Cloud attach vs. cloud only: the debate
Event details
Are you planning a new Microsoft Intune deployment? Are you wondering if you need Configuration Manager? Join Danny and Steve for a special edition of Unpacking Endpoint Management as they break down the key management workloads for Windows devices (compliance policies, Windows Update policies, resource access policies, Endpoint Protection, device configuration, Office Click-to-Run apps, and client apps) to help you determine whether cloud attach or cloud only is right for your new Intune deployment.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after the conclusion of the live event.
254 Comments
- Heather_Poulsen
Community Manager
We're more than halfway through today's Cloud attach vs. cloud only AMA. Keep your questions—and suggestions on future feature prioritization—coming. Thanks!
- Lloyd-Matthews
Copper Contributor
Can you recommend any info or resources to help with the speed and reliability of Intune? We've had it for more than 5 years and it's always been slow and intermittent pushing out settings and apps to Windows and iOS devices. That applies to both hybrid and non-hybrid (Azure-Intune only) devices for us.
- JamesEpp
Iron Contributor
Underrated question. Intune is *horrifyingly* slow to apply changes to endpoints. Very scary to think about when you have a security incident and need to make a response. GPO is incredibly predictable - next reboot or gpupdate sync (with LOS to AD) and changes are nearly guaranteed.
- Jason_Sandys
Microsoft
There are a lot of mitigating factors here. I suggest you bring in a knowledgeable Intune person to help with this or open a support case, as this is not the expectation. All changes should apply to targeted managed endpoints within 8 hours, but in general, changes are pushed out as soon as they are made in the admin console. On Windows, this requires that WNS is open and can communicate with the endpoints; we often find that enterprise environments do not allow WNS and thus the endpoints must wait the full 8 hours. As for GPO reliability, that's great if your systems are on-prem, but that's rarely the case in today's world, and also, GPO provides no reporting, so while you may expect this, I find more often than not that most orgs have varying levels of GPO delivery failures for a variety of reasons.
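The two conditions in the reply above (WNS reachable from the endpoint, and the 8-hour fallback poll) can be checked from the device itself. The following PowerShell is an added example, not code from the AMA or from Microsoft: it tests outbound TCP 443 to a representative WNS host (the host name is an assumption here; confirm it against Microsoft's current Intune endpoint documentation), reads the enrollment scheduled tasks that drive push-triggered and periodic sync, and lets you trigger the sync manually instead of waiting out the poll interval. It assumes an elevated session on an Intune-enrolled Windows device.

```powershell
# Added example (not from the AMA). Assumptions: elevated PowerShell on an Intune-enrolled
# Windows device; the WNS host below is representative and should be verified against
# Microsoft's published endpoint list; task names match common Windows builds.

function Test-WnsReachability {
    param([string[]]$Hosts = @('client.wns.windows.com'))  # assumed representative WNS host
    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; TcpOpen = [bool]$r.TcpTestSucceeded }
    }
}

function Get-IntuneSyncStatus {
    # Enrollment tasks live under \Microsoft\Windows\EnterpriseMgmt\<EnrollmentId>\.
    # 'PushLaunch' fires on a WNS push; 'Schedule #3 ...' is the recurring (8-hour) poll.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -in @('PushLaunch', 'Schedule #3 created by enrollment client') }
    foreach ($t in $tasks) {
        $info = $t | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task       = $t.TaskName
            LastRun    = $info.LastRunTime
            LastResult = $info.LastTaskResult   # 0 = last run succeeded
            NextRun    = $info.NextRunTime
        }
    }
}

function Start-IntuneSync {
    # Kick the periodic poll now rather than waiting for its next scheduled run.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' |
        Where-Object { $_.TaskName -eq 'Schedule #3 created by enrollment client' } |
        Start-ScheduledTask
}

# Report: if WNS is blocked AND the last push-triggered run is older than 8 hours,
# the device is in exactly the "waiting the full 8 hours" state described above.
$wns    = Test-WnsReachability
$status = Get-IntuneSyncStatus
$wns | Format-Table -AutoSize
$status | Format-Table -AutoSize

$push = $status | Where-Object Task -eq 'PushLaunch'
if (($wns | Where-Object { -not $_.TcpOpen }) -and $push -and
    $push.LastRun -lt (Get-Date).AddHours(-8)) {
    Write-Warning 'WNS unreachable and no push in the last 8 hours: changes will wait for the periodic poll.'
}
```

Run the script on a device that "never gets" a new policy: a closed port 443 to the WNS host plus a stale `PushLaunch` time is the network-allow-list problem Jason describes, and is fixed on the proxy or firewall rather than in Intune. `Start-IntuneSync` is only a diagnostic shortcut; if policies arrive promptly after a manual sync but not otherwise, the push channel is the thing to investigate.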
- RobyneAllan
Copper Contributor
We have moved to Endpoint Management exclusively, and one issue we have is our printer deployments to our labs, which are bulk enrolled, so we do not have an admin account on the machines. We tried a policy which looks like a GPO, but that didn't work. We use a script that works, but it wants an admin account on the devices before the students can add a printer that we have deployed. We talked to an Intune analyst from Microsoft and I asked if there was a command that I can add to the script that would work so we didn't need to add a network account to the device, but he didn't know. We only had an issue after the PrintNightmare issue. Before then we didn't have any issues with deploying the printers to the labs; no admin account was needed.
- Paul_Woodward
Iron Contributor
We wrote a proactive remediation. If a device doesn't have the required printers, it backs out the Reg setting that requires Admin to install printers. Then another PR runs as the user to do the Add-Printer commands.
- Paul_Woodward
Iron Contributor
Easy fix is Universal Print, fixes everything, but that's a journey.
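The proactive remediation pattern described above, written out as an added example (it is not the poster's script and not Microsoft's). The shape is the same: a detection script exits 1 when required printers are missing, and a remediation script runs `Add-Printer` for just those connections. The difference is that this version leaves the post-PrintNightmare `RestrictDriverInstallationToAdministrators` value in place and only reports it, so a failed `Add-Printer` can be correlated with a driver that was never pre-staged rather than by lowering the restriction. It assumes the print server and share names are placeholders, that the drivers are already installed on the device (for example, packaged separately as a Win32 app), and that both scripts are configured to run in the logged-on user's context.

```powershell
# Added example (not the poster's code). Assumptions: placeholder print server/share names;
# printer drivers already present on the device; both scripts run as the logged-on user.

$RequiredPrinters = @(                         # constructed placeholder connection names
    '\\printsrv01.contoso.example\Lab-A-Printer',
    '\\printsrv01.contoso.example\Lab-B-Printer'
)

function Get-MissingPrinters {
    param([string[]]$Required = $RequiredPrinters)
    $present = @((Get-Printer -ErrorAction SilentlyContinue).Name)
    $Required | Where-Object { $_ -notin $present }
}

function Get-DriverInstallRestriction {
    # Reports (does not change) the KB5005652 point-and-print restriction.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $v = Get-ItemProperty -Path $key -Name RestrictDriverInstallationToAdministrators -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'not set (defaults to restricted)' }
    return $v.RestrictDriverInstallationToAdministrators
}

# ---- Detection script body: exit 1 = non-compliant (remediation runs), exit 0 = compliant ----
function Invoke-Detection {
    $missing = @(Get-MissingPrinters)
    if ($missing.Count -gt 0) {
        Write-Output ("Missing: {0}; RestrictDriverInstallationToAdministrators={1}" -f
            ($missing -join ', '), (Get-DriverInstallRestriction))
        exit 1
    }
    Write-Output 'All required printers present'
    exit 0
}

# ---- Remediation script body: add only what is missing; surface failures via exit 1 ----
function Invoke-Remediation {
    $failed = @()
    foreach ($p in @(Get-MissingPrinters)) {
        try {
            # With the restriction in place this succeeds only if the driver is already installed.
            Add-Printer -ConnectionName $p -ErrorAction Stop
        } catch {
            $failed += "$p ($($_.Exception.Message))"
        }
    }
    if ($failed.Count -gt 0) {
        Write-Output ("Failed: {0}; RestrictDriverInstallationToAdministrators={1}" -f
            ($failed -join '; '), (Get-DriverInstallRestriction))
        exit 1
    }
    Write-Output 'Printers added'
    exit 0
}

# Save the shared helpers plus ONE of the two calls below into each script file uploaded to Intune.
# Invoke-Detection
# Invoke-Remediation
```

The output strings show up in the Proactive Remediations report, so a device that keeps failing remediation with the restriction value still set to 1 tells you the driver package is the missing piece, without anyone having had to relax the hardening fleet-wide. As the follow-up comment notes, Universal Print sidesteps the driver-install question entirely.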
- Carywells
Copper Contributor
There seem to be some things missing from Intune that make it very hard to fully move to the cloud, such as application control and logging. How do you get around those limitations when you tell people to move fully to the cloud?
- JavoMejia
Copper Contributor
Have you plans to allow a cross-tenant Cloud Attach feature? One Configuration Manager hierarchy doing multiple cloud attaches to different Intune tenants?
- Jason_Sandys
Microsoft
Not at this time, no. What challenge exactly are you looking to address by having this functionality?
- JavoMejia
Copper Contributor
We have some big enterprise clients that have one AD forest and one Configuration Manager hierarchy, but multiple AD Connect instances syncing user accounts to different M365 tenants. Those clients are restricted to receiving Intune policies from just one tenant and not from the one where the user account resides.
- Rob de Roos
Iron Contributor
What are the most common issues why people in this thread are not migrating from CM to Intune? I'm really wondering what others are looking at and why they can't migrate. Is it certain GPOs that simply are non-existent in Intune, is it application delivery, etc.? I'm really wondering.
- Lloyd-Matthews
Copper Contributor
Slow and unreliable push of settings and apps from Intune. We've had issues for 5 years, whether hybrid or just Azure-Intune only. For example, we push out new settings or apps to a group of 30 machines and half may get the settings right away, others will intermittently get them much later, and some may get only some of the settings and apps.
- FuzzyWazHe
Copper Contributor
Management buy-in, time, time to learn a new tool. CM is rock solid and running and reliable. Processes for adding apps in a quick time. Task sequences, able to do some complex installs that require reboots and removing apps, etc.
- Paul_Woodward
Iron Contributor
Imaging devices: you can do a lot of custom stuff with the base image/task sequences. When you move to Autopilot you start with vanilla, and have to make all config changes/customisation through policy. Doable, but a different end user experience and a bunch of work.
- Jason_Sandys
Microsoft
This begs the question though, why? Why perform all of these customizations? You've stated yourself that these increase cost and they certainly increase complexity. We've been calling this out for many years even before Autopilot was released. Anything and everything you tweak, customize, change, etc. away from the default adds risk, cost, and long-term overhead. My constant statement here is that just because you can, doesn't mean you should.
- David Stowers
Brass Contributor
Are there any premade Power BI templates for Intune reporting?
- gatewood502
Brass Contributor
A report on Windows Updates would be EXTREMELY helpful.
- Jason_Sandys
Microsoft
Are you aware of Windows Update for Business Reports? See https://techcommunity.microsoft.com/t5/windows-it-pro-blog/announcing-windows-update-for-business-reports/ba-p/3650956
- JonSauter_MK
Copper Contributor
There's a compliance one, but I've found it to be fairly problematic, and compliance is low on the list of things that most people need first from reporting.
- JamesEpp
Iron Contributor
Responding to "why have two systems" by Johannes -- the problem is Intune doesn't have 100% coverage of all GPOs. GPP being a significant pain point.
- thejame
Copper Contributor
Agreed. We are almost coming to terms with having to manage and maintain two different systems going forward 😞
- BryceSteel
Copper Contributor
Background: we are starting down a multi-domain + multi-CM site merge project, and we are considering the implications of perhaps collapsing all CM sites first (migrating CM clients to a single CM site), before ultimately performing ADDS domain migrations (or Autopilot resets to convert to AAD-native when viable).
Primary question: What workloads bring the most value and/or are lowest-hanging-fruit for us to look into on the co-management workload transition journey?
Specific questions:
- In the situation where clients / endpoints from multiple ADDS domains are managed in a single ConfigMgr site (without the endpoints having hybrid joins): will Endpoint Analytics data flow from all clients (in all ADDS domains) into EA without difficulty?
- Is swinging the "Windows Update policies" workload all that's needed in order to switch endpoints to WUfB (will this work without also swinging the "Device configuration" slider)?
- Rachelle_Blanchard
Microsoft
This question was answered live.
- JavoMejia
Copper Contributor
Cloud Attach was created in order to centralize endpoint security management. In terms of bringing a single pane of glass, have you plans to bring Defender AV reporting into the Intune reporting pane for cloud-attached devices? So far the AV information available is for co-managed or Intune MDM native devices, but not for cloud-attached devices.