I’m hoping to give SCCM admins a fair idea of Microsoft Intune. I don’t want to make this post very long, so I plan to divide it into multiple posts. In this first part of Intune for SCCM admins, I will cover the basics.
NOTE! – This post is from an SCCM Admin (Windows Device Management) perspective. You might have a different perspective, depending on your job role.
Great Learning
SCCM is great, and according to Microsoft it’s not going to die. But don’t stay away from learning Intune. I strongly recommend going through the Intune learning process.
Want to learn Intune? There are great resources around you: (1) LinkedIn Learning Courses for Microsoft Intune, (2) Learning How to Learn SCCM Intune Azure, (3) Learn Intune Beginners Guide MDM MAM MIM, (4) Microsoft Intune for SCCM Admins Part 1
What is Microsoft Intune for SCCM Admins?
Intune can perform most of the functions of SCCM. As per Microsoft, Microsoft Intune is built on modern, modular cloud components. The solution decouples its services from the monolith from the development, deployment, and maintenance perspectives.
Intune is a ready-to-use SaaS (Software-as-a-Service) solution for device management from Microsoft.
Microsoft Intune is an Enterprise Mobility Management (EMM) solution from Microsoft. It helps to manage all flavors of devices (Windows, iOS, Android, and macOS) and to deliver network settings and other device management settings.
Microsoft Intune combines Device, Application, Information Protection, Endpoint Protection (antivirus software), Security, and Configuration policy management in one solution.
Intune Servers & Management?
Microsoft handles the Intune servers and the management of those servers. Microsoft Intune is a Software-as-a-Service (SaaS) solution from Microsoft. The following points about Intune are useful from some organizations’ perspective.
- There is no server requirement to install Intune (purchase an EMS or Microsoft 365 license and start using it) – Managed by Microsoft
- Server maintenance is not required to update Intune to the latest version – Managed by Microsoft
- Intune Web Console access anytime anywhere – Managed by Internal IT (Intune Admin)
- Intune admin won’t be able to check and edit Intune Database unlike SCCM Database – Managed by Microsoft
- Intune admins don’t have any option to go back to a previous Intune version –
- Perform Intune Server side troubleshooting – Managed by Microsoft
Intune Infra Administration
As I mentioned above, the Intune server infrastructure is managed by Microsoft because the solution is SaaS. For an SCCM admin, all infra admin tasks are located in the Administration workspace. The logical view of Microsoft Intune for SCCM Admins.
There are very few or no server admin tasks for Intune admins. However, you might still need to install connectors and set up global policies before starting an Intune deployment. Most of these are one-time activities. You can just set up Intune and forget.
You might need to configure the following components from an Infra administration perspective.
- Windows Automatic Enrollment Setup (Mobility (MDM and MAM))
- Apple Enrollment Setup
- Android Enrollment Setup
- Certificate Connectors Setup
- TeamViewer Setup
- Device cleanup rules (Optional – Similar to SCCM Maintenance Tasks)
- Windows Autopilot Setup
- Enrollment Restriction Rules Setup
- Intune Roles (RBAC) Setup
Discovery of User, Groups, & Devices
SCCM can discover resources from the network (Active Directory, Azure AD, or Network discovery) and install clients on those devices. For Intune, you don’t have to do this type of configuration.
Intune is tightly integrated with Azure Active Directory, and the Intune blade has all the Device, User, and Group resources available for you to use without any discovery configuration.
NOTE! – Microsoft Intune Setup steps explained in Microsoft Docs.
Client Installation & Upgrade
SCCM client installation and enrollment methods are different from Intune enrollment options.
Unlike SCCM, Intune doesn’t have a separate client component. Intune manages Windows devices through the built-in MDM client agent component of the Windows 10 operating system. So, there is no need to install an Intune client on Windows 10 devices.
NOTE! – Intune supports only client operating systems. Windows Server operating systems are NOT supported by Intune. You won’t be able to manage servers with Intune.
NOTE! – Intune Company Portal is the end-user application for Microsoft Intune. This app can be installed as an Intune client component on a Windows 10 device.
Two main Intune Enrollment Options are explained in the following blog posts. More details are available in my Intune Learning post. Also, Intune enrollment can be done via Microsoft Autopilot (Windows Autopilot).
- Windows 10 Intune Enrollment Process BYOD Scenario
- Windows 10 Azure AD Join Manual Process – CYOD
- Windows 10 Intune Enrollment with Company Portal
NOTE 1 – No, there is nothing called an Intune client upgrade for Windows devices. Intune uses the Windows 10 MDM component for management. So, the MDM component gets updated with Windows 10 updates.
NOTE 2 – Intune also uses the Intune Management Extension agent for Win32 app deployment. The installation and update of this Intune Management Extension agent is handled automatically in 99% of the scenarios.
Collections & Groups
SCCM collections are used to group the resources which you want to manage. There is no collection concept in Microsoft Intune.
Intune uses Azure AD User & Device groups in the place of collections. So, you can create the following type of groups in Azure AD and deploy applications and policies to those Azure AD groups.
- Assigned/Static User AAD Groups
- Assigned/Static Device AAD Groups
- Dynamic User AAD Groups
- Dynamic Device AAD Groups
NOTE! – Many years ago (it feels like), Intune had its own separate Intune Groups. They were removed as part of the migration from the Intune Silverlight portal to the Azure Intune portal.
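The collection-to-group mapping described above can be scripted. This is an added example, not part of the original post: it assumes the Microsoft Graph PowerShell module is installed, the tenant is licensed for dynamic groups, and the group names are made up for illustration.

```powershell
# Added example: Azure AD groups standing in for SCCM collections.
# Group names are hypothetical; requires the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

function New-GroupIfMissing {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $MembershipRule   # omit for an Assigned (static) group
    )
    # Reuse an existing group so reruns do not create duplicates.
    # Single quotes are doubled to keep the OData filter well-formed.
    $safeName = $DisplayName -replace "'", "''"
    $existing = Get-MgGroup -Filter "displayName eq '$safeName'" -Top 1
    if ($existing) { return $existing }

    $params = @{
        DisplayName     = $DisplayName
        MailEnabled     = $false
        MailNickname    = ($DisplayName -replace '[^A-Za-z0-9]', '')
        SecurityEnabled = $true
    }
    if ($MembershipRule) {
        # Dynamic group: membership is evaluated by Azure AD from the rule.
        $params.GroupTypes                    = @('DynamicMembership')
        $params.MembershipRule                = $MembershipRule
        $params.MembershipRuleProcessingState = 'On'
    }
    New-MgGroup @params
}

# Assigned device group: comparable to a direct-membership collection.
New-GroupIfMissing -DisplayName 'Pilot-Devices-Assigned'

# Dynamic device group: comparable to a query-based collection.
$rule = '(device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company")'
New-GroupIfMissing -DisplayName 'Corp-Windows-Devices-Dynamic' -MembershipRule $rule
```

Apps and policies are then assigned to these groups in the Intune portal, the same way a deployment targets a collection in SCCM.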
Configuration Items & Compliance Policies
SCCM CI (Configuration Items), Baselines, Compliance Policies, and others are available in Microsoft Intune. The following details would be helpful in Microsoft Intune for SCCM admins context.
In the Intune portal, you can create similar policies (as mentioned above) from Device Compliance, Device Configuration, and Device Security nodes.
NOTE! – I will continue more settings and other details in upcoming posts (Microsoft Intune for SCCM Admins Part 2). So, in this post, I covered the SCCM Administration, Assets & Compliance Workspace.
Hi. Can I use Microsoft Intune for patching with updates Windows servers that are physical servers, non-domain joined?
You cannot deploy and manage SERVER OSes with Microsoft Intune!!
But SCCM does it? Or is there any software developed by Microsoft that does manage physical non-domain joined Windows servers?
Yes, SCCM does server patching. But Intune doesn’t support server management. On-prem server patching via Azure is one other thing you can check: https://docs.microsoft.com/en-us/azure/automation/automation-update-management
Sorry for replying back. I am still in confusion. I know SCCM requires AD integration. So my question is, can I use SCCM (which is part of an AD domain) to do server patching for physical NON-domain servers (servers that belong to WORKGROUP)?
Yes. You can use SCCM to patch workgroup or DMZ servers.
Is your second part of this Intune story out yet?
It’s coming out in a couple of weeks.