In the previous post, Microsoft Intune for SCCM Admins Part 1, I covered the basic tips for learning Microsoft Intune for SCCM admins.
This series includes a Windows device management perspective for Intune admin. iOS, Android, and macOS management with Intune is another beast altogether.
Microsoft learned from their SCCM experience and tried to avoid bottleneck scenarios with Intune device management. One example is using Azure Active Directory Groups for deployments. We all know that collections (collection evaluations) can create many performance issues for your SCCM infrastructure.
Intune and Azure AD don’t provide custom options for evaluating Azure AD group members. If I understand correctly, all the AAD group evaluation scenarios are managed in the background.
This kind of evaluation restriction can improve the performance of the Intune device management platform. However, some questions exist about how fast Intune can deploy an app/policy.
Devices Node
SCCM Devices (\Assets and Compliance\Overview\Devices) node hosts all the discovered devices in SCCM.
The device node in the SCCM console can help you view and manage the devices with the SCCM client (controlled) and without the SCCM client (unmanaged).
So, some of the devices in this node might not be managed by SCCM.
The Devices blade in the Intune portal is similar to the SCCM devices node. The device’s blade in the Intune portal has the following options.
Most of the following nodes are one-time setup-and-forget nodes. You might also need to check the device’s node in some Intune troubleshooting scenarios.
- All devices – Intune (MDM) managed devices in this node, similar to the Devices node in SCCM.
- Azure AD devices—This node displays all the devices in Azure AD, similar to All Computer objects from the on-premises Active Directory.
- Intune Monitoring options are given below.
- Device actions
- Audit logs
- Following Setup options are available
Applications Packages Management
Application/package management (installation/removal of applications) is one of the main reasons most organizations use SCCM.
Intune application management differs from SCCM application management (\Software Library\Overview\Application Management).
When you create a package or application in SCCM (most scenarios), all the activities are done on-premises, and you probably don’t need internet connectivity.
Hence the creation of the package/application is pretty quick.
When Intune was released, support for application deployment scenarios was very limited.
The main focus of application deployment was to support cloud-based scenarios like Store Apps and simple MSI apps. However, the Win 32 app support in Intune helped IT pros to cover more deployment scenarios.
I recommend reading Microsoft documentation on Intune App management to get more details.
Intune application creation process is different (of course, cloud), and it could take more time. The main reason for the delay is the upload requirements of the source file to the cloud. It would help to wait until the application source is uploaded to Azure cloud storage.
NOTE! The total amount of Intune cloud storage space is unlimited when you have a full subscription. The maximum allowed file size (for a single file) in Intune is 8 GB (for Windows LOB apps). When you use the trial version of Intune, the total cloud storage limit is 2 GB.
In the previous post, SCCM admins part 1; Windows Intune management is based on a built-in Windows 10 MDM client agent.
The Windows 10 MDM client agent cannot support complex deployment scenarios for Win32 applications. Because of this limited capability, Intune application management is mostly powered by another client agent called Intune Management Extension.
The Intune application model is not as powerful as SCCM at the moment, but it’s improving with each release.
More details are available on the Windows App (Win32).
Software Updates with Intune
Software updates are another popular framework in SCCM. SCCM uses WSUS in the background to patch Windows devices.
- WSUS ensures that all the patches are available in the SCCM console. For more information, refer to the SCCM patching video guide.
- The patching of Windows devices (on the client side) is managed with the Windows Update Agent(WUA)/Service Stack Update(SSU).
As SCCM admins, don’t expect to list all the patches in the Intune console. You won’t be able to see any patches in the Intune portal. You can’t select particular patches and deploy them via Intune. Also, you don’t expect (as SCCM admin) third-party patching from Intune.
NOTE! – Do you foresee network issues with patches coming down from the Internet to thousands of Windows machines using Software Update for Business? Microsoft Intune provides Windows 10 Delivery Optimization options to handle network bandwidth issues.
Intune patching (Windows updates—Windows 10 Update Rings) is entirely based on the Windows Update for Business mechanism. You don’t need WSUS for Intune patching to work. It is straightforward and less complex than SCCM patching.
Intune has an option to create Windows 10 Update Rings. You can create a ring for Windows 10 quality (monthly patches) and feature updates (Windows 10 version upgrades).
Windows 10 Servicing configuration is also part of – Intune – Software – Windows Update Rings configuration– Feature Updates.
Intune gives only two options while creating Windows 10 Update rings update settings and user experience settings. Following are the two main sections to control Windows patching behavior via Intune.
- Update Settings – Choose Deferral period (days), Servicing channel, etc.
- User Experience setting – Automatic update behavior, Block user from pausing Windows updates, etc…
More details – Manage software updates in Intune & How to Setup Windows 10 Software Update Policy Rings
Office 365 ProPlus Management with Intune
SCCM provides options to install office 365 pro plus client and Office 365 updates from \Software Library\Overview\Office 365 Client Management\Office 365 Updates.
I would recommend reading the details about Office 365 pro plus updates.
Intune helps to install & update Office 365 pro plus clients from the Internet. However, SCCM still uses DP (in most of the scenarios) to install & update the Office 365 Pro Plus client.
Office 365 is one of the Intune app types for Windows 10 devices. Intune Office 365 ProPlus client deployment is part of the Client Apps blade.
You can manage Office 365 client installation and update options from Microsoft Intune – Client Apps – Apps – Add Apps – App Suite Settings.
NOTE 2 – The only difference is, again the content source. Intune content comes directly from the Cloud. And you might need to invest in Windows Delivery Optimization for large-scale deployments. However, SCCM uses local DP as a source location for Office 365 ProPlus client installations and updates.
Deploy Scripts with Intune
Since SCCM 2007, you can deploy scripts to SCCM-managed Windows devices using the packages option. The SCCM 1706 version added a new workflow to upload scripts and deploy them directly from collections. This method of deploying PowerShell scripts gives SCCM admins loads of power.
Intune Script deployment capabilities are slightly different because the built-in Windows 10 MDM client agent has limited capabilities. Let’s examine the details below.
Intune can not deploy PowerShell scripts to Windows 10 devices via the built-in MDM client agent.
So, similar to Win32 application deployment, Microsoft has taken a “workaround” solution to build an additional client agent called “Intune Management Extension.”
This management extension client agent shall help Intune deploy PowerShell scripts and complex Win32 applications to Windows 10 clients.
Are you wondering how this client agent gets installed on Intune-managed Windows 10 devices? I would recommend reading Microsoft documentation on Intune PowerShell script deployment.
You can upload a PowerShell script to Intune using Device Configuration (Microsoft Intune – Device configuration – PowerShell scripts – Add PowerShell Script) workload.
Interestingly, it’s not part of the Client Apps workload in Intune. Hence, Microsoft recommends using the PowerShell script only for deploying advanced configurations on Windows 10 devices.
NOTE! – The PowerShell file must be less than 200KB. The maximum supported size of the PowerShell script in Intune is 200 KB.
To be Continued – Microsoft Intune for SCCM Admins
Let’s continue with the remaining & more interesting topics in the Microsoft Intune for SCCM admins part 3.
Great Learning Resources for Intune
SCCM is great, and it’s not going to die as per Microsoft. But don’t abandon Intune learning. I strongly recommend going through Intune learning process.
What to Learn Intune? Great Resource Around you! (1) LinkedIn Learning Courses for Microsoft Intune, (2) Learning How to Learn SCCM Intune Azure, (3) Learn Intune Beginners Guide MDM MAM MIM, (4) Microsoft Intune for SCCM Admins Part 1
Resources
- Microsoft Intune for SCCM Admins Part 1
- Microsoft Intune Beginners Learning Guide
- Learning How to Learn SCCM Intune Azure
We are on WhatsApp. To get the latest step-by-step guides and news updates, Join our Channel. Click here –HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc