
How to Set Up Microsoft Intune for a Small Business in the UK

Microsoft Intune is the device management platform included in Microsoft 365 Business Premium. For small businesses in the UK, it is often underused - licences are already paid for but nobody has got around to setting it up. This guide walks through the full setup process for a typical SMB with 10 to 100 devices, all running Windows 10 or 11.

The end result is every device enrolled in Intune, BitLocker enabled, compliance policies in place, and apps deploying automatically. Once running it needs very little ongoing maintenance.

Licence requirement
Full Intune MDM is included in Microsoft 365 Business Premium. If you are on Business Standard or below, you will need to add an Intune licence separately. Check licence assignments before starting.

Step 1: Configure MDM Scope in Entra ID

📋 Entra ID Setup

Before any device can enrol, Intune needs to be enabled as the MDM authority. This is often already on, but it is worth checking.

Set MDM user scope to All. This allows any licensed user to enrol their device. Set MAM user scope to All as well, which covers app protection on unmanaged personal devices.

Step 2: Set Enrolment Restrictions

Enrolment Restrictions
Recommended settings for UK SMBs

  • Platforms allowed: Windows, iOS, Android
  • Maximum devices per user: 5
  • Personally owned Windows devices: Block

Step 3: Create a Compliance Policy

⚙️ Compliance

Compliance policies define what a healthy device looks like. Pair them with Conditional Access to block non-compliant devices from M365 apps.

Windows Compliance Policy
Baseline for corporate Windows devices

  • Require BitLocker: Required
  • Require Secure Boot: Required
  • Minimum OS version: 10.0.19041
  • Microsoft Defender Antimalware: Required
  • Real-time protection: Required
  • Actions for non-compliance: Mark non-compliant after 8h
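
A local pre-check for the baseline above, added here as an example and not part of the original guide: it reads the same five settings from the device itself, so you can see which ones would fail before the policy marks the device non-compliant. It assumes an elevated PowerShell session on the Windows device, and the result only approximates what Intune evaluates.

```powershell
# Added example: local pre-check against the Step 3 compliance baseline.
# Assumption: run in an elevated PowerShell session on the device itself.

$minOsVersion = [version]'10.0.19041'   # minimum OS version from the policy

# BitLocker: the OS volume must report protection as On.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$bitLockerOk = ($null -ne $osVolume) -and ($osVolume.ProtectionStatus -eq 'On')

# Secure Boot: the cmdlet throws on legacy BIOS hardware, so an error counts as a fail.
try   { $secureBootOk = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBootOk = $false }

# OS version as reported by Windows, compared as a version rather than a string.
$osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
$osOk = $osVersion -ge $minOsVersion

# Defender: antimalware service and engine enabled, and real-time protection on.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$defenderOk = ($null -ne $mp) -and $mp.AMServiceEnabled -and $mp.AntivirusEnabled
$realTimeOk = ($null -ne $mp) -and $mp.RealTimeProtectionEnabled

$results = @(
    [pscustomobject]@{ Setting = 'Require BitLocker'; Pass = $bitLockerOk
                       Detail  = "ProtectionStatus: $($osVolume.ProtectionStatus)" }
    [pscustomobject]@{ Setting = 'Require Secure Boot'; Pass = $secureBootOk
                       Detail  = "Confirm-SecureBootUEFI: $secureBootOk" }
    [pscustomobject]@{ Setting = 'Minimum OS version'; Pass = $osOk
                       Detail  = "$osVersion (minimum $minOsVersion)" }
    [pscustomobject]@{ Setting = 'Microsoft Defender Antimalware'; Pass = $defenderOk
                       Detail  = "AntivirusEnabled: $($mp.AntivirusEnabled)" }
    [pscustomobject]@{ Setting = 'Real-time protection'; Pass = $realTimeOk
                       Detail  = "RealTimeProtectionEnabled: $($mp.RealTimeProtectionEnabled)" }
)

$results | Format-Table -AutoSize

# Summarise the settings that would leave the device non-compliant.
$failed = $results | Where-Object { -not $_.Pass }
if ($failed) {
    Write-Warning ("Fails baseline: " + ($failed.Setting -join ', '))
} else {
    Write-Output 'Device meets the local baseline checks.'
}
```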

Step 4: Enrol Your Devices

💻 Enrolment

For existing Entra ID joined devices, enrolment is usually automatic once MDM scope is set to All. If not, run this on the device as admin:

PowerShell
# Force MDM enrolment on an existing Entra ID joined device
Start-Process "deviceenroller.exe" -ArgumentList "/o /d /c" -Wait
Start-Sleep -Seconds 30
Start-Process "deviceenroller.exe" -ArgumentList "/o" -Wait

For new devices, use Windows Autopilot so they enrol and configure automatically out of the box. See the Autopilot setup guide for the full process.

Step 5: Deploy Core Policies and Apps

With devices enrolled, push the essential configuration through Intune. At minimum for a UK SMB:

  • Microsoft 365 Apps - use the built-in app type so Office installs silently on all devices
  • BitLocker policy - endpoint security policy for silent encryption with key escrow to Entra ID
  • Windows Update rings - control when quality and feature updates install across your fleet
  • Defender configuration - ASR rules, real-time protection, and cloud-delivered protection
  • Microsoft LAPS - rotate local admin passwords on every device, stored in Entra ID

Verify Enrolment

Enrolled devices appear here within 15 minutes. Check the Compliance column - devices reach Compliant status after BitLocker and Defender policies apply, usually within one or two sync cycles.

Check your Secure Score after setup
A basic Intune setup with BitLocker, Defender, and compliance policies typically adds 10 to 15 points to your Microsoft Secure Score compared to a default unmanaged tenant.
Jack Davies
IT Engineer · M365 & Intune Specialist

Jack is an IT Technical Engineer based in the UK, working day-to-day with Microsoft 365, Intune, and Entra ID across a range of businesses. He holds the MS-900 certification and is studying for a BSc in Cyber Security through the Open University. Outside of work he builds and documents home lab projects, writes guides on this site, and takes on M365 consulting work for small businesses.
