Intune challenges (community edition)
What to expect
I wanted to hear from you on Reddit and Twitter about which challenges you are facing with Intune.
This post concentrates on a summary writeup on the most intense challenges and I want to bring in some of my advice and experience.
This post was written in November 2022 and contains some announcements on new features or products. Although without any guarantee on delivery.
First of all, I wanted to clarify something: Intune is a modern mobile device management (MDM) solution, fully cloud-based. This means that this is a public service that is in communication with your endpoints, regardless of their network location. Moreover, it is a SaaS whose features are constantly being developed and expanded. This is positive, but at the same time has some downsides. You shift the workload to Microsoft, which is great but you also have shared responsibility. Microsoft is responsible for the service itself, but you have the authority to configure and operate it the right way. As with every product there is always room for improvement, but Microsoft has a clear focus on Intune and this is their MDM solution for the future. They listen to community feedback, and with this post I want to contribute to that.
Challenges/FAQ and advice
This is a list of things that could need improvement in Intune, always described in the following format:
- Issues described
-> Solution/what we can expect
- Syncs take a lot of time and it takes time until we see a up to date status of what happened exactly.
- Device actions are sometimes so delayed that they do not even reach the device. (Wipe, Autopilot refresh)
- The status on the endpoint is very uncertain.
- No option to force apply anything.
->Please continously work on the service communication and integration to Windows.
->An overview in the Company Portal (just like in the settings app, but better) for the applied configurations or status insights would be helpful.
- App deployments are likely to fail and they take a lot of time.
- Self-service installations from the Company Portal are unreliable.
- It is a blackbox on many things, such as which version of the app is deployed or what is the exact status on the device.
->For the Microsoft 365 for Enterprise apps, create a lean package with the content prep tool and the Office configuration tool and upload it as Win32 package.
->Troubleshooting Intune app installation issues
->Troubleshooting MSI Deployments over the MDM Channel
->Ensure a high quality throughout your custom (LOB) packages that you deploy in Intune.
->Some more details in the Intune portal about errors or what exaclty went wrong would better the experience for an IT admin.
Windows Store for Business
Microsoft Store for Business/Education will be retired in Q1 2023.
->The new Microsoft Store integration is coming very soon. The Store of the future, Microsoft Technical takeoff
- Internet connection loss will let Autopilot fail completely.
- Mixing LOB and Win32 is likely to fail and takes long time for the ESP.
- Just in time enrollment require the hardware hash uploaded (if not before by the vendor) with the Get-WindowsAutopilotInfo script, this also takes some time to sync.
->Troubleshooting guide for the Autopilot process, in this blogpost.
->Only do Autopilot from ethernet or a robust Wi-Fi connection, that also has adequate speed. Verify that the Intune network endpoints are available from your network.
->Install as few apps during the ESP as possible. (Edge, M365 apps, but not more than ~5 apps)
->Microsoft is working on a new "scenario" to fill the gap of just in time deployment.
Migration of configuration profiles and security baselines
->Approach for a greenfield! This is your time to rethink endpoint configurations. Use the settings catalog to find items and only configure things that are really needed.
->Security baselines must be tested properly, I recommend to not use the built-in baselines, but build the profiles in the Endpoint Security section.
->Use the Security + Compliance Toolkit
->All deviations and changes to the baselines must be tracked and approved by a security officer.
- No uninstall or repair option
- Sync takes a lot of time
- App installation is likely to fail
- IMECache is temporary
->Let's hope that the new Store integration will relief us with great packages available from the Store and Winget.
->Uninstall button expected to come in Q1 2023.
Development, integration and testings
- Intune itself needs a high governance to be operated in a large environment, especially if you want to have development, integration and testing features. You can create things very fast, but need to have a proper concept and do your housekeeping!
->Build your LAB or DEV tenant environment.
->Take a look at the Technical Takeoff session Configuration as code in Intune.
Logs and what happens behind the scenes
- Some events are only to understand when looking under the hood in client event viewer logs. It may be hard to comprehend certain actions.
- As a cloud product, Intune starts to sync with an endpoint from the backend, where there is just few insights to it.
->Enable platform logs for Intune.
->Intune debug toolkit
->We would like to see some more pregnant information on some actions.
->If you need to investigate, make yourself familiar with the following locations:
|What to find||Where to find||Location|
|General Intune events||Applications and Services Logs>Microsoft>Windows>DeviceManagement-Enterprise-Diagnostics-Provider||Event viewer|
|Intune management extension logs||C:\ProgramData\Microsoft\IntuneManagementExtension\Logs||Files (.log)|
|Advanced Diagnostic Report||Creation: Windows Settings app>Access work or school,
Driver update management
- Drivers for some device types are not supported in Windows Update. There is also no option to manage drivers in a good way from Intune.
- Often drivers are only displayed as "optional" in Windows Update, which doesn't automatically install them, even if they are very necessary.
->Stick to Drivers from the Windows Update (rings).
->Use third-party manufacturer tools.
->New feature is coming soon.
Profile correlation and assignment overviews
- There is no single-pane overview of which groups are assigned to which profiles.
->Keep it simple with the assignment based on an Azure AD dynamic group, that queries the GroupTag.
->Use the Troubleshooting + support section of Endpoint Manager admin center and select a user to find out which profiles are assigned to him.
- Integrated Workbooks are not always accurate (timing issue, when was the report created?) and they are also not that meaningful sometimes.
->Implement Azure Log Analytics and connect Intune platform data
->View my Intune changetracking Azure Workbook
->Implement Update Compliance with the Update Compliance Dashboard from MSEndpointMgr.
->The filter option in Intune is great to assign profiles based on a custom rule. This can help in various situations, e.g. if you wish to only apply a certain hardware manufacturer, model, devices that match a naming pattern or simply the name of the deployment profile
TPM (especially on AMD devices)
- TPM is a well-known suspect for Intune, but Windows 11 too.
- Remember that self-deployment needs TPM 2.0 with attestation, which is not available on VMs.
->Make sure the TPM is supported, sometimes it helps to clear the TPM. (but be careful with this, you will lose all your created keys from it)
->Often it can also help to update the TPM version with the manufactor tools.
- The primary user is the first user who logs on to an Intune device. This is not always desired, then you need to remove the primary user or make it a shared device.
->View my guide on Kiosk/shared PC mode
OMA-URI and settings
- Some Windows configurations are not accessible through CSP, but OMA-URI only.
->The settings are gradually moved to the settings catalog or dedicated endpoint security profiles.
- The Microsoft Cloud licensing can be a little bit confusing. Usually something of the Enterprise Mobility + Security suite is needed. More info on the Microsoft docs
->View my post on Microsoft 365 license compliance in a nutshell
->This is a great and up to date overview of all Microsoft license suites: M365maps
User or device assignment
- It is often a question if the profile or app shall be assigned to a user or device group.
->My advice on this is that you only use groups that have devices as members for all profiles. For Apps and Update rings you may also choose user groups.
->Exclusions should be kept at a minimum. You could create a dedicated exclusion group for each policy and nest it with the corresponding exclusion identities.
- The Endpoint Management admin center would greatly benefit of some more advanced search options or sort-function etc.
->Let's hope for development.
As always I would like to present my blog post about Tranistion to modern Endpoint Management, this addresses a lot of common technical desgin topics with Intune.
In the Intune path provies various Intune related posts on my blog.