Intune management for UK manufacturers: what good actually looks like
Microsoft Intune is the default device-management tool in most manufacturing IT estates, but the rollouts that pay back look very different from the ones that quietly stall. Here's what separates them on a UK plant floor.
Most UK manufacturers already own Microsoft Intune. It comes bundled with Microsoft 365 Business Premium and most E3/E5 licences, so by the time the conversation about device management starts, the licence is usually sitting unused in the tenant. The question is rarely whether to use Intune. It's whether the rollout will be the kind that quietly pays back, or the kind that gets paused after six months and blamed on the tool.
Manufacturing has a few things going on that other sectors don't, and they change what a sensible Intune deployment looks like. Shared shop-floor devices, a thin or non-existent on-site IT presence, ageing Windows estates on production lines, and a real cost to downtime that office-based businesses don't feel in the same way. None of that is a reason to avoid Intune. It is a reason to roll it out with the plant in mind, not the head office.
Why manufacturers under-use what they already own
The pattern we see in audits is consistent. Office laptops are partially enrolled, often through a quick win after a cyber insurance question. Shop-floor devices, shared tablets in the warehouse, scanning handhelds, kiosks and line-side PCs are usually outside Intune entirely, managed by hand or by whichever supplier installed them. Phones are a mix, with a few directors enrolled and everyone else on personal devices with company email leaking through.
Behind that is a real constraint. Manufacturing IT teams are small: one internal manager, maybe one engineer, often a managed service partner doing the day-to-day. There is no team of endpoint engineers waiting to write 200 Intune policies. So the rollout stalls at the easy bits, and the awkward ones (the shared device on bay 4 that nobody owns) get left.
What good looks like for a UK manufacturer
Good Intune rollouts on a plant share four traits. First, they treat shared devices as a first-class category, not an afterthought. A line-side PC used by every shift gets shared device mode, kiosk policies, automatic sign-out and an app set scoped to what production actually needs. It does not get a personal Office profile and three browsers.
Second, they integrate with Autopilot for any new laptop, so the IT manager stops building machines on a workbench in the corner of the office. A replacement laptop for an estimator can be drop-shipped to a home address and be production-ready in under an hour, with the right apps, VPN profile and security baseline.
Third, they use compliance policies as the gate to company data, not as a reporting exercise. A device that drifts out of compliance (an out-of-date OS, missing disk encryption, a disabled antivirus) loses access to email and SharePoint until it's fixed. Conditional Access in Entra ID is the other half of this and the two should be designed together.
Fourth, they handle BYOD (Bring Your Own Device) on personal phones with MAM (mobile application management) rather than full enrolment. Staff get Outlook and Teams on their own phones without IT taking control of the device, and the company data can be wiped if the person leaves. This single decision removes most of the political friction around mobile.
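One way to wire the third and fourth traits into Conditional Access, as an added example that is not from the original article: two policies created through the Microsoft Graph PowerShell SDK, one requiring an Intune-compliant device on Windows and macOS, the other requiring an app protection (MAM) policy on personal phones. The display names, the helper function and the break-glass group placeholder are assumptions; both policies start in report-only mode so sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example, not the article's own code.
# Requires the Microsoft.Graph.Identity.SignIns module.

# Placeholder: object ID of an Entra ID group holding emergency-access accounts,
# excluded so a policy mistake cannot lock every administrator out.
$BreakGlassGroupId = '<break-glass-group-object-id>'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Hypothetical helper: builds one policy body for the Office 365 app group
# (Exchange Online, SharePoint, Teams) scoped to the given device platforms.
function New-ExamplePolicyBody {
    param(
        [string]   $DisplayName,
        [string[]] $Platforms,
        [string]   $GrantControl
    )
    @{
        displayName   = $DisplayName
        # Report-only: evaluated and logged at sign-in, never blocks.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('Office365') }
            platforms      = @{ includePlatforms = $Platforms }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @($GrantControl) }
    }
}

$policies = @(
    # Laptops and line-side PCs: access only from a device Intune marks compliant.
    (New-ExamplePolicyBody -DisplayName 'EXAMPLE - Require compliant device (Windows/macOS)' `
        -Platforms @('windows', 'macOS') -GrantControl 'compliantDevice'),
    # Personal phones: no enrolment, but the app must carry an app protection policy.
    (New-ExamplePolicyBody -DisplayName 'EXAMPLE - Require app protection policy (iOS/Android)' `
        -Platforms @('iOS', 'android') -GrantControl 'compliantApplication')
)

foreach ($body in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    '{0} -> {1} ({2})' -f $created.DisplayName, $created.Id, $created.State
}
```

Switching `state` to `enabled` is the point at which a non-compliant device actually loses access, so do it only after the report-only results match the compliance view in Intune.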
The OT line, and why Intune stops there
Intune is for IT devices: the laptops, tablets, phones and shared PCs that run on your corporate network. It is not for the kit that actually controls production. PLCs, HMIs, SCADA panels and the engineering workstations that program them should sit on a segmented OT network and be managed by the people who understand the safety implications of pushing an update to them.
A good Intune deployment in manufacturing actually makes the OT/IT segmentation cleaner, not messier. Once corporate devices are reliably compliant and identifiable, network rules between the IT VLAN and the OT VLAN get easier to write and defend. Auditors and insurers start asking for evidence of this split, and Intune is a useful part of the answer for the IT side.
The cost question
Intune licences cost in the region of £6 per user per month standalone, or are included free in Microsoft 365 Business Premium (around £18.10 per user per month) and the E3/E5 enterprise plans. For most UK manufacturers under 300 staff, Business Premium is the right answer and it brings Defender for Business, Azure AD Premium P1 and a lot of the security tooling alongside Intune.
The real cost of getting Intune right is not the licence. It is the time to design policies that fit the way the plant runs, to enrol the existing devices without breaking them, and to write a small set of runbooks so the help desk can act on alerts. Budget for that work explicitly, two to four weeks of focused engineering time for most SME manufacturers, and the rollout pays back inside a year on reduced downtime, faster onboarding and a much shorter cyber insurance questionnaire.
Questions worth asking a prospective partner
If you're scoping Intune work with a partner, the questions that separate the good ones from the rest are practical. How, specifically, will they handle shared devices on the production floor? How do they plan to enrol existing laptops without resetting them? What's their pattern for Autopilot with a remote workforce? How do they wire Intune compliance into Conditional Access? What does their handover and runbook look like once it's live, and who actually runs it day to day?
If the answers come back as slide-deck promises rather than concrete patterns the engineer has done before, keep looking. Intune is mature enough now that a partner who works in manufacturing should have opinionated, repeatable answers to all of this.
Tell us how many sites, how many shop-floor devices and which Microsoft 365 plan you're on. We'll introduce you to a UK partner who already supports manufacturers and won't treat your plant like an office.