SCCM & InTune field experience?

  • Thread starter: DHR

Started using SCCM in anger 18 months ago on a rush 27001 compliance job; at the time, installation management of software was out of control, which isn't ideal given compliance.

I've got a kit refresh pending and want to use it as an opportunity to get a software install catalog sorted to ease patch management across all software, along with a Bitlocker rollout all onto HP kit.

I know Microsoft are pushing InTune, but my understanding is that, at present, from a compliance point of view it doesn't report particularly well, so people are either using SCCM, or both?

After some real world experience of both InTune and a hybrid of SCCM and InTune given what I need to accomplish?
 
I run our 2000 laptop estate with all the patch and software deployment and compliance being carried out from SCCM. We then have an InTune environment just for our 1000 phone/tablet devices.
Any questions, just ask.
 
We use personal devices for mobile/tablets, that hadn't even crossed my mind as far as InTune goes.

It was the software installation I was considering handling with InTune as I've heard that it doesn't feed back to SCCM as far as reports go? E.g. how many installations of this one build of 7zip are installed across the estate etc?
 
I run our 2000 laptop estate with all the patch and software deployment and compliance being carried out from SCCM. We then have an InTune environment just for our 1000 phone/tablet devices.
Any questions, just ask.

Are you using dynamic provisioning at all or still using images? Have a new batch of gear arriving and want to start down the road of rolling the config out with SCCM.
 
Deployed SCCM at a college a few years back, did a zero-touch-implementation for all OSD and even wrote some custom scripting to get where it was on the network to plonk the computer in the right OUs for software deployments based on subjects. We also transitioned to SCCM managed WSUS and SCEP and it was a great tool with some frustrations. You will learn to love CMTrace and hunting through log files.
 
I think Microsoft binned off the SCCM integration with Intune (Link) which sucks as personally I thought this was the only real way Intune was going to get any real traction in bigger enterprises.

From personal experience we have demoed the MDM/MAM side of Intune internally where I work and we have a few test sites which are using the Intune management for their Windows 10 laptops. Honestly, unless you go for Windows 10 Enterprise and Microsoft 365 E3 licenses you miss out on quite a lot of the functionality, such as "Good" BitLocker management, pushing out corporate wallpapers and lockscreens, and Windows ATP for the security side of things.

For mobile phones we found Intune works a lot better with Android Enterprise devices (previously Android for Work), as pushing out applications, restricting apps and creating policies seemed to offer considerably more control than the iOS counterpart options (full disclosure that I am biased, as we predominantly have Android corporate devices). Again, the app management, device restrictions, policy creation and remote wipe worked well, although setting them up seemed to require a lot of unnecessary clicks and the interface just seemed clunky and not very well thought out.

The place where we did had the Business subscription so we effectively used Intune to push out our RMM tool which we could then deploy apps like their own AV and LOB apps as at the time Intune was limited to MSI files only. For this we found pushing out applications and remote wipes worked consistently albeit with some significant delays sometimes.

There's a lot of promise in the system and once it matures it will likely be very competitive; however, like most of the Azure interface at the moment, simple basic tasks can't be completed without a lot of laborious unnecessary clicks and even then they often don't work exactly as intended. It's not horrible, it's not perfect, but it is a learning curve and it will probably be the mainstream very soon.
 
I don't know, I am seeing a lot more jobs requiring InTune experience as part of EMS nowadays than when I was looking at roles 2-3 years ago.
 
Is anyone running task sequences that roll out Bitlocker during OSD? It's been driving me insane today, one failure after another. Last error was the process not adding the machine to the domain, so when Bitlocker tries to activate it can't store the key in AD. Given up for the week now, but I was hoping it'd be a little easier than it is as far as Bitlocker is concerned; everything else is working like a dream.
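
An added example, not part of the thread or any poster's task sequence: a guard step that refuses to start BitLocker until the domain join and the AD key escrow have both succeeded, so the failure described above surfaces as a clear exit code instead of a half-protected machine. It assumes the step runs elevated in the full OS phase on a TPM machine, that Group Policy already permits BitLocker recovery backup to AD DS, and the exit codes are arbitrary choices for this sketch.

```powershell
# Added example: gate BitLocker activation on a confirmed domain join and AD escrow.
# Assumed to run elevated in the full OS phase of the task sequence (not WinPE).
$ErrorActionPreference = 'Stop'
$mount = $env:SystemDrive

# 1. Confirm the machine really joined the domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Host "Not domain joined (workgroup '$($cs.Workgroup)'); BitLocker not started."
    exit 1
}

# 2. Confirm the machine account's secure channel to a domain controller works.
if (-not (Test-ComputerSecureChannel)) {
    Write-Host "Secure channel to domain '$($cs.Domain)' is broken; BitLocker not started."
    exit 2
}

# 3. Make sure a recovery password protector exists, then escrow it to AD
#    before any encryption starts.
function Get-RecoveryProtector {
    (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -First 1
}
$rp = Get-RecoveryProtector
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $rp = Get-RecoveryProtector
}
try {
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $rp.KeyProtectorId | Out-Null
} catch {
    Write-Host "AD escrow failed: $($_.Exception.Message)"
    exit 3
}

# 4. Only now turn encryption on, and only if the volume is still unencrypted.
$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $mount -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
}
exit 0
```

Placing a step like this after the domain join and treating a non-zero exit as a task sequence failure keeps the join problem and the BitLocker problem separate in the logs.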
 