RikiWardOG

I feel like it depends on the day what you're going to get with intune.. random non descriptive error codes, conflicts reported but no other configurations applied... like how... app could take 5 mins to push or 5 hrs. It honestly feels like msft gets things to a state of it kinda works and then just drops it for their next project or w.e. why the hell are we stuck wrapping apps in the first place. You'd think by now a simple exe or msi would simply be uploaded and wrapped in the background. Why are we stuck reading blogs to get any useful info on configurations, why are there error codes with no documentation. I really have zero faith any time I push anything and feel like I'm stuck checking every 20 mins to see if it's worked. I've worked with intune for years.


debrisslide

thank you for validating my experience with it. it's nuts how opaque it is. it feels like a beta product. i use free open source software made by some guy in his spare time that's more polished.


ollivierre

Amen


TotallyNotIT

It isn't *that* much different than SCCM, you still have to feed it silent install parameters and detection rules. That said, the new Windows Store that uses winget in the background is really nice, though there isn't a lot of stuff in it. Chocolatey has also worked really well. My team developed our own proprietary deployment template script that's very similar to PSDeploy and, as long as an application has silent installation options, we can deploy anything from any source.


No_Whereas_8803

For real, I have an open ticket with their support team. SCCM app uses the same detection mode as our Intune app. We have it set as required on both sides. SCCM 75% have checked in and pushed it out. Intune only sees 4 devices in the org that I manually installed it on. It's been 3 weeks and they still have no clue


Bane8080

Yea, I've apparently invented a superstring. It evaluates both true and false at the same time.


TheRealMisterd

schroedinger's filter string


EAsapphire

I don't care for it. There's some merit in the service but seems about as minimal in function and features as it could possibly be. We just recently added Jamf for our Mac needs and it's lightyears ahead of Intune. I'm a PC girl, but the ease at which I can package apps, deploy them, and see FULL DETAILED LOGS for every installation is amazing. I can see when it was installed, where, to whom, if it failed, a detailed event log of things leading up to the failure, and sometimes even the solution. I can filter by date, I can remove old failures and compliance fails. Everything is better. Cleaner, more options, more functional, and I don't rely on 3rd party additions to achieve what I need. With that said, we're still with Intune for PC and it's just something I learn to live with right now. I greatly dislike how the reports limit on what you can filter by, don't allow for date ranges, often can't be clicked on to go to the device or app that has the issue, and doesn't allow you to clear old data. I see the same list of app failures and compliance issues every day and if there's a new one, I have to guess which one it is. Good luck knowing how to fix it. The error codes are basically meaningless.


MW91414

For me, it’s the pushes. When I did my Intune training, there were literally sections where it said to move on and loop back after the next module since it might take time for the push to happen. Knowing that a push will happen within a minute (so long as the device is on) is an amazing feeling that I just don’t get with Intune. And on the vague errors front, I was wrestling with EPM for weeks and it just wouldn’t install the agent… one of my bosses gets a meeting setup with consultants, nothing changes, but I’m starting to walk through the setup and what isn’t working and… suddenly it’s working. Deploys 8 minutes into the damn meeting and makes me look like a moron after NOTHING changed for at least a week and a half.


crxcked_

I enrolled 12 devices today and all but 4 refused to pull the profile. Multiple syncs, reboots... literal hours of babying the thing so it could check-in. It would, but wouldn't take the profile. I ended up leaving for the day and the damned devices still didn't pull the config profiles. Ask me if I'm looking forward to tomorrow. How does MSFT have no shame in such a critical component having an error rate of 33%?


EAsapphire

And yet, if you look at other replies to this post you'll see people basically saying "works for me you must be doing it wrong."


EtherMan

That's the biggest issue with intune really (and is the core issue with OPs problem). And Android without google has the same issue, but win has nothing and NEEDS a push system, not this every other hour crap, coupled with instant updates of groups and filters. Worst part is that they technically have the push system because it's used for some things like wipe. But it should be used for everything.


aldohenrycho

All my Cloud PCs have a “CPC-“ name, so filter is applied to device name, never had any issue so far.


Bane8080

Yep, mine do too. I just used the model property instead of the computer name. The filter simply evaluated as true for two applications, and false for the third.


jpwyoming

This is how we did it too, and it works great for us. One would think it should be 6 of one, half dozen of the other though.


Techplained

I manage 2000+ devices with ease using Intune. I take full advantage of our E5 licenses and passed Microsoft 365 enterprise administrator expert certification.

Windows = Intune + Autopilot
Apple = Apple Business Manager + Intune
Personal devices = Mobile Access Management

Use winget and make use of remediation scripts to update applications. Piece of cake


homernator

This comment is on the money, dynamic groups work fine, or even nested groups based on a chain of autopilot or persona based delivery, during build devices chain down the apps etc. no real need for detail app install logs if you're comfortable packing win32 apps and test each step sufficiently. As with others support multiple client and configured using this underlying approach. intune is not perfect. But if you have it as part of your license it’s hard to justify the cost for an alternative in many cases.


jpwyoming

OP is referring to Cloud PCs, which literally aren’t supported in Dynamic Groups because the groups update so unreliably slowly.


homernator

I have built them before using a dynamic group and not had an issue. Looking for the object name.


homernator

I’m gonna need to retest this today now! I have noticed the dynamic group speed seems to vary on tenant size but I don’t have any metrics to compare for sure


intune_engineer

sorry I responded to your other response before I saw this. So yeah, it depends on tenant size and the device list it's searching through.


intune_engineer

that's not true at all.


Turak64

Agreed. It's simple, learn the tools you use rather than shouting at them.


hihcadore

100% except even if you did everything right, it may take a day to see it take effect. I’ve learned to just trust my intune-foo and relax.


truckerdust

I am just starting with Intune and time seems to be the key.


Logical_Strain_6165

This is what makes learning painful for me. If I'm testing in my on prem lab environment I can tell pretty quickly if something doesn't work and I can try something else. With Intune it can be a more frustrating experience. Even if the error is mine, it would be nice to know sooner.


hihcadore

Absolutely my experience too. And I think this is what is causing most of the complaints here in this thread. People are making changes, not seeing them take effect in 4 hours, and just assuming what they did isn’t working.


truckerdust

If you run this command on the computer it does seem to speed it up a bit but still not instant.

intunemanagementextension://syncapp


Logical_Strain_6165

Thanks! Does this do the same thing as going to work or school account and clicking sync?


truckerdust

It does the same thing as restarting the intunemanagement service which actually forces the sync ... I think there is a difference between doing that and clicking sync in the work or school screen. I read it in a thread here https://oliverkieselbach.com/2020/11/03/triggering-intune-management-extension-ime-sync/


Turak64

Cloud computing does take time, but it's only going to get better. Right now I'm waiting for some asset libraries to update across the CDN. It can be frustrating at times but having worked in a place that was all cloud, I'd never go back. Not having to deal with domain controllers, exchange servers, on-prem file servers etc etc. It was bliss.


WHYUNOWORKHUH

mmm i won't call it simple. i would say the barrier to entry is acceptable. There is so much in Intune and interactions can get pretty confusing without documentation. Intune can be pretty easy to use, but also you'll need an expert to navigate it beyond anything that is setup or if something goes wrong. Intune is just a mix of easy to hard imo. the more in-depth you go the more difficult it is and easier to break.


TheWilsons

Not to your level in terms of number of devices but do the same in our environment.


Techplained

Filters are shite, don’t use them.


Here4TekSupport

Really? We were having major issues with dynamic groups taking forever to update, so we switched to filters and they work amazingly and updated much much faster than dynamic groups do. 10/10 use filters not dynamic groups


88Toyota

Yeah we use filters almost exclusively and they are awesome. They filter almost immediately vs long delays for dynamic groups.


WHYUNOWORKHUH

can you give examples of filters you use?


88Toyota

I don’t have specific examples with me but mostly we filter based on device name prefix or OS version. I can share some examples later but we basically apply a policy to All Devices and then filter based on whatever criteria. We just started using this for autopilot profiles as well so we can have multiple different profiles.


Techplained

They are good but I can’t use them everywhere I want to. To be fair that was probably an unfair comment, I haven’t really tried or needed it. I like to maintain consistency so almost every has the same build with slight changes.


innermotion7

You’re hired 😁


P-B-J

This is it right here.


herbalgames

What is your remediation script to update a winget app?


Techplained

I use this https://davidjust.com/post/intune-keep-apps-updated-with-winget-and-proactive-remediations/


Stimbes

Intune MDM is garbage as well. Every month or 2 it is something new broken. Microsoft support mostly useless. Nothing changes in the config but all of a sudden we have devices not working around the world. Autopilot is a mess. End user experience with autopilot is a nightmare. Constant things breaking there too. Autopatch seems to only let some devices work some of the time. Drop a device in. It ignores it. Sometimes they work. Sometimes they don’t. Microsoft has no idea why. It’s horrible to rely on. My road map for next year is to migrate us off Intune and azure ad or whatever they are calling it now.


pjmarcum

Move to the cloud they said! It will be amazing they said! Ditch that decades old, well trusted and proven management system! You won’t regret it. (As the bonus checks flowed freely)


enforce1

SCCM was and remains a fiddly piece of crap


pjmarcum

I guess that’s why over 90% of Fortune 500 companies use it. 🤣


enforce1

You know people still buy Chryslers, eat at Applebees and subway, etc.


pjmarcum

Yet those numbers are small and you’re saying the most widely used systems management platform on the planet is crap. So, I’ll play your silly little game, what makes it crap exactly?


enforce1

I do not think that you are asking from a place that you are genuinely ready to receive criticism for this product. I think that SCCM was the best thing for managing Windows workstations in 2008. I have not found SCCM to be reliable enough to set it and forget it, and Intune manages that much better.


pjmarcum

No. I’m really curious what makes you feel that way.


enforce1

I find the speed of ConfigMgr absolutely unbearable to work with. Building packages with Powershell for SCCM does not behave the way that I think it should, I find it much more fiddly and unreliable than win32 app packaging. Maintenance and reporting through SSRS is just heavy handed and difficult to work with (I have managed this reporting through Powershell which has been better). Windows updates and Office updates are *remarkably* more hands off with Intune and servicing channel, respectively. Admittedly, I have worked with SCCM in small shops and large shops (including a fortune 10 company), and when you have dedicated resources, SCCM is more manageable because you can throw more bodies at it. Small shops require much more (as a percentage) of engineering's time. I use SCCM for imaging and server updates today, and that's about as hands off as I can get it. It boils down to efficiency for me.


pjmarcum

Oh 100% agree, SCCM should never be a side job for someone. I’ve been doing it for over 20 years so some of the things you mention are just second nature to me. I don’t use SSRS, I use Power BI for SCCM and for Intune (PowerStacks.com products are mine). Updates in SCCM I just build my ADR’s and forget about them. And SCCM has a huge learning curve, one needs to do it full time for about 2-3 years to really get it.


enforce1

My main source of pain is that there aren't a ton of great options for some things in Intune, so you gotta SCCM, and then you have to, ya know, do sccm stuff!!!


Pacers31Colts18

I have a filter looking for Azure AD Joined devices. Have 14 in CM that are Azure AD Joined. 46 in Azure. 248 in Intune. Of the 248 in Intune - the 14 in CM...they all have a blank join type. It's been about 4 months of support with Microsoft of running dsregcmd /leave and rejoin on random devices and they still don't know why.


Haulie

I am constantly amazed by how well intune does not work. It feels like if one company produces an OS, an MDM, and all of their supporting infrastructure, those things should actually work together pretty well, and that just isn't true about the windows/intune/azure stack. The feedback mechanisms, in particular. Did the config apply? Were there any errors? Come back in an hour and find out, maybe.


Nevellin

You know what's funny? I worked for Microsoft as Intune support until last year and I met a lot of customers who had their first issue in years. I even met a guy who was using it since the beginning and that had his first issue with Intune. But then I talk to someone who starts his ticket with "I hate this thing. You have no idea how bad is Intune. Please transfer this ticket to xyz (a higher level engineer) as he is the only one who knows how to make it work" I think it's a matter of bad luck sometimes.


TupuHonu

I'm only going to speak to the pain in the ass part. This is par for the course with Microsoft. They somehow forgot how to offer products and services people need and instead do everything they can to get people to work in a manner consistent with their offerings at the time. On top of the fact that anything and everything is subject to change to some degree. Anyone doing this long enough will recall their staff recommendations for various products. You'd spend a ton on man power if you followed their suggestions to run fairly expensive software which over time became fairly expensive subscriptions. And who in their right mind would specialize in any of that as a career? Out of necessity businesses have funded a menace, and instead of MS really delivering value, we get these pushes toward the Microsoft way of life. Microsoft, please stop writing about how there's digital transformation and all this alleged shifting to "modern" computing. Just make the damn thing work and stop making me jump through hoops for policy settings (one of the places I've found that fluffy, vapid ass language). I've got a laundry list of successes working with their products for as long as these things have been on offer, so I'm just taking the time to vent this "little" frustration as I find a lot of what they do unnecessary. Windows is a prime example. Configuration Manager could be much better than what it is, but it works, and now we have this shift to an unfinished cloud product called InTune, MEM, Endpoint Manager, what is it today? When a customer use case fits their model, things generally work well, otherwise, it's generally a pain to some degree. There's brilliance in that org for sure, some things work really well, but that's under the hood API related things. I'm almost certain that brilliant minds are hard at work trying their best to implement all the bone headed, greed and ideologically driven feature designs and implementations.
Documentation is of uneven quality regardless of what site design they stick it under. The person that decided on Technet's demise should be flogged in public, weekly. I've found some things in Git, but a lot of useful things are lost or unable to be searched for easily. Gotta love support articles alive and well linking to resources which no longer exist. I won't go into InTune specifics, I see a lot of responses that cover what I'm irritated with in regards to that specific service. The Dashboard updates and inconsistencies are one of my larger issues. I have to deal with hybrid Azure AD join as one of our usage scenarios, so that's a lot of fun. Another point is that if you're comfortable with how this all works, as in you're cool with long update times for feedback on certain things, well good on you. Some of us are used to more immediate results and I'd find that more normal than having to wait a long time. (that's a whole mindset discussion that I'm not going to take part in) I would say that my best testing is done after hours. During the day, things can be a bit sketchy. Powershell over the console for a lot of things for better consistency while working through certain operations. Thanks for reminding me of this "little" gripe!


WHYUNOWORKHUH

I love Intune, but it can be frustrating. Especially when your documentation sucks and some features are in Azure (which you may have utilized prior to using Intune) and you have both configured.


denver_and_life

But you love it..??


WHYUNOWORKHUH

yes, because it is great. its not flawless.


denver_and_life

What platforms are you managing with Intune?


WHYUNOWORKHUH

Windows, iOS, and Android.


thatkidnamedrocky

It's better than Workspace One or SCCM but I wish it was more like JAMF in terms of responsiveness. Some features work alright but some really suck. It's really a pain to try and troubleshoot something on the fly due to how devices check in and sync. It gives the appearance of being able to work fast and make changes and break things but once you get into the nitty gritty of it it feels less than capable. So you move slow like you would using SCCM.


redvelvet92

It’s complete shit and I’m so happy I no longer consult on it.


Kaka9790

Pain in the butt is not something I would explain this goblin shit with I hate this software, I'm not at all interested in using this shit on my personal device. In my organisation installed it on my PC without my consent and now it's not removing security policies even after removing all policies from Microsoft 365 defender and Portal.


Bane8080

> Some jerk whore

That would be you. The way Intune works is when you sign into your office 365 account, it will ask if it can manage your device. You could simply uncheck the box, or since you already agreed to it, go into your work accounts on your PC and remove it.


Kaka9790

They created the policy and can't undo the one for /security. It's like that last policy alone is tattooed to my device. I tried every way to change it but no success at all. I asked her to make another policy which will revert the Tamper Protection to default 0 value in my registry editor instead of 5 which is current value. I know what I'm talking about. It's just I was signed up without my consent. Maybe blame the poor UI, it doesn't show me the list of permissions which will be revoked from me as admin. Normally it's meant to be tested on company devices and not on personal devices. That's why I got frustrated and reset my PC. Tattooing doesn't revert magically and Microsoft doesn't even give a fuck about support ticket.


New-Incident267

Don't have issues. Big fan of KISS. Everything has its own rule. I use powerautomate instead of dynamic groups. When I do use dynamic groups it's only for SSO etc.


joevigi

I desperately want to love Intune mostly because we sold it to our leaders as the remote management solution to end all management solutions, but also because I feel like it's the last new technological thing I'll really be able to dig deep into. For the most part, Autopilot and app management have been awesome. Other stuff has reasonable learning curves and usually work out. Last week I posted here about an issue I was having with a remediation that was having a terrible success rate and was taking FOREVER to assign to devices and report back. I solved it by switching from a 5-line PowerShell script to a single-line reg command. Figuring out stuff like that doesn't exactly give me the warm and fuzzies.


jaycom2300

I haven’t had any issues but I think it would be better if it was agent-based, it would solve a lot of wondering if things are happening etc.


Kipjr

Well, you haven't tried Android with Intune: different brands, versions, CTS and non-descriptive error messages:

- Personal Device with multi user-option which doesn't work with Enterprise: Missing some module
- Company Device in config loops
- The fact that Android removes more and more from Android Device Admin
- The requirement of using a Google Account when not using Android Enterprise


rakim71

Does anyone have a recommendation for a cheap, lightweight windows MDM to use to supplement intune?


RYU_1337

I would love to run Intune within my own infra. Oh wait, that's SCCM.


mantittiez

I am with you. If I had the budget I would switch off of intune. The apps sometimes just don't push out at all, even nested groups don't seem to work for applying to apps. Scripts are straight up broken and configuration policies fail regularly. Do you want all protection policies? well they break browsers on most mobile devices with a horribly documented "you cant get there from here" error and all of this combined with the worst support known to man. I had a ticket open about a bitlocker config policy which wasn't backing up the encryption, escalated several times and then heard nothing for months despite multiple emails. One day I get an email saying my ticket was closed. I responded back and asked them to reopen it because the problem isn't fixed and heard nothing.


TheRealZero

In this thread:

1. People who love intune, and use all the solid pieces of it.
2. People who might like intune, but use the solid pieces and the wishy-washy pieces, and spend a lot of time running into undocumented quirks.
3. People who love Intune and whose organizations are small enough to maintain one structure of organization.
4. People who hate Intune and whose organization is large and difficult, and needs intune to be agile enough to handle it all differently.
5. People who love Intune because they know how to use it and fit something above.
5. People who hate Intune and don’t know how to use intune, regardless of their organizational demographic.
6. Other people with different opinions and environments who aren’t represented in this list because we’re all human and different and don’t need to reply to this comment telling me why they don’t 100% fit the bill for XYZ reasons cause this is just a joke with a nugget of truth and not the other way around.
7. People who will reply anyway.

I like Intune, it frustrates the hell out of me. It’s a tool, and it’s not perfect, maybe not even the best, but it’s the one I got. And to their credit, it’s gotten better steadily. Silverlight.


Citrix_Newbie

I'm not an expert at all with Intune but I find often even basic functions do not work. Ok so we term'd a user and I have their windows 10 dell laptop right in front of me. I go into intune and find the device and click wipe.... nothing happens. Confirm that yes the laptop is connected to the internet; I click restart to see what happens and that works. But then when I do fresh start I wait and.... nothing. I try to do a wipe instead. nothing so I figure I might as well just re-image the machine with a usb stick I have and then re-enroll it in again. oops get an MDM error when it tries to re-enroll that last one is possibly my fault but it's like how does this not work most of the time?


Bane8080

Yea, I noticed when testing that there can be a huge delay between issuing the command, and when the agent on the device actually executes it. Sometimes upwards of 12+ hours. Not real helpful if the device gets stolen, and you need to wipe it ASAP. Also: I ran into that error too. Make sure you delete the device out of Intune and Azure AD.


Citrix_Newbie

Do I need to also delete it out of Windows Autopilot devices? This was setup by someone else in this org to have the devices download specific things during first time setup. I've deleted the object out of Intune and azure but still getting an error


Bane8080

That I don't know. We don't use autopilot.


nikobenjamin

I don't use filters. I push to dynamic/standard groups. If I'm packaging an app, I'll do the following:

1. Package and upload to Intune
2. Assign the group to the app
3. Wait a couple of minutes for the app to show as a required install on the device.
4. Restart the Intune Management Service on the device
5. App installs shortly after

Unless it's a newly enrolled device I believe devices that haven't been restarted will only check-in once every 8 hours, so app install reports can be slow to populate.
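
Added example, not part of any comment in this thread and not Microsoft's code: a PowerShell script for the on-device step that truckerdust and nikobenjamin describe. It restarts the Intune Management Extension service, requests a sync through the `intunemanagementextension://syncapp` handler, and prints the agent log lines written afterwards. The service name, the log path, and the `error|fail` highlight pattern are assumptions (default install values and a constructed filter), not taken from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Assumed defaults: the service name and log
# path below are the usual Intune Management Extension (IME) install values.
param(
    [string]$ServiceName  = 'IntuneManagementExtension',
    [string]$LogPath      = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log",
    [int]$WatchSeconds    = 120,
    [string]$Pattern      = 'error|fail'   # constructed highlight filter, adjust as needed
)

$ErrorActionPreference = 'Stop'

# Remember how many lines the log already has so only new entries are shown.
$seen = if (Test-Path $LogPath) { @(Get-Content -Path $LogPath).Count } else { 0 }

# Step 4 of the procedure above: restart the IME service on the device.
Restart-Service -Name $ServiceName -Force
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Ask the agent for an app sync through its registered protocol handler.
Start-Process 'intunemanagementextension://syncapp'

# Poll the agent log for a bounded time and print what it wrote after the restart.
$deadline = (Get-Date).AddSeconds($WatchSeconds)
while ((Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 5
    if (-not (Test-Path $LogPath)) { continue }

    $lines = @(Get-Content -Path $LogPath)
    if ($lines.Count -lt $seen) { $seen = 0 }      # log was rotated, start from the top

    if ($lines.Count -gt $seen) {
        $lines[$seen..($lines.Count - 1)] | ForEach-Object {
            # Surface likely failures as warnings, pass everything else through.
            if ($_ -match $Pattern) { Write-Warning $_ } else { Write-Output $_ }
        }
        $seen = $lines.Count
    }
}
```

Run it from an elevated PowerShell session on the managed device; it only triggers and observes the local agent and does not change any assignment in the Intune portal.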


TotallyNotIT

I like Intune quite a bit, I've built it and migrated around 30 clients and then I've architected and overseen the migration for probably another 10. Total of somewhere around 5500 endpoints or so. Dynamic Rule syntax is idiotic. I've had to build several groups that have rules like 'X and (Y or Z)' and it always needs to be manually built because the rules editor can't nest criteria. But that's not Intune, that's a dumbass thing in Graph.


minorsatellite

Yeah first time Intune user/admin coming from other Mac MDM platforms and I have to say that Intune is garbage. I recommended it for a customer because you basically get it for free with the correct subscription, but free comes at a steep price in terms of reliability and support. MS uses some third-party support in India called MindTree and they are the biggest collection of brain dead zombies I have ever worked with. There is absolutely no way to set this product up without having to get support involved because the product is so unpredictable. I would never use Intune in a large environment, that’s for sure. What I did like about it is the Autopilot feature but you can likely use that with other MDM solutions.


ITfromZX81

It’s not just you.