Microsoft Intune admin center

Core

📊 Dashboard

💻 Devices

📦 Apps

Endpoint Security

🔐 Conditional Access

⚙️ Configuration profiles

🛡️ App protection policies

Manage

🔄 Update rings

🖊️ Enrollment restrictions

📈 Reports

👤 Users

👥 Groups

🎓 Lab Instructions & Progress

You can keep this open while working

Scenario: You are an IT admin at Contoso. Your goal is to deploy Microsoft Teams to all Windows devices, enforce BitLocker compliance, lock down access for noncompliant devices using Conditional Access, push a security configuration profile, and protect corporate data on mobile devices with an App Protection Policy. Finally, sync your test device and confirm everything applied correctly.

Your progress 0 / 14 steps complete

1

Deploy Microsoft Teams to all devices

Steps 1–3

Step 1 — Go to Apps in the left sidebar

Click 📦 Apps in the left navigation. The page title should change to "Apps ▸ All apps".

Step 2 — Open the Add app wizard and select Microsoft Teams

Click the + Add button (top right). The wizard opens.
• Step 1 (App type): Select Microsoft Store app (new) or Windows app (Win32) — either works.
• Step 2 (App info): Select the radio button next to Microsoft Teams.
Click Next to continue.

💡 If Next is greyed out, make sure you've selected an app type on Step 1 and selected Teams on Step 2.

Step 3 — Assign the app to All Intune Devices as Required

Still in the wizard on Step 3 (Assignments):
• Click the row for All Intune Devices to select it (row highlights blue).
• Select the Required radio button under Intent.
Click Next, then Add on the Review screen.

💡 The lab only accepts All Intune Devices + Required. "Test Devices" or "Available" will not complete this step.

2

Create a Windows Compliance Policy (BitLocker)

Steps 4–8

Step 4 — Navigate to Devices ▸ Compliance policies

Click 💻 Devices in the left sidebar. The page defaults to the Compliance policies tab — you should see it active. If not, click the Compliance policies tab yourself.

Step 5 — Start the wizard and choose Windows 10 and later

Click + Create policy. The wizard opens on Step 1 (Platform).
• Select the Windows 10 and later card.
Click Next.

💡 The lab requires Windows 10 and later. Selecting macOS or iOS will block progress.

Step 6 — Set Require BitLocker to Required

On Step 2 (Settings), find the Require BitLocker dropdown and change it from "Not configured" to Required. You can optionally also set Require device encryption and a Minimum OS version. Click Next.

Step 7 — Assign the policy to All Intune Devices

Step 3 (Actions) lets you set noncompliance actions — review and click Next. On Step 4 (Assignments), click the All Intune Devices row to select it (row turns blue). Click Next.

Step 8 — Review and create the compliance policy

Step 5 shows a summary. Confirm the settings look correct, then click Create. You'll be taken back to Compliance policies and the new policy will appear in the list.

3

Create a Conditional Access Policy

Step 9

Step 9 — Create a CA policy that blocks noncompliant devices

Click 🔐 Conditional Access in the sidebar, then + New policy.
• Step 1 (Name): Type any name, e.g. Require compliant device.
• Step 2 (Assignments): Leave defaults (All users, All cloud apps). Click Next.
• Step 3 (Conditions): No changes needed. Click Next.
• Step 4 (Grant): Select Require device to be marked as compliant. Click Next.
• Step 5 (Enable): Set to On to enforce immediately, or Report-only to test first. Click Create.

💡 Setting the policy to On is required to complete Step 14 (CA Enforced). You can always set it to Report-only first, then re-create with On selected.

4

Create a Configuration Profile

Step 10

Step 10 — Create a Settings Catalog profile for Windows

Click ⚙️ Configuration profiles in the sidebar, then + Create profile.
• Step 1 (Platform): Select Windows 10 and later. Click Next.
• Step 2 (Profile type): Select Settings catalog. Click Next.
• Step 3 (Settings): Enable at least one setting — e.g. set Defender Cloud-delivered protection to Enabled. Click Next.
• Step 4 (Assignments): Select All Intune Devices. Click Next.
• Step 5 (Review): Click Create.

5

Create an App Protection Policy (MAM)

Step 11

Step 11 — Create an App Protection Policy for iOS or Android

Click 🛡️ App protection policies in the sidebar, then + Create policy.
• Step 1 (Basics): Select iOS/iPadOS or Android. Click Next.
• Step 2 (Apps): Check at least one app (e.g. Microsoft Teams). Click Next.
• Step 3 (Data protection): Optionally set copy/paste to Block. Click Next.
• Step 4 (Access requirements): Optionally require a PIN. Click Next.
• Step 5 (Assignments): Select All users. Click Next.
• Step 6 (Review): Click Create.

💡 App Protection Policies protect corporate data in apps on personal phones — no device enrollment required. This is called MAM (Mobile Application Management).

6

Sync BlockShell-Laptop and verify results

Steps 12–14

Step 12 — Sync BlockShell-Laptop

Click 💻 Devices in the sidebar → click the All devices tab → click the BlockShell-Laptop row to open its detail view → click the ↻ Sync button. A toast notification will confirm the sync was requested.

💡 Sync simulates the device checking in with Intune and applying all deployed policies and apps.

Step 13 — Verify Compliant status and Teams Installed

After the sync completes, the device detail page should show:
• Compliance status: Compliant (green chip)
• Managed apps: Microsoft Teams — Installed (green chip)
Both will only appear if you completed Steps 1–8 correctly (app deployed as Required + compliance policy with BitLocker created and assigned to All Intune Devices).

Step 14 — Confirm Conditional Access is Enforced

This step completes automatically after the sync if your Conditional Access policy was created with the state set to On. Check the Dashboard — the Conditional Access KPI card should show Enabled in green. You can also navigate to 🔐 Conditional Access to confirm the policy status shows On.

💡 If this step isn't completing, go back to Conditional Access, check the policy state. If it says Report-only, you'll need to create a new policy with state set to On.

✅ Checkboxes tick automatically as you complete each step.

Create compliance policy

1 Platform 2 Settings 3 Actions 4 Assignments 5 Review

Choose the platform.

Add app

1 App type 2 App info 3 Assignments 4 Review

Choose the app type.

New Conditional Access policy

1 Name 2 Assignments 3 Conditions 4 Grant 5 Enable

Name your policy.

Create configuration profile

1 Platform 2 Profile type 3 Settings 4 Assignments 5 Review

Choose the platform.

Create app protection policy

1 Basics 2 Apps 3 Data protection 4 Access requirements 5 Assignments 6 Review

Choose the platform.

Device action