Intune: experience from the field

I have been working with Intune since early 2020. Until now I have done nearly everything that is possible and have seen its strengths and weaknesses from a technical perspective as well as in the field, for the business and the end consumer. This post will focus on managing Windows 10 with Intune.
I also often enjoy talks with IT colleagues, students or people from the web, convincing them with the charm of Microsoft. It seems to me that Intune is still a "new school" product from Microsoft and not very frequently represented in today's organizations, which currently have an on-premises background, although cloud products are a trend and a cloud-native strategy is what most organizations aim for in the next 4-8 years in information technology. But is Intune device management any good?
If you want a simple answer: yes, it is. At least from my experience and opinion.
Quick facts
Intune is a cloud-based endpoint management solution from Microsoft that requires no server infrastructure, only client hardware. You can manage devices, sophisticated configurations and compliance requirements, enrollment and endpoint security, combined with cloud capacity, automated updating directly from the cloud, apps from multiple sources, users and groups, and get powerful reports at the same time. This is all in the Enterprise Mobility + Security suite; please note the corresponding licensing. If you want to get a full review of Intune.
Enterprise mobility + security
Intune is one of the fundamental products of the Microsoft cloud. I can recommend starting your cloud journey with it, but I also suggest you take a look into the Azure AD sphere, by first getting a concept and a governance strategy for it and doing tasks like:
- Foundation for a simple secure environment
- Setting up conditional access
- Configure & manage identity federation and applications
What I enjoy
Configurations
Now let's get to the good parts. First of all, Intune is a super simple product from nearly any angle. Everything is available in a single portal, integrated in the Microsoft cloud. To get your tenant ready you don't even need more than 5 minutes.
For additional configurations, for example setting OneDrive roaming policies, you get a catalog of possible configs that are all well structured. These are manageable and offer anything you need.
Applications
Apps are included through the Microsoft Store; Edge and Office are even natively built into Intune and honestly, this has always worked and never let me down. And let's be serious: a browser and the Office apps are the most important tools on a normal workstation. But don't be afraid; you can also add them manually with the Win32 Content Prep Tool and upload them to Intune. This should work with an .exe or .msi and a batch or PowerShell file that executes silently with the parameters you set. Furthermore, in Intune you can add requirements, detection rules and dependencies. This really works out in the field and satisfied my desires; only from an update perspective, e.g. if there is a new major version, it is sometimes a little hard. (The supersedence feature is nice, but it is horrible that I need to configure the app twice in the portal.) Our organization collaborates with a software packaging and distribution specialist that provides us our business apps with a simple PS1 file to run. Downloads from the Company Portal, which is like an end-user app store for all Intune apps, enable the user to do self-service application installations. That's really something cool that is reliable and starts a clean installation from a cache. A modern approach to managing apps is for example Chocolatey, which gets all apps from a public repository in the cloud. And an even better solution would be to go fully SaaS :)
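As an added example (not the author's or any vendor's code), here is what the Win32 app flow described above can look like: a wrapper script that installs or uninstalls a placeholder ExampleApp.msi silently, and a custom detection script for the app's detection rule. The file names, the registry key, the version and the log path are all assumptions.

```powershell
# --- Install.ps1 --- (constructed example; ExampleApp.msi and all names are placeholders)
# Packaged together with the MSI into an .intunewin file and run by Intune as
#   powershell.exe -ExecutionPolicy Bypass -File Install.ps1   (add -Uninstall for removal)
param([switch]$Uninstall)

$Msi = Join-Path $PSScriptRoot 'ExampleApp.msi'       # ships inside the .intunewin
$Log = Join-Path $env:TEMP 'ExampleApp-install.log'   # C:\Windows\Temp when run as SYSTEM

if (-not (Test-Path $Msi)) { Write-Error "Installer not found: $Msi"; exit 1 }

# /qn = fully silent, /norestart = let Intune decide about reboots, /l*v = verbose MSI log
$action  = if ($Uninstall) { '/x' } else { '/i' }
$msiArgs = "$action `"$Msi`" /qn /norestart /l*v `"$Log`""
$proc    = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# Pass msiexec's result through unchanged: Intune's default return codes treat 0 and 1707
# as success, 3010/1641 as "success, reboot required", 1618 as retry; anything else fails.
exit $proc.ExitCode

# --- Detect.ps1 --- (custom detection rule, uploaded separately in the app's detection settings)
# Intune reports "installed" only when the script exits 0 AND writes something to STDOUT;
# exit 0 with no output, or a non-zero exit code, means "not installed".
$Key        = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'   # placeholder key written by the MSI
$MinVersion = [version]'1.2.0'                            # placeholder version

$installed = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).Version
if ($installed -and ([version]$installed -ge $MinVersion)) {
    Write-Output "ExampleApp $installed detected"
    exit 0
}
exit 1
```

Checking a minimum version in the detection script is what makes a major-version update re-install cleanly instead of being reported as already present.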
Security
Now security is the next big pleasure within Intune. Even as someone who doesn't have too much SecOps experience, Intune is capable of cloud-powered, enterprise-class security management. This is really a masterclass from Microsoft, offering products like Defender for Endpoint, Defender for Identity, Defender for Office 365 or Cloud App Security. Everything cloud-only and super competent and dynamic. Azure Sentinel is your security information and event management tool, and with Power Apps you can even use security orchestration, automation and response. But you don't even need it; of course the common Defender in Windows 10 is the solid foundation. Defender in Windows 10, is it any good?
To configure Defender and the DFE sensor, simply apply the Microsoft recommended baselines, which hold many security-relevant settings and harden your endpoints at a standardized level. That's as simple as it sounds. The only real impact I suffered from was that some business apps (which were often very old) relied on deprecated security settings and didn't work correctly.
And in the future, artificial intelligence and big data can find a real use case here to relieve you from work and do anomaly detection based on intelligence.
If you are interested in more: Microsoft security concepts and Some more security ramble.
Reports
So now that I have some devices in Intune I can generate reports and reviews. This is obviously not a feature used every day, although getting the device compliance count, a Windows Update summary or Defender feedback is sometimes quite useful. But I like the Proactive remediation feature, which can help detect problems on your endpoints and resolve them. Application reliability tells you which apps are used by the users and how often they crash, and gives them a score at the end.
To get more insight you could set up an Intune data warehouse or more Azure products.
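The Proactive remediation feature mentioned above takes a pair of scripts: a detection script and a remediation script. As an added example (not the author's or Microsoft's code), the pair below checks that Defender real-time protection is on and that signatures are not older than three days, and repairs both; the three-day threshold is an assumption.

```powershell
# --- Detect.ps1 --- (constructed example; the 3-day signature threshold is an assumption)
# Proactive remediation contract: exit 0 = compliant, exit 1 = issue found, run the remediation.
# Whatever is written to STDOUT shows up in the Intune report as the detection output.
$MaxSigAgeDays = 3
$status   = Get-MpComputerStatus
$problems = @()
if (-not $status.RealTimeProtectionEnabled) { $problems += 'real-time protection is off' }
if ($status.AntivirusSignatureAge -gt $MaxSigAgeDays) {
    $problems += "signatures are $($status.AntivirusSignatureAge) days old"
}
# Caveat: with a third-party AV registered, Defender runs in passive mode and real-time
# protection legitimately reports off; assign this pair only to devices where Defender is primary.
if ($problems.Count -gt 0) { Write-Output ($problems -join '; '); exit 1 }
Write-Output 'Defender healthy'
exit 0

# --- Remediate.ps1 --- (runs only when Detect.ps1 exited 1; exit 0 = fixed, exit 1 = still broken)
$MaxSigAgeDays = 3
try {
    # If tamper protection or policy refuses the change, the re-check below reports it as a failure.
    Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction Stop
    Update-MpSignature -ErrorAction Stop
} catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
$status = Get-MpComputerStatus
if ($status.RealTimeProtectionEnabled -and $status.AntivirusSignatureAge -le $MaxSigAgeDays) {
    Write-Output 'Defender healthy after remediation'
    exit 0
}
Write-Output 'Defender still unhealthy after remediation'
exit 1
```

Both scripts run as SYSTEM by default, so the remediation report gives you a per-device audit trail of which endpoints drifted from the baseline and whether the fix stuck.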
The challenges
Why should a "modern" organization switch?
Personally I think the biggest barrier for most organizations currently is that they are not ready for the innovation, or do not see a big reason for migrating their endpoint management solution, because they have a functioning system at the time. But I am convinced that Intune could empower every organization, and not only the IT department benefits but also the business, to achieve more, save time and maximize profits. And this is just the approach to future IT.
The cloud is slow
This is a statement often dropped by many people. And they are not even necessarily wrong; I can confirm that we have delays when working with something that is geographically apart. That's just the technical limitation.
In the real world, this means that it can take some time when applying new configurations, as well as when syncing a device or downloading an app. The average waiting time is about 15 minutes until I saw new policies taking effect. But I was always sure that it did arrive and worked; once you are used to it, it is really not that bad and won't cost you any time.
Security concerns about the cloud
The biggest myth is that your data isn't secure and reliable in the cloud. To analyze that we need to differentiate between technical data security and privacy concerns. From a technical angle you couldn't be more secure than in a Microsoft/Google/Amazon data center: multiple layers of security, highly restricted access, staff dedicated to each task, an optimized environment, redundancy, and more. Most service level agreements guarantee an uptime of >99% plus data replication for highest availability. So in my opinion this is a clear win against any single-tenant environment/data center in a usual organization.
When talking about privacy and trust, confidentiality or data sovereignty, things start to get more complicated. Any workload in the cloud is run on foreign systems; that's a fact. The question is whether you trust the cloud provider. In the case of Microsoft, I am convinced that it is definitely a satisfying way to hand over your data. Trust and privacy are serious subjects that impact reputation. One more thing: just because your data is in the cloud, it isn't automatically secure; you are still responsible for governance and compliance.