Windows Office Hours: January 16, 2025
Thursday, Jan 16, 2025, 08:00 AM PST
Event details
Get answers to your questions about adopting Windows 11 and managing Windows devices across your organization. Find out how to proactively implement and monitor Zero Trust practices. Get tips on keep...
Pearl-Angeles
Updated Jan 08, 2025
Sweeten
Jan 16, 2025 (Copper Contributor)
Why does Intune seem like it's been in alpha release for a decade? There are so many functions that are poorly labelled or with poor documentation (policies), have major undisclosed caveats (policy sets, Baselines), or have little visibility/easily consumable statuses (Autopilot, application deployment in general) compared to every other platform. Why does it take 2, 8, 24+ hours for most changes to sync or install automatically when every other platform performs these same changes in under 30 minutes, if not instantly?
As a medium-sized org, we don't have the resources to hire an entire team to build out and craft Intune into a fully capable and effective device management platform when it's so much more efficient to pay for additional products (PDQ, Chocolatey, etc.) that one person can manage part-time.
Dom_Cote
Jan 17, 2025 (Brass Contributor)
I can understand your frustration. Truly.
We are an MSP working exclusively with SMB and provide cloud-only M365 on enterprise level for them.
While Intune surely could use more consistency, we use it very successfully. It works!
Here are a few "workarounds" we learned that might help you too.
1. Refresh times are not determined by Intune; it's the OMA-DM client in Windows. It polls Intune for policy changes. Intune doesn't really push anything to Windows. The polling frequency is hard-coded in the client. During normal operation it is every 8 hours, correct. This reflects the desire to minimize user impact by limiting CPU cycles, memory consumption and disk access. Also, imagine a network with ~5000 devices behind an internet access point. Too frequent polling will strain internet access, as all OMA-DM comms go to the cloud. During normal operation, policy changes are (hopefully) infrequent, so frequent polling doesn't really add value. By the way, newly deployed devices will poll every 5 minutes and then slowly lengthen the polling interval once the device has picked up and deployed all policies.
2. If you need an "instant" policy refresh for testing, or because a user expects an instant fix, you can either trigger the poll/update manually from within Intune, or ask the user to do it manually from the Company Portal app, which I hope you deploy to all managed devices?
3. A new method of applying policies is currently in preview (AFAIK), where the MDM agent on the device applies policies to the device autonomously, near instantly. I forget what it is called and more details, but this new comm method may address your need for speed. 😁 Also, this new approach can remediate config drift even while offline, based on the last policy set they received. No idea what the status on this is, but stay tuned.
4. Baselines are really best for orgs that have NO or very little M365 capabilities. They set everything up "good enough", but not ideal. Being generalized baselines, they do not work for everyone with more specific needs and can even conflict with those more specific needs, yes. We as an MSP therefore don't use MSFT Baselines but have our own.
5. Remote app deployment at scale on Windows is ALWAYS half good training, half luck, half experience and half black magic. 😉 There are sooo many different methods of installing apps from sooo many different sources with sooo many different licensing and activation methods and sooo many prerequisites that no single system can address them all. Some companies still use client-server apps leveraging AD that are 10-12 years old; others use modern cloud apps only. As an MSP, I can say that store apps are, by far, the least complicated to deploy. Even updating happens by itself with no interaction needed from us. So we steer customers to store apps whenever possible (for example Affinity vs. Adobe). Legacy AD-based apps are a nightmare in any MDM environment, which is why we don't support hybrid environments.
But I agree that deploying apps via Intune/Autopilot/ESP could use a lot more user-friendly insight.