Windows 10 for Business Pushes Microsoft Intune First

System Center Configuration Manager is a clear market leader and one of Microsoft's identified cash cows in the Server and Tools business. A few months ago a Microsoft exec told me that ConfigMgr market share was somewhere between 75-85% for managing PCs in businesses. Several years back Microsoft was in hand-to-hand combat with competitors to gain leverage in the space, and its efforts were clearly successful. It's rare these days to find a medium to large organization not using ConfigMgr to manage endpoints.

With the Cloud, the landscape is changing again. More and more potential competitors are cropping up every day, providing their own Cloud-based management tools. ConfigMgr, though it has a conduit to Microsoft Intune, is still primarily an on-premises product, and as such doesn't exactly fit Microsoft's Mobile First/Cloud First mantra. But, that's where Microsoft Intune comes in, and though it won't exactly make ConfigMgr a second-class management citizen anytime soon, it does seem like that is the direction.

A recent Microsoft blog post in the Bringing the Cloud to Enterprise Desktops series provides more information on what Microsoft is planning for Windows 10 management. For companies already using ConfigMgr to manage endpoints, not much will change. When a Windows 10 client attaches to the network, the ConfigMgr client will be made available to install, making the Windows 10 PC or device immediately discoverable and managed. However, for those choosing to take advantage of connecting their Windows 10 devices to Azure AD (which will be an embedded feature), Microsoft Intune will be front and center, even during the registration process. And, this is something that business IT needs to be aware of.

Per the blog post, when the Windows 10 device joins Azure AD, users will be presented with a terms of use page that offers a choice whether or not to allow the PC to be managed. If the user accepts, the PC is joined to Azure AD and then automatically enrolled for management using Microsoft Intune. This method works for both corporate-assigned devices and personally owned devices that attempt to connect to the company's Azure AD account.

Though the blog post doesn't state this, sources tell me that the MDM registration process is optional and the ability to configure the Azure AD tenant with a special enrollment URL will be available. This gives companies the option to only perform the Azure AD join without the automatic MDM registration. For BYOD scenarios, companies will be able to employ the "Add Work Account" method to register devices and then include the MDM enrollment as part of the registration. Additionally, not all Azure AD SKUs will have this capability.

Policies will be available to IT administrators to allow them to manage who and what can connect to the company's Azure AD, and also to ensure that only compliant devices are allowed to attach. Additionally, Microsoft Intune will continue to evaluate compliance and deny access based on a device falling out of a supportable range.

This new automatic enrollment feature is not quite ready yet and is expected to show up shortly in a coming Technical Preview release of Windows 10, and the compliance reporting, coupled with the forthcoming GA of Azure AD Connect, will be available only when Windows Server 2016 releases.
