Improve documentation - it is very vague on what works with "Intune client" and what works with "MDM"
I had to open a ticket with support to get the following authoritative answer:
1. Intune client manages only two policies: Intune agent policy and Intune firewall settings
2. all other windows* related policies require device managed by MDM
3. MDM and intune client do not (cannot) coexist on the same computer
While there is a short note on TechNet regarding the differences between intune client and MDM it would have been VERY useful to have these three short points covered in bold letters.
FWIW marketing wise you are implying that windows 10 systems can be fully managed and I would as a customer argue that it isn't exactly true - remote access doesn't work and neither does endpoint protection (defender) ;-)
We’ve improved our content re: this topic. For details, see https://docs.microsoft.com/en-us/intune/device-management.
@angrobe, the improvement needs further improving. Microsoft has gone to extreme lengths to hide the fact that the Intune Client Software is required to create a full list of installed apps. MDM management only shows managed apps (a.k.a. deployed via Intune). The page at https://docs.microsoft.com/en-au/intune-classic/deploy-use/pc-management-comparison fails to state this important detail which is a limiting factor for many others - see https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/8416476-inventory-of-all-installed-software-not-just-the.
So, @angrobe, the issue is far from COMPLETED. Keep working on it, you've got lots to improve. Your (Microsoft's) comparison between Intune Client vs. MDM management is as messy and confusing as it gets, years on. Admins have been requesting it very loudly for way too long, so what is Microsoft trying to hide?
Thank you for bringing up this issue! It has been holding us up in our discovery phase for some time now.
Yes please contact me as well regarding that topic - I agree with everyone.
Chad Simmons commented
You are welcome to contact me.
I see this is a big deal when rolling out Intune to a new customer as there is simply too much undocumented and too much vagueness to give definitive answers to the pros and cons to each management scenario.
Aaron Parker commented
Came across this article today: https://wow365.nl/mobiliteit/intune/modern-management/
This is the detail we need in the documentation and the Intune console.
I can't stress enough how high this should be on the priority list to fix.
I agree that the marketing and message is very misleading.
A lot of us are moving clients closer to a cloud-only model, and managing desktops with Intune is sold as a solution, but only after fighting with it for hours do you realize these severe shortcomings of not having the option to configure both screen lock timeout AND firewall/endpoint protection. I think your priority should be to improve the robust management of Windows Pro/Enterprise clients with the Intune client, able to do inventory, manage EPP, and the basics of enterprise security like screen lock, password complexity, etc. This seems like such a no-brainer, and the fix can't come quickly enough.
Oliver Kieselbach commented
Oh yeah, this is so true. I had to learn the three mentioned points by doing a lot of tests. It's not clear enough. And it is always talked about as real Desktop Management with the Intune client, but the coexistence problem is never mentioned. Very disappointing... needed to do an Intune PoC to find all this by myself...
Kaj Niemi commented
@CathyMoya yes, it is ok to contact me. The emails you send out via this service have a reply address of no-reply@ so it is hard to respond to those :-)
David Chanter commented
I agree, Marketing Material around "Desktop" management is misleading at best. I do not wish to manage my desktop fleet as if they were phones.
Kaj Niemi commented
My definition of "endpoint protection not working" is that as an EMS admin I would have liked to see the malware check status.