Roberts Blog

The House of SCCM on System Center Street

Intune Standalone–Part 1

In this series:

Intune Standalone – Part 2 – Enrol from OOBE

Welcome to my guides on using Intune Standalone and ConfigMgr, to service Windows 10 devices. They will be aimed towards initiates, basically anyone that hasn’t yet dug their spurs into Intune and Azure.

Intune and Azure are an ever shifting landscape, so if you are visiting, the guide was written in March 2018 and some options or call outs may have been renamed or deprecated.

The scope of these guides will be limited to servicing Windows 10 using Intune Standalone, and ConfigMgr and Intune Standalone when used in conjunction with Co-Management.

We’ll start out with Intune Standalone, and try and manage a Windows 10 device with no on-premise moving parts.

Let’s see how far we can take it, before moving onto managing an Active Directory joined ConfigMgr managed device using Intune Standalone via Co-Management.

Key things I want to do with Intune Standalone are:

  • Join Windows 10 Enterprise edition VMs to Intune Standalone
  • Manage GPO like settings
  • Manage Software Updates
  • Deploy Software
  • Perform OSD using AutoPilot

So what about Intune Hybrid?

Well, the writing is on the wall, its days are numbered. It has to be supported due to adoption, but its usage will dry up, and we’ll see Intune Standalone as the implementable version. Co-Management allows ConfigMgr to integrate with Intune Standalone, think about it …

So, it’s 2018 and just look at the systems management landscape today. In just the last 10 years we’ve gone from a reasonably entrenched, sophisticated world of on-premise data-centers, feeding services exclusively to clients within the confines of a ring-fenced network, with elaborate, often diverse and limited solutions to handle mobility, to an ultra-sophisticated world where the lines between Intranet and Internet are becoming truly blurred, with services shifting away from being hosted on-premise and only accessible there, to being hosted and accessible from the Internet, and consequently on-premise too.

This kind of ‘displacement’ of technologies and services is akin to the revolution caused by the advent of the Personal Computer (PC!), when the Mainframe gurus were going ‘huh? what is that thing?’ … Cloud Technologies, a mostly marketing term for subscription-based remotely managed services, isn’t just becoming a reality, it is a reality.

The workhorse for me has been ConfigMgr, frequently termed SCCM, which for the last 25 years has been trying to keep up with the ever-changing IT landscape during its infrequent release milestones. That release cycle made it hard to predict where the ‘frontiers’ would be in several years’ time, and thus where to put the development energy ahead of a major release. When Windows 10 came around, with its fast cadence, something had to change, and the product group did something about it, introducing the servicing model, allowing for a higher turn-over of releases and alignment with Windows 10 feature releases.

Servicing positioned ConfigMgr to align better with the needs of its customers and the release schedule of Windows 10, which helped create the ‘frontiers’, instead of trying to predict where they were going to be and engineering towards them for a grand release.

I’ve witnessed much churn in the IT industry in my couple of decades of being an administrator. The most significant to date is the transition to cloud services.

Take Office365 for example: Email, Office, Skype for Business, Document Sharing and Rights Management as a Cloud experience, very attractive and easily adoptable. Many of my customers have switched off their on-premise Exchange servers and switched to Office365, as well as switching off some of their file servers and opting to use OneDrive, even going as far as integrating their directory services with Azure Active Directory to leverage more Microsoft technologies.

It’s quite the thing to witness really, seeing organisations becoming aware of Cloud technologies and adopting them.

I’ve seen one of my customers literally migrate 80% of their on-premise server estate (several hundred servers) into Azure, keeping some back due to legal and technical constraints, that will eventually iron out and let them move pretty much everything to the Cloud. They are not in the majority, but certainly represent the direction the rest of the herd will take over the next decade.

I figure, by the time I’m done with IT, on-premise services will be a distant memory just like MSDOS is to those that lived it.

Whatever the case may be, we have many years of phased and evolving adoption ahead of us, which as geeks we’re going to be privileged to have lived through, as these services transition into what our children will take over and maintain, as well as use.

The tooling of the future quite literally.

Cloud adoption, once it’s soaked up what it can, will rest on what has been created for a while, before going through radical iteration or evolution. It’s the destiny of all IT and Technology to continuously change form and function, to keep lock-step with our needs and uses for it.

My perspective of the industry and the growth it’s gone through comes from being a ConfigMgr administrator for the best part of 15 years, 10 shy of the full lifecycle of ConfigMgr.

In that time, I’ve seen Microsoft begin to build out its Cloud service portfolio, to become what we have now, an absolute explosion of growth in features and service delivery over the internet.

Intune is playing an important part in this growth.

It has for several years been maturing towards its destiny of providing full system management services to ‘modern devices’ anywhere they rest, whether or not it takes on another form before it arrives.

Feature-wise Intune has been happily eating up market share since its inception, competing with the other mobile device management solutions, AirWatch, MobileIron et al, but has had a hard time assailing its firmly established cousin, ConfigMgr.

Right now, the gaps between Intune and ConfigMgr have narrowed considerably, and take-up amongst my diverse customer base is ramping up on all fronts, with customers either adopting it or having it on the roadmap.

Intune’s ideal use-case started out as being for organisations that have a reasonably sized device estate that is very diverse and highly mobile (Windows tablets, Android, Apple …), use modern applications, and do not require a heavy-weight systems management solution like ConfigMgr. It did a fine job of taking on the smaller customers’ needs, and protruded into the enterprise to provide service there, but its reach was limited by its ability in comparison to ConfigMgr.

This position has changed. Intune Standalone is rippling with features, as a product it has greatly matured, and the Microsoft Operating System landscape is dominated by Windows 10 now, with Windows 7 and variants of Windows 8 being migrated off of to get to 10.

We can now reach out and provide systems management services to Windows 10 devices in large numbers, almost as strongly as we can using ConfigMgr, while displacing the infrastructure needed to service them, along with the attendant access limitations, into the cloud, with Azure Active Directory for authentication. Some limitations still exist overall, which still drives the need for ConfigMgr, but we benefit from many additional Microsoft Cloud solutions such as Rights Management and Conditional Access.

These truly are exciting times.

With Intune Hybrid, we were able to integrate Intune into ConfigMgr and bridge the two worlds, however, it led to a fork in the Intune product between Intune Stand-alone and Intune Hybrid, with Hybrid becoming the slow-lane for feature releases, and Stand-alone sitting on the leading edge of feature development and releases.

Now that we have the Co-Management feature in ConfigMgr, we can link with Intune Standalone and not require a hybrid code fork any longer. We can provide some services via Intune, and the rest via ConfigMgr (add in a Cloud Management Gateway and things get proper exciting!), and slowly slide sideways until we’re mostly in Intune …

So now the preamble is over with, let’s tear into standing up what’s needed to have some fun.

We’ll register for a 30-day Intune Evaluation, and use that to kick the feature-list tyres.

You used to have to provide credit card details; that’s changed. You can run up Intune Standalone and then, once signed in, start an Azure Active Directory Premium P2 plan trial to round off.

There are many ways to go at this: you can get an Enterprise Mobility + Security E5 Trial, or start a regular Intune standalone evaluation and bolt on an Azure AD plan. We’ll go the latter route for this guide and talk about the other options at a later date.

Click here to begin registration for an Intune evaluation (refer to MS Docs if link fails)

Do the necessary and sign up

Once you’ve filled everything in, select Next

Now we need to create an administrator for the Intune evaluation, fill in and click Create my account

Handle the way you want to be contacted and click Text me

Once you’ve obtained your verification code, punch it in and select Next

Instead of elevator music you get an animated Please wait message …

If all is well you’ll see a confirmation and be ready to move on.

You should receive an email welcoming you to the evaluation, detailing some configuration information and listing some helpful resources. I would recommend storing the email away safely, and having a nose around the links in the email.

Now visit the Office 365 Admin Center

https://portal.office.com

Login with your admin credentials, if not already logged in via the registration process.

Next up let’s visit our new Azure Active Directory!

Whenever you are prompted to authenticate, you’ll enter the Administrator credentials you created when setting up Intune.

In the Office 365 Admin Center, select Admin Centers then click Azure Active Directory

The Azure Active Directory Portal will appear in a new tab in your browser

We will need to upgrade this to Premium, so let’s do that now

The dashboard should show you a tile which offers a trial

Click Try Azure AD Premium

Let’s go for the Azure AD Premium P2 plan, so that beyond this guide you have a rich ‘services’ platform to explore.

Select Free trial in the Azure AD Premium P2 tile

Click that Activate button and off we go.

Another email should arrive, take time out and go read its contents. Lots of reference material in there to absorb.

At the time of writing, the activation page states that you get 100 licenses and a 30 day evaluation period. Worth noting that if you wish to retain the evaluation tenant and pay, you will have to match it with a paid Premium P2, when you may need a different plan. This is supposed to be a play area, not one to establish a possible production presence, so that’s cool: we’ll let this evaluation expire after 30 days, and make another if you haven’t finished exploring. Microsoft have made it incredibly easy to stand up complex environments and evaluate within them.

While it’s preparing itself you’ll get a notification pop-up that it’s in progress

Click on the Bell icon to see notifications, you should see this

You’re now using an Azure AD Premium P2 plan, capabilities and pricing can be found here.

From the Azure Active Directory dashboard, you’ll see your service tile has changed to show we’re running with the Premium P2 plan

We now need to assign a Premium P2 license to our administrative user

You can do this both in the Azure Portal, and Office 365 Admin Center

From Azure, select Users, select the administrator account, then select Licenses

Select Assign and select Products

Tick Azure Active Directory Premium P2 and click Select

Click Assign

Or, you can do it from the Office 365 Admin Center (portal.office.com)

Navigate to Setup \ Products

Select Assign licenses for Azure Active Directory Premium P2

Select your administrator account which should slide out a property sheet

For Product licenses select Edit

Turn on the license and select Save
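As an added example that is not part of the original post, here is the same licence assignment done with the AzureAD PowerShell module rather than the portal. It assumes the P2 trial has already been activated (so the AAD_PREMIUM_P2 SKU exists in the tenant); the admin UPN and the two-letter usage location are placeholders to replace.

```powershell
# Added example, not from the original post: assign the Azure AD Premium P2 trial
# licence to the Intune administrator account with the AzureAD PowerShell module.
$adminUpn = 'admin@yourtenant.onmicrosoft.com'   # placeholder: your Intune admin account
$usageLocation = 'GB'                            # placeholder: ISO 3166-1 two-letter code

Connect-AzureAD | Out-Null

# Locate the SKU the trial added; AAD_PREMIUM_P2 is its SkuPartNumber
$sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'AAD_PREMIUM_P2' }
if (-not $sku) { throw 'AAD_PREMIUM_P2 is not in this tenant; activate the P2 trial first.' }

$free = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
Write-Host "AAD_PREMIUM_P2: $free of $($sku.PrepaidUnits.Enabled) licences free"

$user = Get-AzureADUser -ObjectId $adminUpn

# A licence cannot be assigned to a user with no usage location, which is the
# usual reason an assignment fails; set it if it is missing.
if (-not $user.UsageLocation) {
    Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation $usageLocation
}

# Only assign if the account does not already hold the licence
if ($user.AssignedLicenses.SkuId -contains $sku.SkuId) {
    Write-Host "$adminUpn already has AAD_PREMIUM_P2"
}
else {
    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $sku.SkuId
    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.AddLicenses = $license
    Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
}

# Confirm what the account now holds, by SKU part number
$allSkus = Get-AzureADSubscribedSku
(Get-AzureADUser -ObjectId $adminUpn).AssignedLicenses | ForEach-Object {
    $id = $_.SkuId
    ($allSkus | Where-Object { $_.SkuId -eq $id }).SkuPartNumber
}
```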

We now need to enable and setup Intune and Azure Active Directory, so that our devices will automatically enrol into Intune, otherwise they will just enrol to AAD

Visit the Intune Portal

There should be a note informing you that device management hasn’t been enabled yet. This is because we haven’t set Intune as the Mobile Device Management Authority; click the note itself to be taken to the Choose MDM Authority panel.

We will now choose who is the Mobile Device Management authority

Select Intune MDM Authority

Select Choose

Visit the Azure Active Directory Portal (aad.portal.azure.com)

Select Azure Active Directory

Then select Mobility (MDM and MAM)

Select Microsoft Intune Enrollment

Set MDM user scope to All

Select Save

Go back to Mobility (MDM and MAM) (Modern Device Management, Modern Application Management)

Select Intune this time

For MDM user scope select All

For MAM User scope select None; in a later blog post we will circle back here to switch it on.

Select Save

We’re ready now to take Intune Standalone, and at a later date all the ConfigMgr Cloud services (CMG!) for a test drive.

Let’s wrap up this post by enrolling a Windows 10 Build 1709 (Enterprise) VM to Intune Standalone

On a Windows 10 device in workgroup mode, go to Settings, Accounts

Select Access work or school

Select Connect on the right (grey plus sign next to it)

Enter your Intune administrator credentials

Click Next

Tap in your password and click Sign in

We haven’t configured Azure Active Directory or Intune beyond the basics, so 2-factor authentication setup is thrown up for us to interact with; select Set it up now

Choose your method, I’ve chosen text message and completed the next page

We now need to setup a PIN, something we can tweak later on

Select Create PIN

Tap in a complex enough PIN and select OK

Now we’re being asked to authenticate using a local account

Select OK

Click Done to wrap up

You may see the You’re all set! page, or get taken back to the Accounts page

Click the newly added Work or school account

Click Info

We’re now Managed!

Head back to the Intune Portal (portal.azure.com)

Our device shows up in the Intune devices list, result.

How easy was that? Identical to domain joining a device that has completed its setup.
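As an added check that is not part of the original post, the PowerShell below, run elevated on the enrolled VM, reads dsregcmd /status and the Enrollments registry key to confirm the device is both joined or registered to the tenant and actually MDM-enrolled with Intune, rather than only having an Azure AD account added. The field and value names are the ones I know from Windows 10 1709; the device could be joined or workplace-registered depending on which option was picked in Access work or school, so either flag may read YES.

```powershell
# Added example, not from the original post: confirm Azure AD state and Intune
# MDM enrollment on the Windows 10 device after "Access work or school".

# dsregcmd /status prints "Name : Value" lines; collect them into a hashtable
$state = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
}

# AzureAdJoined or WorkplaceJoined should be YES; MdmUrl shows the enrollment endpoint
foreach ($key in 'AzureAdJoined', 'WorkplaceJoined', 'DomainJoined', 'TenantName', 'MdmUrl') {
    '{0,-16} {1}' -f $key, $state[$key]
}

# The identity join alone is not management. An Intune enrollment is recorded under
# HKLM\SOFTWARE\Microsoft\Enrollments\<GUID> with ProviderID "MS DM Server".
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }

if ($enrollments) {
    foreach ($e in $enrollments) {
        'Intune enrollment {0}: UPN={1} EnrollmentState={2}' -f $e.PSChildName, $e.UPN, $e.EnrollmentState
    }
}
else {
    # Typical cause: the account is outside the MDM user scope set in Azure AD
    Write-Warning 'Device is not MDM-enrolled with Intune; check the MDM user scope in Azure AD.'
}
```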

Now that we have a platform, we can possibly enrol several more VMs so that we can use them to test out the features. Once we’re done with standalone, we’ll move to Co-Management where Intune Standalone bridges with ConfigMgr to become an incredibly formidable game-changer for the systems management world!

Next up, let’s have a play around with our Windows 10 device by configuring Intune and Azure Active Directory further

2 Comments

  1. Wayne

    Nice article, very helpful for me as I’m wanting to do an eval of Intune and SCCM together. Any links to the next part or parts?

    • RobertMarshall

      Thanks Wayne, will try to keep all the posts updated with links to the next 🙂
