Choose Your Own Adventure with Microsoft Intune
Microsoft Intune has multiple methods for managing Windows 10 - you can choose to deploy a client or use the mobile device management capabilities built into the operating system. However, guidance from Microsoft on the comparing the capabilities of each, especially from a policy perspective, is currently unclear.
Having spent some time with Intune recently, I’ve built what I think is a good understanding of how the product works and its strengths and limitations. For this particular project, we’ve deployed into a greenfield environment with as little as possible on premises - Windows 10 PCs and networking equipment; therefore we’re relying on cloud solutions for everything else including desktop management.
Note that this article will not cover a hybrid deployment with Intune and System Center Configuration Manager. Additional scenarios are possible with a hybrid approach, but my interest lies in utilising Intune as complete cloud solution to Windows PC management.
Intune Management Choices
Intune provides two management approaches for Windows 10:
- Intune client (installed manually by the administrator or via a deployment solution, e.g. in an image with MDT). You could also install the client via a Windows 10 Provisioning package
- Windows 10 built-in mobile device management (Microsoft has delivered improvements to MDM with Windows 10 1511 and 1607)
Intune console - note the differences between MDM (top window) and client (bottom window)
While the documentation for Intune is quite good, it doesn’t paint a clear picture of what you can and cannot achieve with the client vs. MDM - at least when you’re new to Intune. For most of us working with Windows desktop management for some time, it’s potentially natural to use the client and you’ll need to for Windows 7. It’s clear, however, that in regards to policies Microsoft is building capabilities into the MDM approach for Windows 10.
There are a few articles in the Intune documentation that provide an overview of the management capabilities that are provided by each approach:
- Manage Windows PCs with Intune PC client software
- Windows PC management capabilities (with the Microsoft Intune PC client)
- Windows 10 policy settings in Microsoft Intune
When reading the Microsoft documentation, the language is key to understanding the capabilities - if “enrolled” is used, then this is referring to a Windows 10 device enrolled in Intune MDM and is thus treated as a mobile device; if “client” is used, then this, of course, is referring to the installed client. That first article has this important paragraph:
While the Intune client supports policies that help protect PCs by managing software updates, Windows firewall, and Endpoint Protection, PCs managed with the Intune client cannot be targeted with other Intune policies.
I’ve come across two other great resources that provide more insight:
- A post at UserVoice highlighting the need for Microsoft to improve the comparison between the two: Improve documentation - it is very vague on what works with “Intune client” and what works with “MDM”
- An article by Gert-Jan van de Werfhorst & Eric Dunnewijk that provides the best overview I’ve found on the features available with each management option: Microsoft Intune, wat is nu toch modern management? (Dutch)
To summarise the key points:
- 3 policies apply to the Intune client - the Intune client Settings, Intune Center Settings and Windows Firewall Settings
- All other policies targeting Windows apply to Windows 8.1 and/or Windows 10 MDM.
Management Capabilities
Based on the article by Gert-Jan van de Werfhorst & Eric Dunnewijk, I’ve created the following tables with some additional information to show the differences between managing a Windows 10 PC with the client vs. MDM.
An administrator can see quite readily the differences in the Intune dashboard when managing devices. In the screenshot below you can see what the dashboard looks like after enrolling a number of devices. Note that Windows Updates and Endpoint Protection are not shown.
Intune with devices management via MDM only
Once the client is deployed to at least one Windows PC, the dashboard now shows the Windows Update and Endpoint Protection overview and you can see some additional links available on the left side of the dashboard.
Intune with devices management via the client and potentially MDM
Features
First, let’s take a look at an overview of the features available for the client and for Windows 10 MDM:
| Feature | Intune Client | Windows 10 MDM |
|---|---|---|
| Auto Enrollment via Azure AD | ✗ | ✓ |
| Software Deployment via Single MSI | ✓ | ✓ |
| Software Deployment via MSI + additional files | ✓ | ✗ |
| Software Deployment via EXE + additional files | ✓ | ✗ |
| Configuration Policies | ✗ | ✓ |
| Compliance Policies | ✗ | ✓ |
| Remote Assistance | via TeamViewer | ✗ |
| Windows Update Policy, Approved Updates & Reporting | ✓ | Policy only |
| Endpoint Protection Policy & Reporting | ✓ | Policy only |
| Software Inventory | ✓ | UWA only |
| Software License Management | ✓ | ✗ |
| Hardware Inventory | ✓ | Limited |
| Conditional Access | ✗ | ✓ |
Note 3 key items here - software deployment, Windows Update management and Endpoint Protection management:
Software Deployment
While software deployment with Windows 10 MDM is possible, only applications consisting of a single MSI can be deployed. It’s clear then that software deployment via MDM may require some custom packaging.
Software deployment via the client is limited to EXE and MSI files; however, it also enables additional files in an application setup thus providing more flexibility.
Windows Update
For Windows Updates on PCs managed with the client, full control is possible (not quite the same as WSUS). Additionally reporting is available to understand which updates are deployed and those that are outstanding. Finally, it is possible to deploy 3rd party MSP updates as well.
Endpoint Protection
The client provides for management of Windows Defender on the endpoint plus reporting on device status and malware found with remediation action taken.
With the MDM approach, Windows Defender configuration is possible via OMA-URI policies; however, no reporting is possible. Advanced Threat Analytics is a component the Enterprise Mobility Suite (EMS), which is a popular way that organisations are licensing Intune. While I haven’t seen how Windows Defender Advanced Threat Protection is licensed, this too looks like a good alternative endpoint management solution.
Policies
Understanding the configuration policies possible with either approach is important for getting a full picture of how much control you have over Windows 10 PCs:
| Policy | Intune Client | Windows 10 MDM |
|---|---|---|
| Custom Configuration (OMA-URI) | ✗ | ✓ |
| Edition Upgrade Policy | ✗ | ✓ |
| Email Profile | ✗ | ✓ |
| General Configuration | ✗ | ✓ |
| PKCS #12 (.PFX) Certificate Profile | ✗ | ✓ |
| SCEP Certificate Profile | ✗ | ✓ |
| Trusted Certificate Profile | ✗ | ✓ |
| VPN Profile | ✗ | ✓ |
| Wi-Fi Import | ✗ | ✓ |
| Windows Information Protection (Enterprise Data Protection) | ✗ | ✓ |
| Microsoft Intune Agent Settings | ✓ | N/A |
| Microsoft Intune Center Settings | ✓ | N/A |
| Windows Firewall Settings | ✓ | ✗ |
| Exchange ActiveSync | ✗ | ✓ |
| Mobile Device Security | ✗ | ✓ |
It’s initially surprising to see most policy configuration possible only available to Windows 10 MDM, given that Intune has been available since before Windows 8 and Windows 10. It’s important to note that policy configuration for Intune is a different approach than traditional Group Policy which can be filtered based on computer and user. With MDM policies, these will apply to all enrolled machines, regardless of which user is on the device.
Remote Administrative Actions
Given the difference in supported features, the remote actions possible for each management approach is, of course, different.
| Remote Action | Intune Client | Windows 10 MDM |
|---|---|---|
| Run a Full Malware Scan | ✓ | ✗ |
| Run a Quick Malware Scan | ✓ | ✗ |
| Restart Computer | ✓ | ✗ |
| Update Malware Definitions | ✓ | ✗ |
| Refresh Policies | ✓ | ✗ |
| Refresh Inventory | ✓ | ✗ |
| Remote Lock | ✗ | ✓ |
| Passcode Reset | ✗ | ✗ |
Conclusion
This information is correct to the best of my knowledge. I recommend checking the documentation and trialling Intune for yourself to determine which approach will apply for your specific requirements.
I’m certain that Microsoft understands the configuration requirements that most customers require as the product group looks to be very active on UserVoice. One of the management approaches requires the features from the other approach. The fastest way to do that would be for Microsoft to implement policies via the MDM configuration service provider in Windows 10 into the Intune client.
MDM for Windows 10 PCs is clearly the future - with automatic MDM enrollment when the PCs is connected to Azure AD and no additional agents to deploy, this approach really does simplify PC management.
With the popularity of Office 365 and EMS, Microsoft is looking to make Intune an important component of customer’s cloud strategies. It’s therefore, important to understand what its capabilities are when moving from traditional PC management to a cloud approach.
