A little while back I had to do a presentation about what options are available from Microsoft to manage Windows PCs, and to summarize, there are only two (sort of): ConfigMgr or Intune (standalone), or combining ConfigMgr and Intune (the hybrid model). Anyway, when preparing the presentation I spent some time testing the standalone Microsoft Intune solution, and quickly ran into a question: Should you, or should you not, use the Intune client software?
Credits: Special thanks to Per Larsen (@PerLarsen1975) for clarifying a few things, and to Jan Ketil Skanke (@JankeSkanke) and Andreas Stenhall (@AndreasStenhall) for tips on cloud services (Azure, Defender ATP, OMS) that extend Intune when using it to manage Windows 10 clients via its native mobile device management (MDM) features.
Background – Managing Windows PCs using standalone Microsoft Intune
When managing Windows PCs using the standalone Microsoft Intune solution, you have two ways to manage the machines: either by using the native MDM capabilities in the Windows operating system, which are only available in Windows 8.1 (not Windows 8) and Windows 10, or by installing the Intune client software.
For Windows 7 and Windows 8 machines, you obviously don't have a choice. Since they lack native MDM capabilities, your only option is to use the Intune client software. But what about modern operating systems like Windows 10?
Summary: The general recommendation, also from Microsoft, for Windows 10 clients is to not install the Intune client software, and instead rely on the native MDM capabilities. But please be aware that there are things you are missing out on when doing so. Please continue reading.
Using the Intune Client Software on Windows 10 machines – The Gotchas
When using the Intune client software on Windows 10 machines, there are some gotchas you should know about.
- It took Microsoft almost four months to make it even possible to install the Intune client software on Windows 10 v1607. If you tried to install it before the November 2016 cumulative update (CU), it simply would not work. This could be a small hint that Microsoft wants you to use the native MDM capabilities in the first place 🙂
- If you do install the Intune client on your Windows 10 machines, you can't deploy other Intune policies to them, like the Windows policy settings that are specific to mobile device management. This means you cannot do things like an edition upgrade of Windows 10 when the Intune client software is installed. Also, you cannot use the Conditional access or Full wipe of the machine (selective wipe is available).
Note: It's very clear that future Microsoft Intune investments for managing Windows 10 clients are for its native MDM capabilities, not for the Intune client software.
- You cannot use Microsoft Intune to install feature updates for Windows 10. Like going from Windows 10 v1511 to Windows 10 v1607.
If installing the Intune client software, you can only use policies from the Computer Management node.
Ok, so what Intune feature requires the full Intune client software on Windows 10 machines?
Intune features requiring the Intune client software
When managing Windows 10 via Microsoft Intune with the Intune client software installed, it can manage basic Windows settings like firewall, updates, and settings for the Intune client itself. As you learned in the preceding section, deploying the Intune client software blocks the use of Windows (MDM) policies and the other related features.
Real World Note: Using the Intune client software or not is a bit of a mess (IMHO). You simply need to decide what is more important: the feature list below, or managing policy on Windows 10 clients as well as future features for Microsoft Intune.
The following features require the Intune client software to be installed:
- Deploy EXE style applications, like Setup.exe /s. Without the Intune client software you can only deploy MSI, UWP and Centennial applications (Centennial apps are apps that use the Desktop Bridge feature).
- Full Software Inventory. When using MDM, you only get the applications that Intune has installed
- Full Hardware Inventory. When using MDM, you only get limited hardware inventory
- Granular control of Software Updates. Including automatic approval rules, compliance reports, and uploading third party updates.
Note #1: You can use MDM only features to configure Windows Update for Business settings: See this post for details: Use Microsoft Intune to configure Windows Update for Business
Note #2: You can also configure software updates from the Azure portal. That feature is currently in preview, and not yet available for all tenants, but will be shortly
Note #3: Windows Analytics (in OMS – Free tier) will give you reporting on Update Compliance, just need to deploy the Commercial ID.
- Configure Windows Firewall policy
- Windows defender reporting
Note #1: Windows Defender in an MDM world could be combined with Defender ATP for remote actions and reporting related to Defender
Note #2: Andreas Stenhall (@AndreasStenhall) also pointed out that Windows Defender reporting can be handled using OMS. Something he set up for a customer, configuring it to send email alerts based on Windows Defender events in Event Log whenever problems occur or malware is found.
- Manage software licenses
- Using the automated remote assistance via the TeamViewer integration (requires separate license). You obviously can use TeamViewer on its own.
- Remote administrative actions, like remotely restart a computer from the Microsoft Intune admin console, or force a malware scan.
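To illustrate the event-log-based Defender reporting mentioned in Note #2 under "Windows defender reporting" above (the approach where alerts are raised from Windows Defender events whenever malware is found), here is an added PowerShell example. It is not the setup Andreas built in OMS and not code from this post; it shows the same logic run locally on a Windows 10 client: query the Windows Defender operational log for detection events and send an alert if any are found. The log name and the event IDs 1116 (malware detected) and 1117 (action taken) are the standard Windows Defender ones; the mail addresses and SMTP server are placeholders you would replace.

```powershell
# Added example (not from the original post): poll the Windows Defender
# operational event log for detection events and alert on them.
# Assumptions: runs on Windows 10 with Windows Defender enabled; the
# mail recipient, sender and SMTP relay below are placeholders.
$LogName  = 'Microsoft-Windows-Windows Defender/Operational'
$EventIds = @(1116, 1117)   # 1116 = malware detected, 1117 = action taken
$Since    = (Get-Date).AddHours(-24)

function Get-DefenderDetection {
    param(
        [datetime]$StartTime = $Since
    )
    $filter = @{
        LogName   = $LogName
        Id        = $EventIds
        StartTime = $StartTime
    }
    # Get-WinEvent throws a terminating error when nothing matches the
    # filter, so suppress it and simply return no objects in that case.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Computer    = $_.MachineName
                # Keep only the first line of the message for the summary
                Message     = ($_.Message -split "`r?`n")[0]
            }
        }
}

$detections = @(Get-DefenderDetection)
if ($detections.Count -gt 0) {
    $body = $detections | Format-Table -AutoSize | Out-String
    # Placeholder addresses and SMTP relay; replace with your own.
    Send-MailMessage -To 'soc@example.com' -From 'defender-alerts@example.com' `
        -Subject "Windows Defender detections on $env:COMPUTERNAME" `
        -Body $body -SmtpServer 'smtp.example.com'
} else {
    Write-Output "No Windows Defender detection events since $Since"
}
```

Run it from a scheduled task on the client, or feed the same filter into your log collector (OMS in the case described above) so the alerting happens centrally rather than per machine; the event IDs and log name are what you would key the collector's alert rule on.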
After a tip from Nickolaj Andersen (@NickolajA) I found this post by Aaron Parker (@stealthpuppy) that gives you additional details on the topic
Choose Your Own Adventure with Microsoft Intune
A little off topic, but here is a good post about the differences between ConfigMgr and Intune:
SCCM vs. Intune Showdown
Running remote tasks via the Microsoft Intune Admin console.
Written by Johan Arwidmark