Microsoft Intune ships with most Microsoft 365 Business Premium and E3/E5 licences, which means an enormous number of SMEs are already paying for it without using it properly. The ones that do use it well have a noticeably calmer security story: devices that self-configure on day one, settings that travel with the user, and a place to actually enforce the security standards that Cyber Essentials expects. The ones that turn it on badly end up with users locked out at 09:00 on a Monday and a service desk that dreads the word "Intune".
What Intune is actually for
Intune is Microsoft 365’s cloud-native mobile device management (MDM) and mobile application management (MAM) platform. It is the place where an SME’s standard build lives — the Win32 and Microsoft Store apps a workstation should have, the policies a device must comply with, the certificate and Wi-Fi profiles users should pick up automatically. Done well, you can wipe, redeploy or lock a device from a single console; done badly, you can do exactly that to a user at the worst moment.
The five configuration areas to set up first
- Windows device configuration — BitLocker, Windows Hello for Business, firewall, SmartScreen, account and lock-screen policies. One profile, applied to all corporate Windows devices.
- Compliance policies — the rules a device must meet to access corporate data. Use this to gate Exchange and SharePoint access from non-managed devices.
- App deployment — the standard Office, Edge, Teams and line-of-business apps. Required apps deployed automatically; optional apps available in the Company Portal.
- Autopilot — for new device provisioning. The user receives a laptop, signs in, and emerges minutes later with a fully configured standard build.
- Conditional access — the bridge between Intune and Microsoft Entra ID. Compliance status from Intune drives access decisions in real time.
Where SMEs typically go wrong
The two failure modes we see most often are opposite ends of the same spectrum. At one end, an over-keen IT team turns on every knob on day one and locks half the company out — restricted store access, mandatory reboots during the working day, passwordless sign-in rolled out before the helpdesk is ready. At the other end, Intune is enrolled but never enforced, so devices show "compliant" by default and the platform never actually protects anything. The right answer sits in the middle and is rolled out in deliberate phases.
A realistic 6-week rollout
- Week 1 — discovery and policy design. Audit the existing estate, agree the compliance baseline, document the standard build.
- Week 2 — pilot tenants. Build the configuration profiles in a ring, test on a small group of friendly devices, iterate on what breaks.
- Week 3 — pilot users. Enrol twenty or thirty real users from a friendly department. Measure time to set up a new laptop; measure helpdesk tickets.
- Week 4 — staged rollout, department by department. Communicate the change in advance, with clear fall-back to the old support path.
- Week 5 — tightening. Move from audit to enforce on the policies that proved safe. Expand to BYOD if required.
- Week 6 — operational handover. Document the runbooks, hand them to the service desk, and schedule a tune-up review in three months.
The ROI of doing it properly
Intune done well pays back in three places you can measure. First, time to set up a new laptop drops from half a day of engineer time to zero — Autopilot ships the standard build direct to the user. Second, security incidents drop, because the standard build includes the policies that block the common attacks. Third, Cyber Essentials and cyber-insurance questionnaires go from a half-day scramble to a green tick on the form. For an SME that has already paid for the licence through Business Premium, those are the gains that justify the project.
We deploy Intune for SMEs across Hertfordshire, Bedfordshire and London, typically sized to deliver measurable payback within the first quarter. If you have Intune licences but no clear policy, talk to us about a focused deployment engagement.


