Skip to content

47-Day Certificates Are Coming. Are You Ready?

Act Now →

Intune Best Guided Scenarios

Best guided scenarios of MS Intune

A guided scenario is a customized series of steps in the Microsoft Intune admin center that deploys one complete, end-to-end management use case, creating every required policy, application, group, and assignment in a single workflow.

Microsoft Intune guided scenarios are prebuilt workflows in the Intune admin center that configure a complete use case, such as securing Office mobile apps or deploying Microsoft Edge, in one pass. Each scenario checks admin permissions, requests a minimum set of inputs, and then creates all required policies, apps, groups, and assignments automatically.

Key Takeaways

  • Microsoft Intune ships five guided scenarios: Secure Office apps for mobile, Deploy Edge for mobile, Set up a test device to try out cloud management, Deploy Windows in cloud configuration, and Windows 365 Boot.
  • All guided scenarios are located in the Microsoft Intune admin center under Troubleshooting + support > Guided scenarios.
  • If a guided scenario fails during deployment, Intune reverts every change, so a failed run leaves no orphaned policies or groups in the tenant.
  • Resources created by a guided scenario are standard Intune resources; all future editing, monitoring, and retirement happens in the normal policy, app, and profile workloads.
  • Guided scenarios omit scoping features such as scope tags and exclusion groups, so review assignments before running one in a production tenant.

How Guided Scenarios Work

Every guided scenario follows the same four-stage flow: an introduction, a permissions check, a short configuration step, and a review-and-deploy summary. The introduction page explains the scenario’s purpose and prerequisites, then Intune verifies that your account holds the Intune role permissions the scenario requires. Once the checks pass, the scenario asks for a minimum set of inputs, typically a resource name prefix, a few settings, and the Microsoft Entra groups to target, while hiding uncommon or advanced options. A summary page then lists every setting and resource the scenario will create. Nothing is saved until you deploy, and if deployment hits an error, Intune reverts all changes (Microsoft Learn: Guided scenarios overview).

The Five Guided Scenarios in Intune

Microsoft Intune currently offers five guided scenarios, each targeting a distinct deployment goal.

Guided scenarioWhat it deploysPlatforms
Secure Office apps for mobileAn app protection policy that encrypts work files, requires an access PIN, blocks device backups, allows work files to be saved only to OneDrive and SharePoint, and blocks jailbroken or rooted devicesiOS/iPadOS, Android
Deploy Edge for mobileMicrosoft Edge app assignment with managed favorites, a homepage shortcut, and dual identity for separate work and personal browsingiOS/iPadOS, Android
Set up a test device to try out cloud managementSecurity groups and Intune-recommended settings for a supplied test user and Windows device, with Microsoft 365 Apps and optional Microsoft Defender for Endpoint and Windows AutopilotWindows
Deploy Windows in cloud configurationEnrollment, compliance, security baseline, and OneDrive Known Folder Move policies that turn a Windows device into a cloud-optimized endpointWindows
Windows 365 BootConfiguration that lets users sign in on a physical device and boot directly into their Windows 365 Cloud PCWindows 11 Pro or Enterprise

Two of the scenarios carry specifics worth knowing before you run them. Secure Office apps for mobile requires the user to reset their PIN after five failed attempts and blocks access to work files if the device stays offline for 720 minutes (Microsoft Learn: Secure Microsoft Office mobile apps). Deploy Edge for mobile can take up to 12 hours for the app configuration to reach the Microsoft Edge app on enrolled devices (Microsoft Learn: Deploy Microsoft Edge for mobile).

The test device scenario requires an Intune license for the test user, included in Microsoft 365 Business Premium, E3, and E5 (Microsoft Learn: Cloud-managed modern desktop). Windows 365 Boot requires Windows 365 Cloud PC licenses for the users involved.

What Guided Scenarios Can and Cannot Do

Guided scenarios create resources; they never edit, monitor, or retire them.

A guided scenario is not a separate management space. Intune does not save a ‘guided scenario’ resource type or track changes to the resources after deployment. Every policy, app, group, and assignment a scenario creates appears in its respective workload, where all options, including those the scenario omitted, remain editable. Guided scenarios also skip scoping features: scope tags, exclusion groups, and virtual group assignments are left out, and every created resource inherits the scope tags of the admin who ran the scenario.

Microsoft may update a guided scenario over time, but an update only affects new deployments; Intune never retroactively changes resources a scenario already generated. In short: a guided scenario builds the configuration once, and the standard Intune workloads own it from then on.

When to Use a Guided Scenario

Use a guided scenario when you need a proven end-to-end configuration quickly; use manual configuration when you need scoping control from the first policy.

Guided scenarios suit first deployments, pilots, and small IT teams that want Microsoft’s recommended settings without assembling five or six policies by hand. In larger production tenants with delegated administration, the missing scope tags and exclusion groups matter, so experienced admins often run the scenario in a test tenant first or adjust assignments immediately after deployment. Whichever path you choose, pair the resulting compliance and app protection policies with Microsoft Entra Conditional Access so that only compliant devices or protected apps reach corporate data.

How Encryption Consulting Helps

Encryption Consulting’s PKI Services design and implement Microsoft PKI that integrates with Intune, so the devices you enroll through guided scenarios can receive certificates for Wi-Fi, VPN, and passwordless sign-in with Windows Hello for Business. Our team handles CA architecture, SCEP and PKCS certificate deployment profiles, and certificate lifecycle automation across your Intune-managed fleet. Backed by ISO/IEC 27001:2022 and SOC 2 certified practices.

Frequently Asked Questions

What is a guided scenario in Microsoft Intune?

A guided scenario is a prebuilt workflow in the Microsoft Intune admin center that configures one complete use case from start to finish. It verifies your admin permissions, asks for a minimum set of inputs, and then automatically creates the policies, apps, groups, and assignments the scenario needs. Microsoft currently ships five guided scenarios, covering mobile app protection, Microsoft Edge deployment, cloud-managed test devices, Windows cloud configuration, and Windows 365 Boot.

Where do I find guided scenarios in the Intune admin center?

All guided scenarios are in the Microsoft Intune admin center under Troubleshooting + support and then Guided scenarios. Each scenario opens with an introduction page that explains its purpose, lists prerequisites, and checks that your account holds the Intune role permissions the scenario requires. If a permission check fails, the scenario will not let you proceed until the missing rights are granted.

Can I edit or delete the resources a guided scenario creates?

Yes, but not from the guided scenario itself. Every policy, app, group, and assignment a guided scenario creates is a standard Intune resource that appears in its normal workload, such as Compliance policies or App protection policies. All editing, monitoring, and retirement happens there. Guided scenarios cannot modify, monitor, or delete existing resources, and Intune does not track a guided scenario as a resource type after deployment.

Do Intune guided scenarios require extra licensing?

The guided scenarios feature is included with a Microsoft Intune Plan 1 license, which is part of suites such as Microsoft 365 E3, E5, and Business Premium. Individual scenarios can carry their own requirements. The cloud-managed test device scenario needs an Intune license for the test user, and Windows 365 Boot requires Windows 365 Cloud PC licenses for the users and devices involved.

What happens if a guided scenario fails during deployment?

Intune reverts every change the scenario made. Guided scenarios deploy as a single transaction, so a failure part-way through does not leave orphaned policies or half-assigned groups in your tenant. You can correct the issue, such as a missing permission or prerequisite, and run the scenario again. Successful deployments are permanent and must be managed through the standard Intune workloads afterward.

Put Certificates Behind Your Intune Deployment

Enrolled devices are only half the story; certificate-based authentication is what makes them trusted. Explore PKI-as-a-Service, or talk to an Encryption Consulting PKI advisor about integrating certificate deployment with your Intune tenant.