Managing devices with Microsoft Intune: What’s new and what’s next – my notes (Part 1 – new features)


At Microsoft Ignite this week in Florida, there were many announcements of new capabilities in products such as Microsoft Intune. With so many announcements it’s hard to keep up, but if you want to find out more, read on or select the part that interests you below.

This content is based on an excellent session entitled “BRK3036 – Managing devices with Microsoft Intune: What’s new and what’s next” and you can review it yourself here.

The session was presented by:

The session started with a reminder from Paul about way back in 2013, when Intune was first launched as part of Satya’s announcement of a new service called Enterprise Mobility Suite (EMS), which would bring together Azure Active Directory (AAD) and Microsoft Intune. Back then, customers were not as cloud focused as they are today, things like GDPR were unheard of, and even Microsoft has had to adapt its product strategy to deal with that new reality.

Different offerings for different customer segments

Microsoft has merged Intune into what they call Microsoft 365 (M365), providing flexible device management across different scenarios and personas. For example, Microsoft has one offering which they sell per user for Knowledge Workers (for people’s laptops and phones, traditionally the EMM space) that includes rights to Intune and ConfigMgr in Microsoft 365 Enterprise.

They also have a version called Intune in Microsoft 365 F1 for Firstline Workers, where again on a per-user basis they sell the productivity, management and identity that goes with it.

For smaller customers (SMB) that might have a Microsoft 365 Business subscription, Microsoft has built Intune experiences in to protect their Office use on mobile and on Windows, in an offering called Microsoft Business powered by Intune.

Finally, they’ve launched a version specifically for Education, where a teacher in a K12 environment can provision iOS, Windows or Android devices and use them in a classroom with the Microsoft for Education offering called Intune for Education in Microsoft 365 Education. Yes, it’s a mouthful.

The point here is that Microsoft has created these different offerings to suit different customers’ needs. All the above offerings are user licensed.

Intune Device License

Another new announcement (coming soon) is device licenses for Intune. This is useful for scenarios where, for example, you need to deploy a digital sign (a monitor that shows information in a shop or airport). This new license will be inexpensive and will allow you to deploy things to devices by supplementing your existing stack with licenses for digital signs.

Fantastic momentum with customers, show us the numbers

Microsoft has seen tremendous momentum with Microsoft Intune and System Center Configuration Manager (SCCM); between them they are managing about 150 million devices, of which Intune covers tens of millions. It’s hardly surprising, as both offerings have been developing at a rapid rate over the last few years, with new features and abilities coming every month.

Microsoft is also showing up as a leader in different quadrants from analysts like Gartner.

This is a great transformation from where they were in 2013, when the cloud was a ‘maybe’, to 2018, where everyone wants to be in on the cloud and it has become part of customers’ core values.

Intune-enlightened apps provide the best control, with or without enrollment, and integrate with mobile threat defence so that it can tell us, for example, that a device is showing a risk signal. Secure resource access lets you integrate your network access control with the application control that comes from Microsoft 365.

Intune and Configuration Manager are the two management offerings from Microsoft, and Microsoft has brought these two technologies together so that they are now built by the same engineering team. And indeed, you can see this togetherness showing up in new features such as Co-Management.

If you look at what Configuration Manager traditionally manages in on-premises environments, it’s things such as:

  • Operating System Deployment
  • Win32 apps management
  • Configuration and GPO
  • Bitlocker Management
  • Hardware and software inventory
  • Update Management

and then if you integrate Intune with ConfigMgr using Co-Management, you gain access to a whole wealth of new abilities (both on prem and in the cloud), such as:

  • Unified endpoint management (iOS, Android, Windows)
  • Modern access control (conditional access, compliance)
  • Modern provisioning (Autopilot, DEP, zero touch, KME)
  • Modern security (Hello, Attestation, ATP, Secure Score)
  • Modern policy (security baselines, guided deployments)
  • Modern app management (Office 365 ProPlus, Store, SaaS, VPP)
  • Full M365 integration (Analytics, Graph, Console, RBAC, audit)

Yeah, that’s a lot of Modern things happening in the cloud-attached scenario. But there are options too for Cloud Managed, where everything (other than traditional operating system deployment) is managed in the cloud using Microsoft Intune standalone.

So how can you see the value that M365 offers by integrating its cloud services together?

Well, in the video shown there’s a detonation of malware inside a lab; the scenario here was an end user that got infected by clicking on an attachment that he shouldn’t have on an unpatched machine.

The attachment goes through a series of attacks that result in an escalation of privilege happening on the device.

Meanwhile, in the Windows Defender Security Center, the sec-ops guys are alerted to this infection, as the AI in the cloud has identified a whole sequence of events on the infected machine (a high impact incident).

The admin can then go over to Intune and create a device compliance policy that uses the Windows Defender ATP risk settings.

This policy is for Windows 10 devices, and defines what it means to be compliant with corporate standards. So if Windows Defender ATP sees high risk on this device, it marks the device as non-compliant in Intune, and Azure Active Directory has a conditional access policy that denies access to corporate resources for devices marked as non-compliant. Similar actions can occur using different partner software on devices running iOS, Android, Mac and Windows.
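The two policies from the demo, expressed as the request bodies Microsoft Graph accepts for a Windows 10 compliance policy and a Conditional Access policy (an added example, not from the session; the outer wrapper object and the display names are my own, and the ATP-based compliance condition is the `deviceThreatProtectionRequiredSecurityLevel` setting, with `high` meaning a device at or above that risk level is marked non-compliant):

```json
{
  "intuneCompliancePolicy": {
    "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
    "displayName": "Corp standard - Windows 10 (example)",
    "description": "Non-compliant when Defender ATP reports high risk",
    "deviceThreatProtectionEnabled": true,
    "deviceThreatProtectionRequiredSecurityLevel": "high",
    "scheduledActionsForRule": [
      {
        "ruleName": "PasswordRequired",
        "scheduledActionConfigurations": [
          {
            "actionType": "block",
            "gracePeriodHours": 0,
            "notificationTemplateId": "",
            "notificationMessageCCList": []
          }
        ]
      }
    ]
  },
  "conditionalAccessPolicy": {
    "displayName": "Require compliant device for corporate apps (example)",
    "state": "enabled",
    "conditions": {
      "users": { "includeUsers": ["All"] },
      "applications": { "includeApplications": ["All"] },
      "platforms": { "includePlatforms": ["windows"] }
    },
    "grantControls": {
      "operator": "OR",
      "builtInControls": ["compliantDevice"]
    }
  }
}
```

The compliance body is POSTed to /deviceManagement/deviceCompliancePolicies and the second to /identity/conditionalAccess/policies; the block action with a zero-hour grace period is what makes the ATP risk signal take effect immediately rather than after a warning window.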

Many different consoles

In the past Microsoft has had many different consoles or portals for managing things in the cloud, but it’s moving towards unifying them (thank goodness) via the Microsoft 365 Admin Center.

This Microsoft 365 Admin Center will have 7 navigation points on it. One of them is for Security, and that’s where you’d find the ATP settings that were shown previously; another is called Device Management, available at:

That would cover Intune, Autopilot, Analytics, integration with Co-Management and ConfigMgr in the devicemanagement portal.

The central hub is called

Join me for more information and content in Part 2 where I’ll cover the new iOS features,

until then, adios!
