Short answer: Intune doesn't get configured because it's nobody's specific job. It ships bundled into licensing most small businesses already pay for, so there's no purchase decision, no project kickoff, and no obvious owner — it just quietly sits there enabled, doing almost nothing, until something forces the issue.
How the gap actually forms
Nobody sets out to leave Intune unconfigured. It happens in stages, and by the time anyone notices, it looks less like a mistake and more like just how things are:
- It arrives bundled, not purchased. Business Premium, E3, and E5 all include Intune by default (see which plans actually include it). There's no line-item decision that forces someone to evaluate it, so it never gets scheduled as a project the way a new phone system or accounting software would.
- Whoever handles "IT" usually isn't an MDM specialist. For most small businesses, IT is one generalist person, or a part-time contractor, or the owner. Mobile device management is a genuinely deep, specific skill set — Conditional Access policy design in particular is easy to get wrong in ways that aren't obvious until they cause a problem.
- Default enrollment prompts get ignored. Without compliance policy actually enforcing anything, a device can sit "enrolled" in name only — checked in, but not actually meeting any real standard.
- It works well enough, until it doesn't. Laptops still turn on. Email still syncs. There's no visible symptom of an unconfigured environment — until a device is lost, an audit happens, or a security review asks a question nobody can answer.
"Enabled" and "configured" are different things
This is the distinction that trips people up, because both states look identical from the outside — a device shows up in the admin console either way.
- Enabled means the licensing includes Intune and the tenant technically has MDM authority. That's it.
- Configured means there are actual compliance policies devices have to meet, Conditional Access tying data access to that compliance, standardized enrollment so every device — Windows, iOS, Android, macOS — is set up the same way, and documentation so the setup doesn't live in one person's head.
A business can be fully licensed and 0% configured. That's the normal starting point, not the exception.
What the gap is quietly costing you
None of this shows up as an obvious problem day-to-day, which is exactly why it persists. But the exposure is real:
- No enforcement, no protection. Without compliance policy, an unpatched or unencrypted device is indistinguishable from a properly maintained one — until it's the one that gets compromised.
- No second gate on access. Without Conditional Access, a stolen password is often the only thing standing between an attacker and company data.
- No audit trail. If a client, insurer, or compliance framework ever asks how devices are managed, "we have Intune" isn't an answer — a documented policy is.
- No continuity. Whatever partial configuration exists usually lives in one person's head. If that person leaves, the organization doesn't just lose convenience — it loses the ability to understand its own environment.
How to find out where you actually stand
Before spending anything, it's worth knowing what's actually configured versus what just looks configured. The free Intune Readiness Assessment takes about two minutes and gives you a 0–100 maturity score based on your current setup, licensing, and security posture — no email spam, no sales call required to see it.