intune is usually already included.
If the tenant structure is still messy, clean up users and groups first. Intune setup is much easier when the basics are clean.
Setup order
Step 1, assign the Intune license
Where: Microsoft 365 admin center
Do this:
- open Users → Active users
- open the user
- open Licenses and apps
- turn on the license that includes Intune
- click Save changes
Start with:
- one test user
- then a small pilot group later
Step 2, open Intune and confirm the tenant is ready
URL: intune.microsoft.com
Check:
- Intune opens normally
- the tenant is active
- MDM authority is set to Microsoft Intune
If this is a brand new tenant, Intune may ask you to finish setup first.
Step 3, set MDM user scope the safe way
Where: Microsoft Entra admin center
Do this:
- open Mobility (MDM and MAM)
- open Microsoft Intune
- set MDM user scope
Best starting point:
- set it to Some
- include only your test group
Do not set this to All on day one unless you are very sure the tenant is ready.
Step 4, create a test group
Where: Microsoft Entra admin center
Do this:
- open Groups
- create a Security group
- use a clear name, like:
- Intune-Test-Users
- Intune-Test-Devices
- add your test user
Use this group for:
- enrollment targeting
- app targeting
- compliance policies
- configuration profiles
Step 5, review enrollment restrictions
Where: Intune admin center
Do this:
- open Devices → Enrollment → Enrollment device platform restrictions
- review what is allowed:
- Windows
- macOS
- iOS/iPadOS
- Android
If the client is mainly Windows, keep the first rollout focused on Windows.
Step 6, configure Windows automatic enrollment
Where: Entra admin center
Do this:
- open Mobility (MDM and MAM) → Microsoft Intune
- confirm automatic MDM enrollment is enabled for the users or group you want
For a clean rollout:
- start with the test group
- leave broad assignment for later
Step 7, create one basic compliance policy
Where: Intune admin center
Do this:
- open Devices → Compliance policies
- click Create policy
- choose platform, usually Windows 10 and later
Good starter settings:
- require BitLocker
- require secure boot
- require TPM
- require antivirus
- require the device to be at or under a machine risk score, but only if Defender is already in use
Assign it to your test users or devices first.
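The same starter policy expressed as Microsoft Graph calls, added here as an example rather than taken from the Intune docs. It assumes the Microsoft.Graph PowerShell module is installed, that you replace the placeholder with the object ID of your Intune-Test-Devices group, and that $defenderInUse is only set to $true when Defender is already reporting risk for the tenant.

```powershell
# Added example: create the step 7 starter compliance policy and assign it to the test group only.
# Assumes Microsoft.Graph module installed; the group ID is a placeholder to replace.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$testGroupId   = "<OBJECT-ID-OF-Intune-Test-Devices>"   # placeholder, replace before running
$defenderInUse = $false   # $true only if Defender is already in use and reporting risk

$policy = @{
    "@odata.type"     = "#microsoft.graph.windows10CompliancePolicy"
    displayName       = "Pilot - Windows baseline"
    description       = "Starter compliance policy for the test/pilot group"
    bitLockerEnabled  = $true      # require BitLocker
    secureBootEnabled = $true      # require secure boot
    tpmRequired       = $true      # require TPM
    antivirusRequired = $true      # require antivirus
    # Graph requires at least one scheduled action; mark the device noncompliant immediately
    scheduledActionsForRule = @(@{
        ruleName = "PasswordRequired"
        scheduledActionConfigurations = @(@{
            actionType = "block"; gracePeriodHours = 0
            notificationTemplateId = ""; notificationMessageCCList = @()
        })
    })
}
if ($defenderInUse) {
    # "at or under machine risk score" only works when Defender supplies the risk score
    $policy.deviceThreatProtectionEnabled = $true
    $policy.deviceThreatProtectionRequiredSecurityLevel = "low"
}

# Invoke-MgGraphRequest serialises the hashtable to JSON for us
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body $policy -ContentType "application/json"

# Assign to the test group first; widen to the pilot group only after the test device is clean
$assignment = @{ assignments = @(@{
    target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $testGroupId }
}) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body $assignment -ContentType "application/json"
```

Keeping the policy in a script like this makes the pilot baseline reviewable and repeatable when you move from the test group to the pilot group.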
Step 8, create one basic configuration profile
Where: Intune admin center
Do this:
- open Devices → Configuration
- click Create
- choose platform
- start with one simple profile
Good first examples:
- BitLocker settings
- password policy
- device restrictions
- OneDrive Known Folder Move
- Windows Update ring
Keep the first profile small. One clean win is better than five half-tested profiles.
Step 9, add only the core apps
Where: Intune admin center
Do this:
- open Apps → All apps
- click Add
Common first apps:
- Microsoft 365 Apps
- Company Portal
- Edge
- Teams
- Defender, if used
Assign apps to the test group first.
Do not load every app right away. Start with the apps users actually need.
Step 10, enroll one test device
Where: on the test Windows PC
Do this:
- open Settings
- go to Accounts → Access work or school
- click Connect
- join with the test user account
- allow the device to enroll
If using Autopilot, that is a separate path. Manual enrollment is fine for initial testing.
Step 11, check the device in Intune
Where: Intune admin center
Check:
- open Devices → All devices
- open the test device
Confirm you can see:
- device name
- primary user
- compliance state
- last check-in time
- assigned policies
- assigned apps
If it shows up but is not compliant yet, wait a few minutes and sync again.
Step 12, run a manual sync
From the device:
- open Settings → Accounts → Access work or school
- select the connected work account
- click Info
- click Sync
From Intune:
- open the device
- click Sync
This helps when policies or apps are slow to appear.
How to know it is working
Before adding real users, confirm:
- the test user can sign in
- the device enrolled successfully
- at least one policy applied
- at least one app installed
- the device reports Compliant if expected
- there are no obvious enrollment errors
If all of that looks good, move from test group to pilot group.
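A device-side check for the items above (step 11 and this checklist), added here as an example and not part of the Intune docs. It assumes it is run in an elevated PowerShell session on the test Windows PC after enrollment; the "MS DM Server" provider ID and the Enrollments registry path are the ones Windows writes for an Intune MDM enrollment.

```powershell
# Added example: confirm on the test PC that the device is Entra-joined and enrolled in Intune.
# Run elevated; reads dsregcmd output and the MDM enrollment registry key.
function Get-DsregValue([string]$Name) {
    # dsregcmd /status prints "Key : Value" lines; return the value for one key
    $line = dsregcmd /status | Where-Object { $_ -match "^\s*$Name\s*:\s*(.+)$" } | Select-Object -First 1
    if ($line -and $line -match "^\s*$Name\s*:\s*(.+)$") { return $Matches[1].Trim() }
    return $null
}

$results = [ordered]@{}

# Either a joined or a registered device state is acceptable for a manual "Access work or school" enrollment
$joined     = (Get-DsregValue "AzureAdJoined") -eq "YES"
$registered = (Get-DsregValue "WorkplaceJoined") -eq "YES"
$results["Entra joined or registered"] = ($joined -or $registered)

# MdmUrl is only populated once the device has actually enrolled into an MDM
$mdmUrl = [string](Get-DsregValue "MdmUrl")
$results["MDM URL points at Intune"] = ($mdmUrl -like "*manage.microsoft.com*")

# Each MDM enrollment gets a GUID subkey here; Intune's ProviderID is "MS DM Server"
$enrollments = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments" -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq "MS DM Server" }
$results["Intune enrollment key present"] = [bool]$enrollments

# The Intune Management Extension is installed only once a Win32 app or script is assigned,
# so CHECK here is expected if no such app has been targeted yet (step 9 core apps may trigger it)
$ime = Get-Service -Name IntuneManagementExtension -ErrorAction SilentlyContinue
$results["IME service running"] = [bool]($ime -and $ime.Status -eq "Running")

$results.GetEnumerator() | ForEach-Object {
    "{0,-32} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "CHECK" })
}
```

Anything marked CHECK other than the IME line means the device should not yet be treated as a clean pilot candidate; run the step 12 sync and re-check before widening the rollout.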
Roll out in phases
Use this order:
- test user and test device
- small pilot group
- rest of company
Do not roll out tenant-wide until the pilot is clean.
Quick checklist
- Intune license assigned
- test user created
- test group created
- MDM scope set
- platform enrollment reviewed
- compliance policy created
- configuration profile created
- core apps added
- one test device enrolled
- sync completed
- device checked in Intune
- pilot ready
Common mistakes
- targeting all users too early
- assigning too many apps on day one
- skipping the test device
- building too many policies before enrollment is stable
- trying Autopilot first before basic Intune enrollment works
What to do next
After the basic rollout works, the next good upgrades are:
- Autopilot
- Conditional Access
- Defender integration
- Windows Update rings
- more app deployment automation
If the goal is a clean client onboarding flow, get the basic Intune foundation stable first.