Complete a documentation-first Intune lab demonstrating device enrollment, policy management, and troubleshooting workflows.
- Phase 1: Environment setup
- Phase 2: Create test users and groups in Entra ID
- Phase 3: Enroll Windows test device into Intune
- Phase 4: Apply compliance and configuration policies
- Phase 5: Document troubleshooting workflows
- Confirm Intune license assigned to test user
- Fix MDM enrollment (device was Entra joined but not MDM enrolled)
- Force a device sync
- Apply compliance policy (Defender requirements, NIST-aligned password rules)
- Apply configuration profile (Defender settings via Settings Catalog)
- Break → fix: BitLocker compliance error on the VM → disabled the BitLocker requirement for now (see the swtpm investigation item)
- Update documentation with troubleshooting and lessons learned
- Add screenshots to repo
- Test automated VM deployment with Autounattend.xml (documented failures and solutions)
- Verify xorriso-based ISO creation works (VM installing unattended)
- Verify OOBE completes and MDM enrollment launches (works; only a user sign-in is required)
- Remove SetupAdmin account post-enrollment (Intune script tested and working)
- Create dynamic device group for automatic policy assignment
- Add SPICE guest tools to unattended install for clipboard sharing
- Create bash script for one-command ISO build (scripts/build-iso.sh)
- Create setup-intune.ps1 to configure Intune/Entra via Microsoft Graph PowerShell (untested)
- Create bash equivalent using curl + Microsoft Graph REST API (untested)
- Test setup-intune.sh against live tenant
- Investigate BitLocker on QEMU/KVM VMs with swtpm
- What compliance policies are most relevant for demonstrating real-world scenarios?
- What configuration profiles should be applied?
- What common troubleshooting scenarios should be documented?
- M365 Business Premium Trial: M365 Developer sandbox was unavailable
- Tenant name: lyonsitlab.onmicrosoft.com
- Local QEMU/KVM VM: Chosen over Azure VM for cost efficiency
- Zammad ticketing: Using homelab Zammad instance for change management
- M365 Developer Program sandbox qualification failed; used the Business Premium trial instead
- Azure VM default pricing (~$170/mo for a D2-series VM) was too high; switched to a local QEMU/KVM VM
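The "Entra joined but not MDM enrolled" fix, the forced sync, and the first troubleshooting workflow above, as one check-and-repair script run on the device. This is an added example, not a script from the lab repo. It assumes a Windows 11 device that is already Entra joined, a user who holds an Intune license and is inside the MDM user scope (the lab's first fix), and that `EnrollmentState` 1 marks a completed enrollment (the value seen on enrolled devices, treated here as an assumption).

```powershell
#Requires -RunAsAdministrator
# Added example (not the lab's own script): diagnose "Entra joined but not MDM enrolled",
# force a sync when enrolled, or trigger auto-enrollment when not.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; keep the join-related ones.
    $status = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(AzureAdJoined|DomainJoined|DeviceId|TenantName|MdmUrl)\s*:\s*(.*)$') {
            $status[$matches[1]] = $matches[2].Trim()
        }
    }
    return $status
}

function Get-IntuneEnrollment {
    # Every MDM enrollment has a GUID key under HKLM\SOFTWARE\Microsoft\Enrollments.
    # The Intune enrollment carries ProviderID "MS DM Server"; EnrollmentState 1 is the
    # value seen on successfully enrolled devices (assumption, see lead-in).
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' -and $_.EnrollmentState -eq 1 } |
        Select-Object -First 1 PSChildName, UPN, EnrollmentType, DiscoveryServiceFullURL
}

function Start-IntuneSync {
    # The enrollment client registers tasks under \Microsoft\Windows\EnterpriseMgmt\<GUID>\;
    # PushLaunch is the on-demand sync (what "Sync" in Settings > Accounts > Access work or school runs).
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $task) { throw 'No EnterpriseMgmt\PushLaunch task: the device is not MDM enrolled.' }
    $task | Start-ScheduledTask
    Start-Sleep -Seconds 10
    $task | Get-ScheduledTaskInfo | Select-Object LastRunTime, LastTaskResult
}

function Get-RecentEnrollmentErrors {
    # The MDM client's own log; its errors explain a failed auto-enroll far better than dsregcmd.
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Level -le 2 } |     # 1 = Critical, 2 = Error
        Select-Object -First 10 TimeCreated, Id, Message
}

$ds = Get-DsregStatus
if ($ds.AzureAdJoined -ne 'YES') {
    throw "AzureAdJoined=$($ds.AzureAdJoined): fix the Entra join before touching MDM."
}
"Entra joined as device $($ds.DeviceId) in tenant $($ds.TenantName); MdmUrl='$($ds.MdmUrl)'"

$enrollment = Get-IntuneEnrollment
if ($enrollment) {
    "Intune enrollment $($enrollment.PSChildName) present for $($enrollment.UPN); forcing a sync."
    Start-IntuneSync
} else {
    # Joined but not enrolled: the lab's case. An empty MdmUrl commonly means the user was
    # unlicensed or outside the MDM user scope when the join happened, so enrollment never
    # started. Once that is fixed tenant-side, trigger auto-enrollment locally.
    'No Intune enrollment found; triggering MDM auto-enrollment with the Entra device credentials.'
    & "$env:SystemRoot\System32\deviceenroller.exe" /c /AutoEnrollMDM
    Start-Sleep -Seconds 60     # enrollment is asynchronous
    if (Get-IntuneEnrollment) {
        'Enrollment completed; run this script again to verify a sync.'
    } else {
        'Still not enrolled. Most recent MDM client errors:'
        Get-RecentEnrollmentErrors | Format-Table -AutoSize
    }
}
```

Run it in an elevated Windows PowerShell session on the test VM. If `deviceenroller.exe` returns without an enrollment appearing, the tenant-side prerequisites (license, MDM user scope) are the first thing to re-check before looking at the device again.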
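The post-enrollment cleanup of the temporary admin (the "Remove SetupAdmin account post-enrollment" step) with the checks an Intune-run script needs. This is an added example and is not the lab's `scripts/Remove-SetupAdmin.ps1`. It assumes it runs as SYSTEM from an Intune PowerShell script, that the answer file created a local administrator named `SetupAdmin`, and (an assumption the page does not state) that Winlogon AutoLogon was used to get through OOBE, which is why it also clears any leftover autologon values.

```powershell
# Added example, not the lab's scripts/Remove-SetupAdmin.ps1. Runs as SYSTEM from Intune.
$AccountName = 'SetupAdmin'
$Winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-IntuneEnrolled {
    # Only remove the fallback admin once an Intune ("MS DM Server") enrollment key exists.
    $keys = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }
    return [bool]$keys
}

function Test-LocalSessionFor {
    param([string]$Name)
    # Win32_LoggedOnUser links accounts to logon sessions. Deleting an account with a live
    # session leaves a half-removed profile behind, so refuse and let Intune retry later.
    $names = Get-CimInstance Win32_LoggedOnUser | ForEach-Object { $_.Antecedent.Name }
    return ($names -contains $Name)
}

function Remove-AutoLogonResidue {
    # AutoLogon leaves AutoAdminLogon/DefaultUserName and, if it was written there, a plaintext
    # DefaultPassword under Winlogon. A stored admin password must go even after the account does.
    $wl = Get-ItemProperty -Path $Winlogon
    Set-ItemProperty -Path $Winlogon -Name 'AutoAdminLogon' -Value '0'
    foreach ($name in 'DefaultPassword', 'AutoLogonCount') {
        Remove-ItemProperty -Path $Winlogon -Name $name -ErrorAction SilentlyContinue
    }
    if ($wl.DefaultUserName -eq $AccountName) {
        Remove-ItemProperty -Path $Winlogon -Name 'DefaultUserName' -ErrorAction SilentlyContinue
    }
}

function Remove-TempAdmin {
    param([string]$Name)
    $acct = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $acct) { return }
    # Profile first (matched by SID, which is gone once the account is deleted), then the account.
    Get-CimInstance Win32_UserProfile | Where-Object { $_.SID -eq $acct.SID.Value } | Remove-CimInstance
    Remove-LocalUser -Name $Name
}

if (-not (Test-IntuneEnrolled)) {
    Write-Output "Not enrolled yet; keeping $AccountName so the device stays reachable."
    exit 1   # non-zero: Intune records a failure and retries the script
}
if (Test-LocalSessionFor -Name $AccountName) {
    Write-Output "$AccountName still has a logon session; retry after sign-out."
    exit 1
}
Remove-TempAdmin -Name $AccountName
Remove-AutoLogonResidue

# Verification that shows up in the Intune script output.
$remaining  = @(Get-LocalUser -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $AccountName }).Count
$secretLeft = [bool](Get-ItemProperty -Path $Winlogon -Name 'DefaultPassword' -ErrorAction SilentlyContinue)
Write-Output "$AccountName accounts left: $remaining; DefaultPassword still present: $secretLeft"
exit ([int]($remaining -gt 0 -or $secretLeft))
```

The enrollment gate matters more than it looks: if the script ever ran before enrollment finished and the Entra sign-in then failed, the VM would have no usable administrator at all.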
All phases complete. Device enrolled, policies applied, troubleshooting documented.
- Windows 11 VM enrolled in Intune via Entra ID join
- Compliance policy: Defender requirements, NIST password standards
- Configuration profile: Defender settings via Settings Catalog
- Dynamic device group: Intune-Managed-Devices (auto-assigns policies)
- Autounattend.xml with VirtIO drivers and SPICE guest tools
- scripts/build-iso.sh - one-command ISO build (platform-agnostic)
- scripts/Remove-SetupAdmin.ps1 - Intune script to clean up the temp admin (tested)
- scripts/setup-intune.sh - Graph API config script (untested)
- scripts/setup-intune.ps1 - PowerShell config script (untested)
- Troubleshooting docs with screenshots
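What the (untested) setup-intune.ps1 could do for the dynamic device group, the compliance policy and its assignment, as an added example written with the Microsoft Graph PowerShell SDK. It is not the lab's script. It assumes the `Microsoft.Graph.Authentication` module, an account allowed to create groups and compliance policies, and the lab's group name; the policy display name, the membership rule, and the specific password numbers are assumptions. The BitLocker requirement is a switch defaulting to off, which is the lab's break/fix outcome on a VM without a TPM.

```powershell
# Added example of what setup-intune.ps1 could do; not the lab's (untested) script.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$Graph            = 'https://graph.microsoft.com/v1.0'
$GroupName        = 'Intune-Managed-Devices'
$PolicyName       = 'Win11 - Defender and password baseline'   # assumed name
$RequireBitLocker = $false   # lab lesson: a VM without a TPM fails BitLocker; set $true once swtpm is in place

function New-IntuneDynamicDeviceGroup {
    param([string]$Name)
    # Idempotent: reuse the group if a previous run created it.
    $filter = [uri]::EscapeDataString("displayName eq '$Name'")
    $found = Invoke-MgGraphRequest -Method GET -Uri "$Graph/groups?`$filter=$filter"
    if ($found.value.Count -gt 0) { return $found.value[0] }
    $body = @{
        displayName                   = $Name
        mailEnabled                   = $false
        mailNickname                  = ($Name -replace '[^A-Za-z0-9]', '')
        securityEnabled               = $true
        groupTypes                    = @('DynamicMembership')
        # Membership follows enrollment: Windows devices whose managementType is MDM (assumed rule).
        membershipRule                = '(device.managementType -eq "MDM") and (device.deviceOSType -eq "Windows")'
        membershipRuleProcessingState = 'On'
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/groups" -Body $body
}

function New-WindowsCompliancePolicy {
    param([string]$Name, [bool]$BitLocker)
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CompliancePolicy'
        displayName   = $Name
        description   = 'Defender running and current; NIST SP 800-63B style password rules; firewall on'
        # Defender requirements (the lab's compliance policy)
        defenderEnabled        = $true
        rtpEnabled             = $true
        antivirusRequired      = $true
        antiSpywareRequired    = $true
        signatureOutOfDate     = $true     # per the Graph property description: require up-to-date signatures
        activeFirewallRequired = $true
        # Password: SP 800-63B favours length and simple-password blocking over composition rules
        # and forced rotation, so passwordRequiredType stays deviceDefault and no expiration is set.
        passwordRequired                      = $true
        passwordMinimumLength                 = 8
        passwordBlockSimple                   = $true
        passwordRequiredType                  = 'deviceDefault'
        passwordMinutesOfInactivityBeforeLock = 15
        # The lab's break/fix: BitLocker is the setting a TPM-less VM cannot satisfy.
        bitLockerEnabled = $BitLocker
        # Graph requires at least one non-compliance action; this mirrors the portal default.
        scheduledActionsForRule = @(@{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(@{
                actionType                = 'block'
                gracePeriodHours          = 0
                notificationTemplateId    = ''
                notificationMessageCCList = @()
            })
        })
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/deviceCompliancePolicies" -Body $body
}

function Set-CompliancePolicyAssignment {
    param([string]$PolicyId, [string]$GroupId)
    $body = @{
        assignments = @(@{
            target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId }
        })
    }
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/deviceManagement/deviceCompliancePolicies/$PolicyId/assign" -Body $body
}

$group  = New-IntuneDynamicDeviceGroup -Name $GroupName
$policy = New-WindowsCompliancePolicy -Name $PolicyName -BitLocker $RequireBitLocker
Set-CompliancePolicyAssignment -PolicyId $policy.id -GroupId $group.id
"Policy '$PolicyName' ($($policy.id)) assigned to '$GroupName' ($($group.id)); BitLocker required: $RequireBitLocker"
```

Using `Invoke-MgGraphRequest` with raw JSON bodies keeps the script a direct translation of the REST calls, so the bash/curl variant listed above can send the same payloads to the same three endpoints. Group creation is idempotent; policy creation is not, so a second run creates a second policy unless a lookup by display name is added first.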