The Ultimate Guide: How to Set Up Microsoft Intune Correctly (2026)
A complete, hands-on technical step-by-step guide to a professional endpoint platform
Introduction
Microsoft Intune (formerly Microsoft Endpoint Manager) is the central platform for managing Windows workstations: compliance, security configuration and software deployment.
This guide walks through the full, correct setup from start to finish, designed as a baseline for modern Microsoft 365 environments in 2026.
Why a correct Intune setup is critical
An incorrect or incomplete Intune structure typically leads to:
- Incorrectly registered devices
- Policy conflicts (GPO vs. Intune, or overlapping Intune profiles)
- Incomplete security configuration
- Devices that never reach compliance
- Unpredictable software deployment
A correct setup delivers:
- Stable onboarding
- Consistent compliance
- Zero Trust-ready endpoints (device state usable as a Conditional Access signal)
- Central management of apps, updates and security baselines
Preparation: what must be in place BEFORE setup
📋 Requirements
- License: Microsoft 365 Business Premium / E3 + add-ons / E5
- Domain: verified in Entra ID
- Device strategy: BYOD, CYOD, COBO or corporate-owned (CORP)
- Join strategy: Entra join, hybrid join, or workgroup → Entra join
🔐 Security preparation
- Break-glass administrator accounts (cloud-only, excluded from every Conditional Access policy, credentials stored offline)
- MFA enabled
- Basic Conditional Access policies (block legacy authentication, require MFA)
- Identity protection (Entra ID Protection risk policies)
Step 1: Basic Intune configuration
1. Enrollment methods
Intune admin center → Devices → Enroll devices
Enable:
- Windows enrollment
- Automatic enrollment (MDM); the MDM/MAM user scope is stored in Entra ID under Mobility (MDM and MAM) → Microsoft Intune
- MDM user scope: All (or a pilot group first)
- MAM user scope: None (or a pilot group if MAM is used)
A device only auto-enrolls if the enrolling user is inside the MDM user scope and holds an Intune license.
2. Configure enrollment restrictions
Devices → Enrollment → Device platform restrictions
Create two policies (the default restriction applies to everyone; custom restrictions are assigned to groups and evaluated by priority):
- Standard policy
  - Allow: Windows, iOS, Android
  - Block: macOS (optional)
  - Block personally owned Windows devices unless BYOD is part of the device strategy
- Blocked policy
  - Block all unauthorized platforms and OS versions (set minimum OS versions)
3. Deployment profiles (Windows Autopilot)
Devices → Windows → Windows enrollment → Deployment profiles
- Create a Windows Autopilot profile
- Join type: Entra joined
- Deployment mode: User-driven for normal users
- User account type: Standard user (do not hand out local admin through OOBE)
- OOBE pages:
  - OneDrive backup/restore page → Skip
  - OEM registration page → Skip
  - EULA (Microsoft Software License Terms) → Hide
  - Language/region → Show (user selects)
  - Privacy settings → Hide
- Enrollment Status Page (ESP): enabled, with an ESP profile that blocks device use until the required apps and policies have been applied
Step 2: Baselines and configuration profiles
1. Security baselines (Microsoft recommended)
Endpoint security → Security baselines
Deploy:
- Security Baseline for Windows 10 and later (covers Windows 11)
- Microsoft Defender for Endpoint Security Baseline
- Microsoft Edge Baseline (optional)
Pilot each baseline on a test group first: baselines overlap with each other and with configuration profiles, and conflicting settings surface as errors in the profile reports.
2. Device configuration profiles
Devices → Configuration → Create profile (prefer the Settings catalog over the legacy templates)
Create the following standard profiles:
A. Device restrictions
- Disable consumer features (Windows Spotlight, suggested apps)
- Disable Windows tips
- Disable "Let apps run in the background"
- Disable News and Interests
- Disable Widgets
- Disable automatic installation of Microsoft Store apps
- Standard users must not be local administrators; manage the built-in local administrator with Windows LAPS (Endpoint security → Account protection)
B. Identity protection
- Credential Guard → Enabled (needs UEFI, Secure Boot and virtualization-based security; verify it is actually running, not only configured)
- LSA protection (LSASS as a protected process, RunAsPPL) → Enabled
C. Endpoint protection
- Defender Antivirus (cloud-delivered protection/MAPS, real-time scanning, tamper protection)
- Attack surface reduction (ASR) rules
- Controlled folder access (optional; audit first, it blocks legitimate apps that write into user folders)
D. Update rings for Windows 11
Devices → Windows → Update rings
Recommended:
- Automatic install
- Deadline with a 7-day grace period for quality updates
- Automatic restart outside active hours
E. Feature update policy
Pin the version (e.g. Windows 11 25H2) for 12 months.
This keeps the fleet stable and turns feature updates into a planned change rather than a surprise.
Step 3: Compliance policies
Endpoint security → Compliance policies
Create → Windows compliance policy
Recommended baseline:
- Require BitLocker
- Require Secure Boot
- Require TPM 2.0
- Require antivirus → Microsoft Defender
- Require firewall → Enabled
- (The jailbroken/rooted check exists only in the iOS/Android compliance policies, not in the Windows policy; on Windows the Device Health settings above cover this ground)
- Require code integrity
- Minimum OS version (entered as a build number, e.g. 10.0.26100 for Windows 11 24H2, not as "24H2")
Configure actions for noncompliance:
- Mark device noncompliant → after 2 days (grace period; 0 days marks the device noncompliant immediately)
- The compliance state is reported to Entra ID, and that is what Conditional Access evaluates for "require compliant device"
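The profiles in Step 2 (Identity protection, Endpoint protection) and the compliance baseline above describe a target state; the script below, an added example that is not part of the original guide, verifies on a single Windows 11 device that the state is actually in effect. It uses only built-in cmdlets and CIM classes (Confirm-SecureBootUEFI, Get-Tpm, Win32_DeviceGuard, Get-BitLockerVolume, Get-MpComputerStatus, Get-NetFirewallProfile); the minimum build number 26100 is an assumed value matching the 24H2 example above.

```powershell
# Added example, not from the original guide: verify on one Windows 11 device that the
# settings the Identity/Endpoint protection profiles and the compliance policy require are
# actually in effect. Run in an elevated PowerShell on the device. Each check returns an
# object with Pass/Fail and the raw detail behind it.
#Requires -RunAsAdministrator

function Test-EndpointPosture {
    $results = [System.Collections.Generic.List[object]]::new()
    $add = {
        param([string]$Name, [bool]$Pass, [string]$Detail)
        $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS machines, which fails the check too
    try { $sb = [bool](Confirm-SecureBootUEFI) } catch { $sb = $false }
    & $add 'Secure Boot' $sb "Confirm-SecureBootUEFI=$sb"

    # TPM present, ready for use, and spec version 2.0
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
    & $add 'TPM 2.0' ($tpm.TpmPresent -and $tpm.TpmReady -and "$spec" -like '2.0*') "SpecVersion=$spec Ready=$($tpm.TpmReady)"

    # Credential Guard: SecurityServicesRunning must contain 1 (1 = Credential Guard, 2 = HVCI).
    # "Configured" alone is not enough; a device can be configured for it but not running it.
    $dg = Get-CimInstance -Namespace root/Microsoft/Windows/DeviceGuard -ClassName Win32_DeviceGuard
    & $add 'Credential Guard running' ($dg.SecurityServicesRunning -contains 1) "Running=$($dg.SecurityServicesRunning -join ',') Configured=$($dg.SecurityServicesConfigured -join ',')"

    # LSA protection: RunAsPPL 1 = enabled, 2 = enabled with UEFI lock
    $ppl = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    & $add 'LSA protection (RunAsPPL)' ($ppl -in 1, 2) "RunAsPPL=$ppl"

    # BitLocker on the OS volume with the algorithm the disk-encryption policy asks for,
    # plus a recovery password protector (the protector that is escrowed to Entra ID)
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    & $add 'BitLocker OS drive (XTS-AES 256)' ($os.ProtectionStatus -eq 'On' -and $os.EncryptionMethod -eq 'XtsAes256') "Protection=$($os.ProtectionStatus) Method=$($os.EncryptionMethod)"
    & $add 'BitLocker recovery password protector' (@($os.KeyProtector.KeyProtectorType) -contains 'RecoveryPassword') "Protectors=$($os.KeyProtector.KeyProtectorType -join ',')"

    # Defender: real-time protection on, cloud-delivered protection (MAPS) not disabled, tamper protection on
    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference
    & $add 'Defender real-time protection' $mp.RealTimeProtectionEnabled "RealTime=$($mp.RealTimeProtectionEnabled)"
    & $add 'Defender cloud protection' ($pref.MAPSReporting -ne 0) "MAPSReporting=$($pref.MAPSReporting)"
    & $add 'Defender tamper protection' $mp.IsTamperProtected "IsTamperProtected=$($mp.IsTamperProtected)"

    # Firewall enabled on all three profiles
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    & $add 'Firewall all profiles' ($off.Count -eq 0) "Disabled profiles=$($off.Name -join ',')"

    # Minimum OS build: the compliance policy uses build numbers; 26100 = Windows 11 24H2 (assumed minimum)
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    & $add 'OS build >= 26100' ($build -ge 26100) "Build=$build"

    return $results
}

$posture = Test-EndpointPosture
$posture | Format-Table -AutoSize
if ($posture | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more checks failed: this device would be reported noncompliant or is missing baseline settings.'
}
```

Run it on a pilot device right after the first policy sync and again after a reboot; Credential Guard and LSA protection only take effect after a restart, so a device that shows "Configured" but not "Running" is the usual source of a compliance report that disagrees with the profile report.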
Step 4: Conditional Access integration
Create 3 CA policies. Start each one in report-only mode, review the impact in the sign-in log, then enable it; exclude the break-glass accounts from all three.
1. Baseline MFA for all users
- Require MFA
- Exclude: break-glass accounts
2. Require compliant device
- Users: All (exclude break-glass accounts)
- Cloud apps: All
- Grant → Require device to be marked as compliant
- Caveat: this blocks every unenrolled device, including phones, until it is enrolled or covered by a separate app-protection policy
3. Block legacy authentication
- Client apps → Exchange ActiveSync clients and Other clients
- Grant → Block
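The three policies above, created through the Microsoft Graph PowerShell SDK as an added example (not code from the original guide). It assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in account holds the Conditional Access Administrator role, and that $breakGlassIds is replaced with the real object IDs of the break-glass accounts (the GUID in the script is a placeholder). All three are created in report-only state; the policy names are assumed.

```powershell
# Added example, not from the original guide: create the Step 4 Conditional Access policies
# with the Microsoft Graph PowerShell SDK in report-only mode, so the sign-in log shows the
# impact before anything is enforced.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$breakGlassIds = @('00000000-0000-0000-0000-000000000001')   # placeholder: replace with real object IDs
$reportOnly    = 'enabledForReportingButNotEnforced'

function New-CaPolicyBody {
    param(
        [string]$Name,
        [string[]]$ClientAppTypes = @('all'),
        [string[]]$BuiltInControls
    )
    # All users, all cloud apps, break-glass always excluded. The grant operator is
    # mandatory even with a single control.
    return @{
        displayName   = $Name
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = $ClientAppTypes
        }
        grantControls = @{ operator = 'OR'; builtInControls = $BuiltInControls }
    }
}

$policies = @(
    (New-CaPolicyBody -Name 'CA001 - Require MFA for all users' -BuiltInControls @('mfa')),
    (New-CaPolicyBody -Name 'CA002 - Require compliant device'  -BuiltInControls @('compliantDevice')),
    # Legacy authentication = Exchange ActiveSync plus "other clients" (basic-auth SMTP/POP/IMAP etc.)
    (New-CaPolicyBody -Name 'CA003 - Block legacy authentication' -ClientAppTypes @('exchangeActiveSync', 'other') -BuiltInControls @('block'))
)

foreach ($body in $policies) {
    # Idempotent: never create a second policy with the same name
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($body.displayName)'"
    if ($existing) {
        Write-Host "Exists:  $($body.displayName) [$($existing.State)]"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    Write-Host "Created: $($created.DisplayName) ($($created.Id)) state=$($created.State)"
}
```

After the report-only results look right in the sign-in log, promote a policy with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled. Enable CA002 last: until devices are enrolled and compliant it denies every sign-in from them, which is exactly why it must never apply to the break-glass accounts.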
Step 5: App management (Win32, MSI, Store)
Upload Win32 apps
Apps → Windows apps → Add → Win32
Package the app with the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe), then:
Upload the .intunewin file
Specify:
- Install command:
setup.exe /silent
- Uninstall command:
uninstall.exe /silent
- Detection rules: registry / file / custom script (the rule must describe the installed state precisely; a wrong rule is the most common reason an app loops or sits in "Pending")
MSI apps
Upload directly → the MSI product code detection rule is created automatically
Store apps
Add via "Microsoft Store app (new)"
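A custom detection script for the Win32 app type above, as an added example that is not part of the original guide. Intune's contract for such scripts is: exit code 0 together with output on STDOUT means "detected"; exit 0 with no output, or any non-zero exit code, means "not detected" and the install runs. The product name, install path, registry key and minimum version below are placeholders, not a real product.

```powershell
# Added example, not from the original guide: custom detection script for a Win32 app.
# Detected   = exit 0 AND something written to STDOUT
# Not found  = exit 0 with no output, or non-zero exit code (Intune will then install)
# All names below are placeholders for illustration.
$AppExe         = 'C:\Program Files\Contoso\ContosoAgent\agent.exe'                         # placeholder
$UninstallKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContosoAgent'  # placeholder
$MinimumVersion = [version]'2.4.0.0'                                                        # placeholder

function Get-InstalledAppVersion {
    param([string]$ExePath, [string]$RegKey)

    # Prefer the Uninstall key (what the uninstall command depends on); fall back to the
    # file version of the main binary. Returns $null when neither exists.
    $reg = Get-ItemProperty -Path $RegKey -ErrorAction SilentlyContinue
    if ($reg -and $reg.DisplayVersion) {
        return [version]$reg.DisplayVersion
    }
    if (Test-Path -LiteralPath $ExePath) {
        return [version](Get-Item -LiteralPath $ExePath).VersionInfo.FileVersion
    }
    return $null
}

try {
    $found = Get-InstalledAppVersion -ExePath $AppExe -RegKey $UninstallKey
} catch {
    # A version string that does not parse (e.g. "2.4 beta") must read as "not installed",
    # not as a script error, otherwise the app is never (re)installed.
    $found = $null
}

if ($found -and $found -ge $MinimumVersion) {
    Write-Output "Detected ContosoAgent $found"   # STDOUT + exit 0 => detected
    exit 0
}
exit 1                                            # not detected => install/upgrade runs
```

Package the source folder with IntuneWinAppUtil.exe -c <source folder> -s setup.exe -o <output folder> -q, and when attaching the script set "Run script as 32-bit process on 64-bit clients" to No so that the 64-bit registry view and Program Files path above are the ones inspected.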
Step 6: Autopilot device registration
Manual upload:
- Run on the device: export the hardware hash to a CSV file
- Upload in Intune: Devices → Windows → Windows enrollment → Devices → Import
OEM / partner
Use the Autopilot deployment service API (Graph) or the OEM portal so that devices are registered before they ship.
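The manual hardware-hash export referred to above, as an added example that is not part of the original guide. It relies on the Get-WindowsAutopilotInfo script from the PowerShell Gallery; the output folder and the group tag are placeholders, and the script assumes the device can reach the Gallery (run it from an elevated prompt, for instance Shift+F10 during OOBE).

```powershell
# Added example, not from the original guide: export this device's hardware hash for manual
# Autopilot registration, then sanity-check the CSV before it is imported in Intune.
$OutFolder = 'C:\HWID'        # placeholder
$GroupTag  = 'CORP-STD'       # placeholder; should match the rule of the Autopilot dynamic device group
$CsvPath   = Join-Path $OutFolder 'AutopilotHWID.csv'

New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

# Installing a Gallery script needs the NuGet provider and a permissive execution policy
# for this process only (nothing is changed machine-wide).
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Install-Script -Name Get-WindowsAutopilotInfo -Force

# Offline export: the CSV is imported under Devices > Windows > Windows enrollment > Devices > Import.
# (-Online would upload straight to the Autopilot service via Graph after an interactive sign-in.)
Get-WindowsAutopilotInfo -OutputFile $CsvPath -GroupTag $GroupTag

function Test-AutopilotCsv {
    param([string]$Path)
    # Exactly one row, and its serial number must be the serial of the machine we are on;
    # a mismatch usually means the export ran inside a VM or the wrong device.
    $rows   = @(Import-Csv -Path $Path)
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    if ($rows.Count -ne 1) { throw "Expected 1 row in $Path, found $($rows.Count)" }
    if ($rows[0].'Device Serial Number' -ne $serial) { throw "CSV serial $($rows[0].'Device Serial Number') does not match BIOS serial $serial" }
    if ([string]::IsNullOrWhiteSpace($rows[0].'Hardware Hash')) { throw 'Hardware hash column is empty' }
    return $rows[0]
}

$row = Test-AutopilotCsv -Path $CsvPath
Write-Host "Exported hardware hash for serial $($row.'Device Serial Number') (group tag $GroupTag) to $CsvPath"
```

Keep the group tag consistent with the dynamic group that the Autopilot deployment profile is assigned to, otherwise the device registers but never receives the profile and falls through to a plain OOBE.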
Step 7: Endpoint security
Endpoint security → Firewall
- Enable the Domain, Private and Public profiles
- Default inbound action: block; define inbound rules only for the services that need them
Endpoint security → Attack surface reduction
ASR rules (roll out in Audit mode first, review the audit events, then switch to Block):
- The Office rules: block all Office applications from creating child processes, block Office applications from creating executable content, block Win32 API calls from Office macros (macros themselves are disabled by Office policy, not by ASR)
- Block process creations originating from PSExec and WMI commands (known to conflict with the Configuration Manager client; verify other management tooling before enforcing)
- Block executable content from email client and webmail
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Endpoint security → Disk encryption
- BitLocker with XTS-AES 256 (only volumes encrypted after the policy arrives get the new algorithm; an already-encrypted drive keeps its algorithm until it is decrypted and re-encrypted)
- Back up the recovery key to Entra ID (require the backup before BitLocker is enabled)
- Startup authentication → TPM only for normal users; this is what allows silent encryption without user interaction, since a startup PIN cannot be set silently
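The audit-then-enforce rollout of the ASR rules above, as an added example that is not part of the original guide. It is meant for a pilot device or for validating what the Intune ASR profile actually delivered: the Intune policy stays the source of truth and overrides local Set-MpPreference/Add-MpPreference changes at the next policy sync. The GUIDs are the documented Defender ASR rule IDs; the rule selection mirrors the list above.

```powershell
# Added example, not from the original guide: stage the Step 7 ASR rules in Audit mode,
# read back the effective state, and (after reviewing audit events) promote them to Block.
# Run elevated. On an Intune-managed device the ASR profile overrides these local changes.
$AsrRules = [ordered]@{
    'Block all Office applications from creating child processes'                              = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office applications from creating executable content'                               = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block Win32 API calls from Office macros'                                                  = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
    'Block process creations originating from PSExec and WMI commands'                         = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block executable content from email client and webmail'                                   = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
}

# Defender stores the per-rule action as a number: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrRuleMode {
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled', 'Warn')][string]$Mode)
    foreach ($id in $AsrRules.Values) {
        # Add-MpPreference updates a rule that is already listed instead of duplicating it
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)       # may be empty on a fresh device
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($name in $AsrRules.Keys) {
        $id = $AsrRules[$name]
        $action = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $id) { $action = $ActionName[[int]$acts[$i]]; break }   # GUID casing varies
        }
        [pscustomobject]@{ Rule = $name; Id = $id; Action = $action }
    }
}

# Phase 1: audit. Audit hits are event ID 1122 in "Microsoft-Windows-Windows Defender/Operational"
# (blocks are 1121); review them for false positives before enforcing.
Set-AsrRuleMode -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# Phase 2, once the audit log is clean:
# Set-AsrRuleMode -Mode Enabled
```

Compare the Get-AsrRuleState output with the "Attack surface reduction rules" report in Intune after a sync: a rule that is Block locally but Audit in the report means the device has not yet received the enforcing profile version.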
Step 8: Monitoring and operations
Device actions
Remote:
- Wipe
- Fresh Start
- Sync
- Restart
- Autopilot Reset
Monitoring
Reports → Devices → hardware / compliance / configuration / update status
Log collection
- Use Collect diagnostics on the device object; it returns the MDM diagnostics report plus the Intune Management Extension logs
- Endpoint analytics enabled
Common errors and fixes
❌ Devices not compliant
→ Conflicting ASR/baseline settings, or no BitLocker policy reaching the device
→ Collect diagnostics, then read the MDM diagnostics report (MDMDiagReport) and the DeviceManagement-Enterprise-Diagnostics-Provider event log
❌ Autopilot "0x80180014"
→ The device is not allowed by the enrollment restrictions (platform, OS version or personal-device block); also verify that the user is in the MDM user scope
❌ Win32 app stuck in "Pending"
→ Wrong detection rule, or missing dependencies/requirements
❌ Policy conflicts
→ Consolidate the Device restrictions profiles
→ Use the Settings catalog instead of the older templates
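For the "Devices not compliant" and "Win32 app stuck in Pending" cases above, and the log collection step in Step 8, the script below gathers the same evidence from the device itself. It is an added example, not part of the original guide: MdmDiagnosticsTool.exe ships with Windows and produces the MDM diagnostics cab; the output folder, the 24-hour window and the log search patterns are assumptions.

```powershell
# Added example, not from the original guide: collect MDM diagnostics on the device and
# surface the two log sources that explain most compliance and Win32 app failures.
# Run elevated. The output folder is a placeholder.
$Out = 'C:\Temp\MdmDiag'
$Cab = Join-Path $Out 'MdmDiagReport.cab'
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Built-in diagnostic areas; the list is quoted so PowerShell does not read ';' as a statement separator
& "$env:WINDIR\System32\MdmDiagnosticsTool.exe" -area 'Autopilot;DeviceEnrollment;DeviceProvisioning;TPM' -cab $Cab
if (-not (Test-Path $Cab)) { Write-Warning "MdmDiagnosticsTool did not produce $Cab" }

function Get-MdmErrors {
    # The MDM client writes enrollment, policy and compliance results to this channel; level 2 = Error
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = {
            $m = $_.Message -replace '\s+', ' '
            if ($m.Length -gt 200) { $m.Substring(0, 200) } else { $m }
        } }
}

function Get-ImeAppLogTail {
    # Win32 app download, detection and install results live in the IME logs, not in the event log
    param([int]$Lines = 30)
    $logDir = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
    Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in 'IntuneManagementExtension.log', 'AppWorkload.log' } |
        ForEach-Object { Select-String -Path $_.FullName -Pattern 'detection|exit code|Pending' } |
        Select-Object -Last $Lines -ExpandProperty Line
}

Get-MdmErrors | Format-Table -AutoSize -Wrap
Get-ImeAppLogTail
Write-Host "Diagnostics written to $Out; attach the cab and the IME logs folder when opening a case."
```

The MdmDiagReport cab also contains the rendered MDMDiagReport.html, whose "Managed policies" section lists every CSP value the device actually received; comparing that with the Intune profile is the fastest way to spot a conflicting setting that the compliance report only describes as "Error".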