Forum Discussion
Windows 10 Policies: Apply to user or device?
- Lynn Towle, Mar 27, 2019, Iron Contributor
sbuccimsft Shared devices are my single biggest concern, but we are also trying to get non-shared devices enrolled in MDM.
We have about 300 Win 10 devices that are shared and hybrid joined. Deciding how we are going to manage those devices with Intune has been an ongoing discussion for the last few years. DEM? Bulk? Unfortunately there isn't an easy answer for that question. Each deployment method has different capabilities when it comes to Intune management, especially when talking about non-admin users and application deployment, configuration and other types of profiles needing to be targeted to those users.
That's why we've stuck with the PC agent for this long: it's simple, doesn't require a ton of management, and while it doesn't do everything we want, it gives us some fairly important functionality.
- sbuccimsft, Mar 28, 2019, Microsoft
Lynn Towle, there is definitely a plethora of variables and methods for enrolling. There is a matrix on this 3rd-party blog article that illustrates the options and capabilities (updated towards the end for Intune and enrollment): https://microscott.azurewebsites.net/2018/08/31/managing-windows-10-with-intune-the-many-ways-to-enrol/
This is a scenario where I recommend talking to a Microsoft Partner or Microsoft Consulting Services to go over your company's current scenario and goals so you can go forward with the appropriate solution.
- Lynn Towle, Mar 28, 2019, Iron Contributor
sbuccimsft I'm about to talk your ear off, but I'm not expecting a reply. I'm just passionate about this, and knowing how different companies' environments are set up would seem useful :)
We are a smaller mid-sized business, in the real estate sector, and have about 600 devices that we manage. Almost half of those devices are shared Win 10 desktops. We have a hybrid environment and will have one until certain things are changed on the Azure Active Directory Services side.
We've spoken to a few partners, but unfortunately, there isn't a "single" deployment method that would work in our environment. We will most likely use DEM; we are still working out all the particulars on that model, but DEM will get us to about 85% of where we need to be.
85% of the users in our environment are what many businesses would call "first line" workers, but their jobs are a bit more complex than that, technologically speaking. Our leasing offices are an open floor plan, and users bounce from one desktop to another depending on the day, who is working, and other various factors.
DEM deployment for those users is a no-brainer: they will never need to be an admin on the desktop, and their application, configuration, and permission sets are standardized throughout the company. The other 15% of users is where we run into our headaches.
Those users are what would have historically been called our "Power Users", and they require slightly different application, configuration, and permission sets than the standard users. These users try to use the same computer every day, but in cases such as a break/fix situation, or office to office movements for coverage, they may sign into a totally different computer in order to work. SCCM handles that situation fairly well; Intune, especially in a DEM deployment, does not.
The computers the "Power Users" log into are also available for the "Standard Users" to log into; again, break/fix or movement for coverage are the biggest contributing factors to this.
I've considered setting up an SCCM server, but for our environment, SCCM is fairly complex and requires a significant portion of resources to manage and maintain properly. We are also trying very hard to decommission our on-prem environment, but can't at this moment for various reasons. I've admin'd SCCM environments before; it is an awesome tool, but a bit too much for our current environment, and I am trying not to install another on-prem service to manage our fleet.
So, Yay! Complexity!
We'll get there, it's just taking some extra time to fully realize our dreams of being able to be fully managed by Intune. :)