Let us learn Microsoft Intune for SCCM Admins Part 1. I’m hoping to give a fair bit about Microsoft Intune for SCCM admins.
I don’t want to make this post very long. Hence planning to divide it into multiple posts. I will cover the basics in the first part of Intune for SCCM admins.
NOTE! – This post is from an SCCM Admin (Windows Device Management) perspective. You might have a different perspective, depending on your job role.
Great Learning
SCCM is great, and it will not die as per Microsoft. But, don’t go away from Intune learning. I would strongly recommend going through Intune learning process.
What to Learn Intune? Great Resource Around you! (1) LinkedIn Learning Courses for Microsoft Intune, (2) Learning How to Learn SCCM Intune Azure, (3) Learn Intune Beginners Guide MDM MAM MIM, (4) Microsoft Intune for SCCM Admins Part 1
What is Microsoft Intune for SCCM Admins?
Intune can perform most of the functionalities of SCCM. As per Microsoft, Microsoft Intune is built on modern modular cloud components.
This solution decoupled the monolith services from development, deployment, and maintenance perspectives.
Intune is ready-to-use SaaS (Software-As-A-Service) solution for device management from Microsoft
Microsoft Intune is an Enterprise Mobility Management (EMM) solution from Microsoft. Microsoft Intune helps manage all flavors of devices (Windows, iOS, Android, and macOS).
This solution helps to deliver network settings and other device management settings.
Microsoft Intune combines Device, Application, Information Protection, Endpoint Protection (antivirus software), Security, and Configuration policy management solution.
Intune Servers & Management?
Microsoft handles intune Servers and management of those servers. Microsoft Intune is a Software As A Service (SaaS) solution from Microsoft. Following are some of the useful points with Intune from some of the organization’s perspectives.
- There is no Servers requirement to install Intune (Purchase EMS or Microsoft 365 license and start using it) – Managed by Microsoft.
- Maintenance of Servers is not required to update Intune to the latest version – Managed by Microsoft.
- Intune Web Console access anytime, anywhere – Managed by Internal IT (Intune Admin)
- Intune admin won’t be able to check and edit Intune Database, unlike SCCM Database – Managed by Microsoft.
- Intune Admin doesn’t have an option to go back to the previous Intune version –
- Perform Intune Server-side troubleshooting – Managed by Microsoft
Intune Infra Administration
As I mentioned above, Intune server infra is managed by Microsoft as this solution is SaaS. As an SCCM admin, all infra admin tasks are located in the Administration workspace. The logical view of Microsoft Intune for SCCM Admins.
There are very few or no server admin tasks for Intune admins. However, you might still need to install connectors and global policies before starting Intune deployment.
Most of these activities are one-time activities. You can just set up Intune and forget.
You might need to configure the following components from an Infra administration perspective.
- Windows Automatic Enrollment Setup (Mobility (MDM and MAM))
- Apple Enrollment Setup
- Android Enrollment Setup
- Certificate Connectors Setup
- TeamViewer Setup
- Device cleanup rules (Optional – Similar to SCCM Maintenance Tasks)
- Windows Autopilot Setup
- Enrollment Restriction Rules Setup
- Intune Roles (RBAC) Setup
Discovery of User, Groups, & Devices
SCCM can discover the resources from the network (Active Directory or Azure Active AD, or Network discovery) and install clients on those devices. For Intune, you don’t have to do this type of configuration.
Intune is tightly integrated with Azure Active Directory, and Intune blade will have all the Device, User, and Group resources available for you to use without doing any discovery configurations.
NOTE! – Microsoft Intune Setup steps are explained in HTMD Intune Free Training.
Client Installation & Upgrade
SCCM client installation and enrollment methods are different from Intune enrollment options.
Unlike SCCM, Intune doesn’t have any separate client component. Intune manages Windows devices by built-in MDM client agent component of Windows 10 or Windows 11 Operating System. So, there is no need to Install Intune client on Windows 10 devices.
NOTE! – Intune Supports only Client operating systems. Intune does NOT support Windows Server Operating systems. You won’t be able to manage servers with Intune.
NOTE! – Intune Company Portal is an end-user application for Microsoft Intune. This app can be installed as Intune client component on a Windows 10 device.
Two main Intune Enrollment Options are explained in the following blog posts. More details are available in my Intune Learning post. Also, Intune enrollment can be done via Microsoft Autopilot (Windows Autopilot).
- Windows 10 Intune Enrollment Process BYOD Scenario
- Windows 10 Azure AD Join Manual Process – CYOD
- Windows 10 Intune Enrollment with Company Portal
NOTE 1 – No, there is nothing called Intune Client upgrade for Windows devices. Intune is using Windows 10 MDM component for management. So, the MDM component will get updated with Windows 10 updates.
NOTE 2 – Intune also uses Intune Management Extension agent for Win32 App deployment. The installation & Update of this Intune Management Extension agent is handled automatically in 99% of the scenarios.
Collections & Groups
SCCM collections are used to group the resources which you want to manage. There is no collection concept in Microsoft Intune.
Intune uses Azure AD User & Device groups in the place of collections. So, you can create the following type of groups in Azure AD and deploy applications and policies to those Azure AD groups.
- Assigned/Static User AAD Groups
- Assigned/Static Device AAD Groups
- Dynamic User AAD Groups
- Dynamic Device AAD Groups
NOTE! – Many years (I feel like) before even Intune had their own separate Intune Groups, and they removed Intune Groups as part of Azure Intune portal migration from Intune Silverlight portal.
Configuration Items & Compliance Policies
SCCM CI (Configuration Items), Baselines, Compliance Policies, and others are available in Microsoft Intune. The following details would be helpful in Microsoft Intune for the SCCM admin’s context.
In the Intune portal, you can create similar policies (as mentioned above) from Device Compliance, Device Configuration, and Device Security nodes.
NOTE! – I will continue more settings and details in upcoming posts (Microsoft Intune for SCCM Admins Part 2). So, in this post, I covered the SCCM Administration, Assets & Compliance Workspace.
Hi. Can I use Microsoft Intune for patching with updates Windows servers that are physical servers non-domain joined ?
You can not deploy and manage SERVER OSes with Microsoft Intune!!
But SCCM does it? Or there is any software develop by Microsoft that does manage physical non-domain joined Windows servers?
Yes SCCM does server patching. But Intune doesn’t support server management. on prem server patching via Azure is one other stuff you can check https://docs.microsoft.com/en-us/azure/automation/automation-update-management
sorry for replying back. i am still in confusion. I know SCCM requires AD integration. so my question is, can I use SCCM (which is part of an AD domain) to do server patching for physical NON-domain servers (servers that belong to WORKGROUP) ?
Yes. You can use sccm to patch workgroup or DMZ servers
Is your second part of this in tune story out yet?
It’s coming out in couple of weeks
Link to Part 2 article:
https://www.anoopcnair.com/microsoft-intune-for-sccm-admins-part-2/
I like to understand the backend flow (at the server level) what will happen when we enroll devices, add applications, create a policy in Intune Console. This is not about Push notification and how complete MDM flow occurs.
I want to know activities that occur only at the server level.