In post 1, I covered the basic tips to start learning Microsoft Intune for SCCM admins. As mentioned in the previous post, this series takes a Windows device management perspective for Intune admins. iOS, Android, and macOS management with Intune is another beast altogether.
Learned from SCCM Experience
Microsoft learned from their SCCM experience and tried to avoid some bottleneck scenarios with Intune device management. One example is using Azure Active Directory Groups for deployments. We all know that the collections (collection evaluations) can create many performance issues for your SCCM infrastructure.
Intune and Azure AD don’t provide any custom options for evaluating Azure AD group membership. If I understand correctly, all the AAD group evaluation scenarios are managed in the background. This kind of evaluation restriction can improve the performance of the Intune device management platform. But there are some questions to be asked about how fast Intune can deploy an app or policy.
The SCCM Devices node (\Assets and Compliance\Overview\Devices) hosts all the discovered devices in SCCM. The Devices node in the SCCM console helps you view and manage devices with the SCCM client (managed) and without the SCCM client (unmanaged). So, some of the devices in this node might not be managed by SCCM at all.
The Devices blade in the Intune portal is similar to the SCCM Devices node. The Devices blade in the Intune portal has the following options.
Most of the following nodes are one-time setup & forget nodes. You might also need to check the Devices node in some Intune troubleshooting scenarios.
- All devices – Intune (MDM) managed devices are listed in this node. Similar to the Devices node in SCCM.
- Azure AD devices – All the devices in Azure AD will be displayed in this node. Similar to All Computers objects from on-premises Active Directory.
- Intune Monitoring options are given below
  - Device actions
  - Audit logs
- Following Setup options are available
Applications Packages Management
Application/package management (installation/removal of applications) is one of the main reasons that most organizations use SCCM. Intune application management is a bit different from SCCM application management (\Software Library\Overview\Application Management).
When you create a package or application in SCCM, in most scenarios all the activities are done on-premises, and most probably you don’t need any internet connectivity. Hence the creation of the package/application is pretty quick.
When Intune was released, support for application deployment scenarios was very limited. The main focus of application deployment was to support cloud-based scenarios like Store Apps and simple MSI apps. But the Win32 app support in Intune helped IT pros to cover more deployment scenarios.
I would recommend reading Microsoft documentation on Intune App management to get more details.
The Intune application creation process is different (of course, it is cloud-based), and it could take more time. The main reason for the delay is the requirement to upload the source file to the cloud. You need to wait until the application source is uploaded to Azure cloud storage.
NOTE! – There is no limit on the total amount of Intune cloud storage space when you have a FULL subscription. The maximum allowed file size (for a single file) in Intune is 8 GB (for Windows LOB apps). When you use the trial version of Intune, the total cloud storage limit is 2 GB.
As I mentioned in the previous post (SCCM admins part 1), Windows management with Intune is based on the built-in Windows 10 MDM client agent. The Windows 10 MDM client agent has limited capability to support complex deployment scenarios for Win32 applications.
Because of this limited capability, Intune application management is mostly powered by another client agent called the Intune Management Extension. The Intune application model is not as powerful as SCCM's at the moment. But it’s getting improved with every release.
More details available on the Windows App (Win32) here.
Software Updates with Intune
Software updates are another popular framework in SCCM. SCCM uses WSUS in the background to patch Windows devices. WSUS makes sure that all the patches are available in the SCCM console. You can refer to SCCM patching video guide here.
The patching of Windows devices (on the client side) is managed with the Windows Update Agent (WUA)/Servicing Stack Update (SSU).
As an SCCM admin, don’t expect to see a list of all the patches in the Intune console. You won’t be able to see any patches in the Intune portal. You can’t select particular patches and deploy them via Intune. Also, don’t expect (as an SCCM admin) third-party patching from Intune.
NOTE! – Do you foresee network issues with patches coming down from the Internet to thousands of Windows machines using Software Update for Business? Microsoft Intune provides options to use Windows 10 Delivery Optimization to handle network bandwidth issues.
Intune patching (Windows updates – Windows 10 Update Rings) is entirely based on the Windows Update for Business mechanism. You don’t need WSUS for Intune patching to work. Intune patching is straightforward and less complex than SCCM patching.
Intune has an option to create Windows 10 Update Rings. You can create a ring for Windows 10 quality updates (monthly patches) and feature updates (Windows 10 version upgrades).
Windows 10 Servicing configuration is also part of – Intune – Software – Windows Update Rings configuration– Feature Updates.
Intune gives only two sets of options while creating Windows 10 Update Rings: update settings and user experience settings. These are the two main sections that control Windows patching behavior via Intune.
- Update Settings – Choose Deferral period (days), Servicing channel, etc.
- User Experience setting – Automatic update behavior, Block user from pausing Windows updates, etc.
Office 365 ProPlus Management with Intune
SCCM provides options to install the Office 365 ProPlus client and Office 365 updates from \Software Library\Overview\Office 365 Client Management\Office 365 Updates. I would recommend reading the details about Office 365 ProPlus updates.
Intune helps to install & update the Office 365 ProPlus client from the internet. However, SCCM still uses a DP (in most scenarios) to install & update the Office 365 ProPlus client.
Office 365 is one of the Intune app types for Windows 10 devices. Intune Office 365 ProPlus client deployment is part of the Client Apps blade. You can manage Office 365 client installation & update options from Microsoft Intune – Client Apps – Apps – Add Apps – App Suite Settings.
NOTE 1 – Intune also provides all the options (you can use either Configuration Designer or XML) to create an Office 365 ProPlus client install application, similar to SCCM. More details about Intune Office 365 ProPlus deployment are here.
NOTE 2 – The only difference is again the content source. Intune content comes directly from the cloud, and you might need to invest in Windows Delivery Optimization for large-scale deployments. However, SCCM uses a local DP as the source location for Office 365 ProPlus client installations and updates.
Deploy Scripts with Intune
You have been able to deploy scripts to SCCM managed Windows devices since the SCCM 2007 days using the packages option. SCCM version 1706 added a new workflow to upload scripts and deploy them directly to collections. This method of deploying PowerShell scripts gives loads of power to SCCM admins.
Intune script deployment capabilities are a bit different because of the limited capabilities of the built-in Windows 10 MDM client agent. Let’s check out more details below.
Intune cannot deploy PowerShell scripts to Windows 10 devices via the built-in MDM client agent. So, similar to Win32 application deployment, Microsoft has taken a “workaround” solution and built an additional client agent called “Intune Management Extension.”
This management extension client agent helps Intune deploy PowerShell scripts and complex Win32 applications to Windows 10 clients. Are you wondering how this client agent gets installed on Intune managed Windows 10 devices? I would recommend reading Microsoft documentation on Intune PowerShell script deployment.
You can upload a PowerShell script to Intune using the Device Configuration workload (Microsoft Intune – Device configuration – PowerShell scripts – Add PowerShell Script). Interestingly, it’s not part of the Client Apps workload in Intune. Hence, Microsoft’s recommendation is to use PowerShell scripts only for deploying advanced configurations to Windows 10 devices.
NOTE! – The PowerShell script file must be less than 200 KB; that is the maximum script size Intune supports.
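A pre-upload check for a script intended for the Intune PowerShell scripts workload, as an added example (not code from this post or from Microsoft). `Test-IntuneScriptCandidate` is a hypothetical helper name, the 200 KB limit is taken as 200 × 1024 bytes, and the Authenticode status is an extra informational field that the post does not discuss.

```powershell
# Added example: pre-upload checks for a script destined for Intune.
# Test-IntuneScriptCandidate is a hypothetical helper, not an Intune cmdlet.
function Test-IntuneScriptCandidate {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Limit stated in the post; assumes 1 KB = 1024 bytes.
        [long]$MaxBytes = 200KB
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Parse without executing, so syntax errors surface before deployment.
    $tokens = $null
    $parseErrors = $null
    [void][System.Management.Automation.Language.Parser]::ParseFile(
        $file.FullName, [ref]$tokens, [ref]$parseErrors)

    # Signature status is informational (Valid, NotSigned, HashMismatch, ...).
    $signature = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        Path            = $file.FullName
        SizeBytes       = $file.Length
        UnderSizeLimit  = $file.Length -lt $MaxBytes
        SyntaxErrors    = @($parseErrors | ForEach-Object {
                              "line $($_.Extent.StartLineNumber): $($_.Message)" })
        SignatureStatus = $signature.Status
        ReadyToUpload   = ($file.Length -lt $MaxBytes) -and ($parseErrors.Count -eq 0)
    }
}

# Constructed sample inputs: one small valid script, one padded past the limit.
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'intune-script-check'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$small = Join-Path $dir 'Set-Config.ps1'
Set-Content -LiteralPath $small -Value 'Write-Output "configured"'

$large = Join-Path $dir 'Too-Large.ps1'
Set-Content -LiteralPath $large -Value ('# ' + ('x' * 250KB))

Test-IntuneScriptCandidate -Path $small
Test-IntuneScriptCandidate -Path $large
```

The script is only parsed, never executed, so the check can run on an admin workstation against scripts that have not been reviewed yet.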
To be Continued – Microsoft Intune for SCCM admins
Let’s continue with the remaining & more interesting topics in Microsoft Intune for SCCM admins part 3.
Great Learning Resources for Intune
SCCM is great, and it’s not going to die as per Microsoft. But don’t stay away from learning Intune. I would strongly recommend going through the Intune learning process.
Want to learn Intune? Great resources are around you! (1) LinkedIn Learning Courses for Microsoft Intune, (2) Learning How to Learn SCCM Intune Azure, (3) Learn Intune Beginners Guide MDM MAM MIM, (4) Microsoft Intune for SCCM Admins Part 1
- Microsoft Intune for SCCM Admins Part 1
- Microsoft Intune Beginners Learning Guide
- Learning How to Learn SCCM Intune Azure