Microsoft Intune for SCCM Admins Part 2

In post 1, I covered basic tips for SCCM admins who are starting to learn Microsoft Intune.

As mentioned in the previous post, this series takes a Windows device management perspective for Intune admins.

iOS, Android, and macOS management with Intune is another beast altogether.

Learned from SCCM Experience

Microsoft learned from their SCCM experience and tried to avoid bottleneck scenarios with Intune device management.

One example is using Azure Active Directory Groups for deployments. We all know that the collections (collection evaluations) can create many performance issues for your SCCM infrastructure.

Intune and Azure AD don’t provide custom options for evaluating the Azure AD group members. All the AAD group evaluation scenarios are managed in the background, if I understand correctly.

This kind of evaluation restriction can improve the performance of the Intune device management platform. But there are some questions about how fast Intune can deploy an app/policy.

SCCM Collection Evaluation Vs. AAD Group – Microsoft Intune for SCCM admins part 2

Devices Node

The SCCM Devices (\Assets and Compliance\Overview\Devices) node hosts all the discovered devices in SCCM.

The device node in the SCCM console can help you view and manage the devices with SCCM client (controlled) and without SCCM client (unmanaged).

So, some of the devices in this node might not be managed by SCCM.

SCCM Devices Node – Microsoft Intune for SCCM admins part 2

The Devices blade in the Intune portal is similar to the SCCM Devices node. The Devices blade in the Intune portal has the following options.

Most of the following nodes are one-time setup & forget nodes. You might also need to check the Devices node in some Intune troubleshooting scenarios.

  • All devices – Intune (MDM) managed devices are listed in this node. Similar to the Devices node in SCCM.
  • Azure AD devices – All the devices in Azure AD will be displayed in this node. Similar to All Computer objects from on-premises Active Directory.
  • Intune Monitoring options are given below.
    • Device actions
    • Audit logs
  • Following Setup options are available

Intune Devices Node – Microsoft Intune for SCCM admins part 2

Applications Packages Management

Application/package management (installation/removal of applications) is one of the main reasons most organizations use SCCM.

Intune application management is different from SCCM application management (\Software Library\Overview\Application Management).

When you create a package or application in SCCM, in most scenarios all the activities are done on-premises, and most probably you don’t need any internet connectivity.

Hence the creation of the package/application is pretty quick.

SCCM Application/Package Management – Microsoft Intune for SCCM admins part 2

When Intune was first released, support for application deployment scenarios was very limited.

The main focus of application deployment was to support cloud-based scenarios like Store Apps and simple MSI apps.

But the Win32 app support in Intune helped IT pros cover more deployment scenarios.

I recommend reading Microsoft documentation on Intune App management to get more details.

The Intune application creation process is different (of course, cloud), and it could take more time. The main reason for the delay is the requirement to upload the source file to the cloud.

You need to wait until the application source is uploaded to Azure cloud storage.

NOTE! – There is no limit on the total amount of Intune cloud storage space when you have a FULL subscription. The maximum allowed file size (for a single file) in Intune is 8 GB (for Windows LOB apps). When you use the trial version of Intune, the total cloud storage limit is 2 GB.

As covered in the previous post (SCCM admins part 1), Windows management with Intune is based on the built-in Windows 10 MDM client agent.

The Windows 10 MDM client agent has limited capability to support complex deployment scenarios for Win32 applications.

Because of this limited capability, Intune application management is mostly powered by another client agent called the Intune Management Extension.

The Intune application model is not as powerful as SCCM's at the moment. But it is improving with every release.

More details are available on the Windows App (Win32).

Intune Application/Package Management – Microsoft Intune for SCCM admins part 2

Software Updates with Intune

Software updates are another popular framework in SCCM. SCCM uses WSUS in the background to patch Windows devices.

WSUS makes sure that all the patches are available in the SCCM console. You can refer to the SCCM patching video guide.

The patching of Windows devices (on the client side) is managed with the Windows Update Agent (WUA)/Service Stack Update (SSU).

As an SCCM admin, don’t expect to list all the patches in the Intune console. You won’t be able to see any patches in the Intune portal. You can’t select particular patches and deploy them via Intune.

Also, don’t expect (as an SCCM admin) third-party patching from Intune.

NOTE! – Do you foresee network issues with patches coming down from the Internet to thousands of Windows machines using Software Update for Business? Microsoft Intune provides Windows 10 Delivery Optimization options to handle network bandwidth issues.

SCCM Patching – Microsoft Intune for SCCM admins part 2

Intune patching (Windows updates – Windows 10 Update Rings) is entirely based on the Windows Update for Business mechanism. You don’t need WSUS for Intune patching to work. Intune patching is straightforward and less complex compared to SCCM patching.

Intune has an option to create Windows 10 Update Rings. You can create a ring for Windows 10 quality (monthly patches) and feature updates (Windows 10 version upgrades).

Windows 10 Servicing configuration is also part of Intune – Software – Windows Update Rings configuration – Feature Updates.

Intune Patching – Microsoft Intune for SCCM admins part 2

Intune gives only two groups of options while creating Windows 10 Update Rings: update settings and user experience settings. These are the two main sections that control Windows patching behavior via Intune.

  • Update Settings – Choose Deferral period (days), Servicing channel, etc.
  • User Experience setting – Automatic update behavior, Block user from pausing Windows updates, etc…

More details: Manage software updates in Intune & How to Setup Windows 10 Software Update Policy Rings
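The two rings described above can also be expressed as Microsoft Graph request bodies. The following is an added example, not code from the original post: it builds the bodies with the Graph `windowsUpdateForBusinessConfiguration` properties, rejects deferral values outside the Windows Update for Business limits, and checks that each ring defers at least as long as the one before it. The function names, ring names and deferral values are assumptions made for illustration.

```powershell
# Added example: Graph request bodies for two Windows 10 update rings.
# Function names, ring names and deferral values are constructed for illustration.
function New-UpdateRingBody {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [ValidateRange(0, 30)]  [int] $QualityDeferralDays = 0,   # quality (monthly) updates
        [ValidateRange(0, 365)] [int] $FeatureDeferralDays = 0,   # feature (version) updates
        [ValidateSet('userDefined', 'notifyDownload', 'autoInstallAtMaintenanceTime',
                     'autoInstallAndRebootAtMaintenanceTime')]
        [string] $AutomaticUpdateMode = 'autoInstallAtMaintenanceTime'
    )
    [ordered]@{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = $Name
        businessReadyUpdatesOnly           = 'businessReadyOnly'    # servicing channel
        qualityUpdatesDeferralPeriodInDays = $QualityDeferralDays
        featureUpdatesDeferralPeriodInDays = $FeatureDeferralDays
        automaticUpdateMode                = $AutomaticUpdateMode   # user experience setting
    }
}

# Later rings must never receive updates earlier than the rings before them.
function Test-RingOrder {
    param([Parameter(Mandatory)] [object[]] $Rings)
    for ($i = 1; $i -lt $Rings.Count; $i++) {
        $prev = $Rings[$i - 1]; $cur = $Rings[$i]
        if ($cur.qualityUpdatesDeferralPeriodInDays -lt $prev.qualityUpdatesDeferralPeriodInDays -or
            $cur.featureUpdatesDeferralPeriodInDays -lt $prev.featureUpdatesDeferralPeriodInDays) {
            throw "Ring '$($cur.displayName)' defers less than '$($prev.displayName)'"
        }
    }
    $true
}

$rings = @(
    New-UpdateRingBody -Name 'Ring 1 - Pilot' -QualityDeferralDays 0 -FeatureDeferralDays 30
    New-UpdateRingBody -Name 'Ring 2 - Broad' -QualityDeferralDays 7 -FeatureDeferralDays 90
)
[void](Test-RingOrder -Rings $rings)

# Each JSON document is the body of a POST to
# https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations
$rings | ForEach-Object { $_ | ConvertTo-Json }
```

The script only prints the JSON; sending it requires an authenticated Graph session with permission to write device configurations.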

Office 365 ProPlus Management with Intune

SCCM provides options to install the Office 365 ProPlus client and Office 365 updates from \Software Library\Overview\Office 365 Client Management\Office 365 Updates.

I would recommend reading the details about Office 365 ProPlus updates.

SCCM Office 365 ProPlus – Microsoft Intune for SCCM admins part 2

Intune helps to install & update Office 365 ProPlus clients from the Internet. However, SCCM still uses a DP (in most scenarios) to install & update the Office 365 ProPlus client.

Office 365 is one of the Intune app types for Windows 10 devices. Intune Office 365 ProPlus client deployment is part of the Client Apps blade.

You can manage Office 365 client installation & update options from Microsoft Intune – Client Apps – Apps – Add Apps – App Suite Settings.

NOTE 1 – Intune also provides all the options (you can use either Configuration Designer or XML) to create an Office 365 ProPlus client install application, similar to SCCM. More details about Intune Office 365 ProPlus deployment.

NOTE 2 – The only difference is, again, the content source. Intune content comes directly from the cloud, and you might need to invest in Windows Delivery Optimization for large-scale deployments. However, SCCM uses a local DP as the source location for Office 365 ProPlus client installations and updates.

Office 365 Client Install & Updates – Microsoft Intune for SCCM admins part 2

Deploy Scripts with Intune

Using the packages option, you have been able to deploy scripts to SCCM-managed Windows devices since the SCCM 2007 days. SCCM version 1706 added a new workflow to upload scripts and deploy them directly from collections. This method of deploying PowerShell scripts gives loads of power to SCCM admins.

Intune Script deployment capabilities are a bit different because of the limited capabilities of the built-in Windows 10 MDM client agent. Let’s check out more details below.

SCCM Script – Microsoft Intune for SCCM admins part 2

Intune cannot deploy PowerShell scripts to Windows 10 devices via the built-in MDM client agent.

So, similar to Win32 application deployment, Microsoft has taken a “workaround” solution and built an additional client agent called “Intune Management Extension.”

This management extension client agent helps Intune deploy PowerShell scripts and complex Win32 applications to Windows 10 clients.

Are you wondering how this client agent gets installed on Intune-managed Windows 10 devices? I would recommend reading Microsoft documentation on Intune PowerShell script deployment.

Intune Script – Microsoft Intune for SCCM admins part 2

You can upload a PowerShell script to Intune using the Device Configuration (Microsoft Intune – Device configuration – PowerShell scripts – Add PowerShell Script) workload.

Interestingly, it’s not part of the Client Apps workload in Intune. Hence, Microsoft’s recommendation is to use PowerShell scripts only for deploying advanced configurations on Windows 10 devices.

NOTE! – The PowerShell file must be less than 200 KB, which is the maximum supported size of a PowerShell script in Intune.
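A script can be checked locally before it is uploaded through the workflow above. The following is an added example, not part of the original post: it checks the 200 KB limit from the note, and, going beyond what the post covers, also parses the file for syntax errors without running it, reads its Authenticode signature status (relevant if the Intune "Enforce script signature check" setting is turned on), and records a SHA-256 hash so the uploaded file can be matched to the reviewed one. The function name `Test-IntuneScriptCandidate` and the sample script are hypothetical.

```powershell
# Added example: pre-upload checks for a script destined for Intune.
# Test-IntuneScriptCandidate is a hypothetical helper name, not an Intune cmdlet.
function Test-IntuneScriptCandidate {
    param([Parameter(Mandatory)] [string] $Path)

    $maxBytes = 200KB   # size limit stated in the note above (204800 bytes)
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Parse without executing, so syntax errors surface before deployment.
    $tokens = $null
    $errors = $null
    [void][System.Management.Automation.Language.Parser]::ParseFile(
        $file.FullName, [ref]$tokens, [ref]$errors)

    # Signature status: Valid, NotSigned, HashMismatch, and so on.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        Path        = $file.FullName
        SizeBytes   = $file.Length
        UnderLimit  = $file.Length -lt $maxBytes
        ParseErrors = @($errors).Count
        Signature   = $sig.Status
        Sha256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}

# Constructed sample script, written to the temp folder so the check runs offline.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'Set-SampleConfig.ps1'
Set-Content -LiteralPath $sample -Value 'Write-Output "constructed sample script"'
Test-IntuneScriptCandidate -Path $sample
Remove-Item -LiteralPath $sample
```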

To be Continued – Microsoft Intune for SCCM admins

Let’s continue with the remaining & more interesting topics in the Microsoft Intune for SCCM admins part 3.

Great Learning Resources for Intune

SCCM is great, and it’s not going to die as per Microsoft. But don’t stay away from learning Intune. I would strongly recommend going through the Intune learning process.

Want to Learn Intune? Great Resources Around You! (1) LinkedIn Learning Courses for Microsoft Intune, (2) Learning How to Learn SCCM Intune Azure, (3) Learn Intune Beginners Guide MDM MAM MIM, (4) Microsoft Intune for SCCM Admins Part 1
