In this series:
Welcome to my guides on using Intune Standalone and ConfigMgr, to service Windows 10 devices. They will be aimed towards initiates, basically anyone that hasn’t yet dug their spurs into Intune and Azure.
Intune and Azure are an ever shifting landscape, so if you are visiting, the guide was written in March 2018 and some options or call outs may have been renamed or deprecated.
The scope of these guides will be limited to servicing Windows 10 using Intune Standalone, and ConfigMgr and Intune Standalone when used in conjunction with C0-Management.
We’ll start out with Intune Standalone, and try and manage a Windows 10 device with no on-premise moving parts.
Let’s see how far we can take it, before moving onto managing an Active Directory joined ConfigMgr managed device using Intune Standalone via Co-Management.
Key things I want to do with Intune Standalone are:
- Join Windows 10 Enterprise edition VM’s to Intune Standalone
- Manage GPO like settings
- Manage Software Updates
- Deploy Software
- Perform OSD using AutoPilot
So what about Intune Hybrid?
Well the writing is on the wall, its days are numbered, it has to be supported due to adoption, but it’s usage will dry up, and we’ll see Intune Standalone as the implementable version. Co-Management allows ConfigMgr to integrate with Intune Standalone, think about it …
So, it’s 2018 and just look at the systems management landscape today, in just the last 10 years we’ve gone from a reasonably entrenched, sophisticated world of on-premise data-centers, feeding services exclusively to clients within the confines of a ring-fenced network, with elaborate, often diverse and limited solutions to handle mobility, to an ultra-sophisticated world where the lines between Intranet and Internet are becoming truly blurred, with services shifting away from being hosted and only accessing on-premise, to being hosted and accessible from the Internet, and consequently on-premise too.
This kind of ‘displacement’ of technologies and services, is akin to when revolution was caused by the advent of the Personal Computer (PC!), and Mainframe guru’s where ‘huh? what is that thing?’ … Cloud Technologies,a mostly marketing term for subscription-based remotely managed services, isn’t just becoming a reality, it is a reality.
The workhorse for me, has been ConfigMgr, frequently termed as SCCM, which for the last 25 years, has been trying to keep up with the ever-changing IT landscape during its infrequent release milestones. A release cycle, that made it hard to predict where the ‘frontiers’ would be in several years time, and thus where to put the development energy ahead of a major release, and when Windows 10 came around, with its fast cadence, something had to change, and the product group did something about it, introducing the servicing model, allowing for a higher turn-over of releases and alignment with Windows 10 feature releases.
Servicing positioned ConfigMgr to align better with the needs of the customers and the release schedule Windows 10, which helped create the ‘frontiers’, instead of trying to predict where they are going to be and engineering towards them for a grand release.
I’ve witnessed much churn in the IT industry, in my couple of decades of being an administrator. The most significant to date would is the transition to cloud services.
Take Office365 for example, Email, Office, Skype for Business, Document Sharing and Rights Management as a Cloud experience, very attractive, easily adoptable, many of my customers have switched off their on-premise Exchange servers, and switched to Office365, as well as switching off some of their file servers, and opting to use OneDrive, even going as far as integrating their directory services with Azure Active Directory to leverage more Microsoft technologies.
Its quite the thing to witness really, seeing organisations becoming aware of Cloud technologies and adopting them.
I’ve seen one of my customers literally migrate 80% of their on-premise server estate (several hundred servers) into Azure, keeping some back due to legal and technical constraints, that will eventually iron out and let them move pretty much everything to the Cloud. They are not in the majority, but certainly represent the direction the rest of the herd will take over the next decade.
I figure, by the time I’m done with IT, on-premise services will be a distant memory just like MSDOS is to those that lived it.
Whatever the case may be, we have many years of phased and evolving adoption ahead of us, which as geeks we’re going to be privileged to have lived through, as these services transition into what our children will take over and maintain, as well as use.
The tooling of the future quite literally.
Cloud adoption once its soaked up what it can, will rest on what has been created for a while, before going through radical iteration or evolution. Its the destiny of all IT and Technology to continuously change form and function, to keep lock-step with our needs and uses for it.
My perspective of the industry and the growth its gone through, comes from being a ConfigMgr administrator for the best part of 15 years, 10 shy of the full lifecycle of ConfigMgr.
In that time, I’ve seen Microsoft begin to build out its Cloud service portfolio, to become what we have now, an absolute explosion of growth in features and service delivery over the internet.
Intune is playing an important part in this growth.
It has for several years been maturing towards its destiny, whether it takes on another form before it arrives, of providing full system management services to ‘modern devices’ anywhere they rest.
Feature-wise Intune has been happily eating up market share since its inception, competing with the other mobile device management solutions, AirWatch, MobileIron et al, but has had a hard time assailing its firmly established cousin, ConfigMgr.
Right now, the gaps between Intune and ConfigMgr have lessened to a greater degree, and the take up amongst my diverse customer base is ramping up on all fronts, adopting or having it on the roadmap.
Intune’s ideal use-case started out as being for organisations that have a reasonably sized device estate that is very diverse and highly mobile, Windows (Tablets …), Android, Apple, uses modern applications, and do not require a heavy-weight systems management solution like ConfigMgr to manage. It did a fine job of taking on the smaller customers needs, and protruded into the enterprise to provide service there, but its reach was limited by its ability in comparison to ConfigMgr.
This position has changed. Intune Standalone is rippling with features, as a product it has greatly matured, and the Microsoft Operating System landscape is dominated by Windows 10 now, with Windows 7 and variants of Windows 8 being migrated off of to get to 10.
We can now reach out and provide systems management services to Windows 10 devices in large numbers for example, almost as strongly as we can using ConfigMgr, while displacing the infrastructure needed to service Windows 10 devices, along with the attendant access limitations, into the cloud with Azure Active Directory for authentication, with some limitations overall still existing which still drives the need for ConfigMgr, while benefiting from many additional Microsoft Cloud solutions such as Rights Management\Conditional Access.
These truly are exciting times.
With Intune Hybrid, we were able to integrate Intune into ConfigMgr and bridge the two worlds, however, it led to a fork in the Intune product between Intune Stand-alone and Intune Hybrid, with Hybrid becoming the slow-lane for feature releases, and Stand-alone sitting on the leading edge of feature development and releases.
Now that we have the Co-Management feature in ConfigMgr, we can link with Intune Standalone and not require a hybrid code fork any longer. We can provide some services via Intune, and the rest via ConfigMgr (add in a Cloud Management Gateway and things get proper exciting!), and slowly slide sideways until we’re mostly in Intune …
So now the preamble is over with, let’s tear into standing up what’s needed to have some fun.
We’ll register for a 30-day Intune Evaluation, and use that to kick the feature-list tyres.
You use to have to provide credit card details, that’s changed, you can run up Intune Standalone and then once signed in, start an Azure Active Directory Premium P2 plan trial to round off.
There’s many ways to go at this, you can get an Enterprise Mobility + Security E5 Trial, or start a regular Intune standalone evaluation and bolt on an Azure AD plan. We’ll go the latter root for this guide and talk about the other options at a later date.
Click here to begin registration for an Intune evaluation (refer to MS Docs if link fails)
Do the necessary and sign up
Once you’ve filled everything in, select Next
Now we need to create an administrator for the Intune evaluation, fill in and click Create my account
Handle the way you want to be contacted and click Text me
Once you’ve obtained your verification code, punch it in and select Next
Instead of elevator music you get an animated Please wait message …
If all is well you’ll see the above and be ready to move on.
You should receive an email welcoming you to the evaluation, detailing some configuration information and listing some helpful resources. I would recommend storing the email away safely, and having a nose around the links in the email.
Now visit the Office 365 Admin Center
Login with your admin credentials, if not already logged in via the registration process.
Next up let’s visit our new Azure Active Directory!
Whenever you are prompted to authenticate, you’ll enter the Administrator credentials you created when setting up Intune.
In the Office 365 Admin Center, select Admin Centers then click Azure Active Directory
The Azure Active Directory Portal will appear in a new tab in your browser
We will need to upgrade this to Premium, so let’s do that now
The dashboard should show you a tile which offers a trial
Click Try Azure AD Premium
Let’s go for the Azure AD Premium P2 plan, so that beyond this guide you have a rich ‘services’ platform to explore.
Select Free trial in the Azure AD Premium P2 tile
Click that Activate button and off we go.
Another email should arrive, take time out and go read its contents. Lots of reference material in there to absorb.
At the time of writing, as the text above states, you get 100 licenses and a 30 day evaluation period. Worth noting that if you wish to retain the evaluation tenant and pay, you will have to match it with a paid Premium P2, when you may need a different plan. This is supposed to be a play area, not one to establish a possible production presence, so that’s cool, we’ll let this evaluation expire after 30 days, make another if you haven’t finished exploring. Microsoft have made it incredibly easy to stand up complex environments and evaluate within them.
While its preparing itself you’ll get a notification pop-up that it’s in progress
Click on the Bell icon to see notifications, you should see this
You’re now using an Azure AD Premium P2 plan, capabilities and pricing can be found here.
From the Azure Active Directory dashboard, you’ll see your service tile has changed to show we’re running with the Premium P2 plan
We now need to assign a Premium P2 license to our administrative user
You can do this both in the Azure Portal, and Office 365 Admin Center
From Azure, select Users, select the administrator account, then select Licenses
Select Assign and select Products
Tick Azure Active Directory Premium P2 and click Select
Or, you can do it from the Office 365 Admin Center (portal.office.com)
Navigate to Setup \ Products
Select Assign licenses for Azure Active Directory Premium P2
Select your administrator account which should slide out a property sheet
For Product licenses select Edit
Turn on the license and select Save
We now need to enable and setup Intune and Azure Active Directory, so that our devices will automatically enrol into Intune, otherwise they will just enrol to AAD
Visit the Intune Portal
There should be a note, informing you that device management hasn’t been enabled yet, this is because we haven’t set Intune as the Mobile Device Management Authority, click the note itself to be taken to the Choose MDM Authority panel
We will now choose who is the Mobile Device Management authority
Select Intune MDM Authority
Visit the Azure Active Directory Portal (aad.portal.azure.com)
Select Azure Active Directory
Then select Mobility (MDM and MAM)
Select Microsoft Intune Enrollment
Set MDM user scope to All
Go back to Mobility (MDM and MAM) (Modern Device Management, Modern Application Management)
Select Intune this time
For MDM user scope select All
For MAM User scope select None, at a later date and blog post, we will circle back here to switch it on.
We’re ready now to take Intune Standalone, and at a later date all the ConfigMgr Cloud services (CMG!) for a test drive.
Let’s wrap up this post by enrolling a Windows 10 Build 1709 (Enterprise) VM to Intune Standalone
On a Windows 10 device in workgroup mode, go to Settings, Accounts
Select Access work or school
Select Connect on the right (grey plus sign next to it)
Enter your Intune administrator credentials
Tap in your password and click Sign in
We haven’t configured Azure Active Directory or Intune, so 2-factor authentication is thrown up for us to interact with, select Set it up now
Choose your method, I’ve chosen text message and completed the next page
We now need to setup a PIN, something we can tweak later on
Select Create PIN
Tap in a complex enough PIN and select OK
Now we’re being asked to authenticate using a local account
Click Done to wrap up
You may see the You’re all set! page as above, or get taken back to the Accounts page
Click the newly added Work or school account
We’re now Managed!
Head back to the Intune Portal (portal.azure.com)
Our device shows up in the Intune devices list, result.
How easy was that, identical to domain joining a device that has completed its setup
Now that we have a platform, we can possibly enrol several more VM’s so that we can use them to test out the features. Once we’re done with standalone, we’ll move to Co-Management where Intune Standalone bridges with ConfigMgr to become an incredibly formidable game-changer for the systems management world!
Next up, let’s have a play around with our Windows 10 device by configuring Intune and Azure Active Directory further