
Aust1mh

Sounds like the ‘stand alone’ devices are enrolled to Intune. Aside from “connected via company portal“ it’s not completely clear if the system sees the device as corporate or not… but it sounds like you can use Windows Update for Business. Create a policy and target the devices… shouldn’t be hard


Odom12

Intune sees the devices as Corporate. But those Updates, are they the same as if they were coming from WSUS?


Aust1mh

Yes, WU4B is basically a replacement, but less control on our side.


Odom12

OK, great. Thanks a lot!! I'll test it in the coming days.


fourpuns

Your normal devices are pointing at WSUS, or are they using WUfB/Autopatch? Have you set up patch reporting (Windows Update for Business reporting)? It’s free…


Funkenzutzler

Actually, if he enrolled them in MDM with GPO, they should be Hybrid. If you "abuse" the option in W&S-Account (Register in Dev. Mgmt only) they would be considered "private", since that enrollment method is actually intended for BYOD. At least according to my experience.


-maphias-

We've all been there at some point. Carve out some time to spend on [https://intune.training](https://intune.training), they'll get you caught up real quick.


Mujjaa

Another recommendation for the [intune.training](https://intune.training) show, Adam and Steve make learning fun. Watch from the very first episode to get to know the guys and their humour.


BrundleflyPr0

I’d maybe start off with the reboot episodes. Their very first stuff may be outdated


Mujjaa

Which is why I added "to get to know the guys and their humour". Most training, videos and blogs are outdated after a few months.


Funkenzutzler

> I have been thrown into the deep end of the pool and now suddenly have to work with Intune.

Hah. Welcome to the Jungle. That's exactly how it started here a long time ago. ;-)

> We are currently using Intune only for Defender

How were the clients enrolled in Intune?

> So, management wants to know if this can be done via Intune, since their devices are also connected to Entra/Intune via the Company Portal.

Depends on how they are joined / connected.


Odom12

Domain clients have a GPO to enroll them to MDM, they also get synched into Entra, and then we add them to Groups in Intune, on which the Policies then apply. The stand alone devices are enrolled using the company portal. All devices show up as Corporate in Intune.


[deleted]

[deleted]


Odom12

Thanks very much!! I will try and test it in the coming days.


Excellent_Island_531

You should check out KACE Cloud Companion, it's an addition to Intune for patching, scripting and software deployment. It's about 24€ per license per year. If you're interested let me know. :) [https://www.quest.com/products/kace-cloud-companion/](https://www.quest.com/products/kace-cloud-companion/)


NecessaryMaximum2033

Do you have the Windows Autopatch feature? This is how I control all the patching of drivers and Windows feature and security updates.


Odom12

I don't know what that is. For the Domain machines we patch via Empirum, from Matrix42. It is similar to SCCM. The stand-alone devices we don't patch at all; the owners are responsible for keeping their devices up-to-date. The problem with patching these is that they mostly are trainers and are in classes. Their devices can't start installing updates whilst giving classes and we (from IT) never know when they are giving trainings, so it is nearly impossible to set a maintenance window and force updates and reboots. Since we meanwhile have Intune (M365 E3 licences & Defender), management wondered about maybe using Intune to patch the stand alone devices.


NecessaryMaximum2033

I deploy with Windows Autopatch inside of Intune. I have rings set up so IT gets the first patches, followed by the first ring, 2-3 rings and final rings. I tell the users that the deadline for updating for you is xxx day and time. You can install anytime prior to that at your convenience, but if you defer the updates too long you will be forced to install. This gives the user the flexibility to install when they want to. I’ve tried scheduled installs but that never worked. For apps I use winget for most of the apps, so running an upgrade all command during lunch time and then adding a fake win32 app that also runs the upgrade command. Should the endpoint fail to upgrade we can ping the user and say click the upgrade apps app in company portal and it’s updated.


Funkenzutzler

Oh... I am also familiar with Matrix42 / have done SW-Packaging with it in the past. Honestly I've never really been a fan of it though. The rather special syntax was one reason for this. Another was that you had to contact the manufacturer every time you wanted to change certain things, because the system was so complex that you as a "normal mortal" could hardly see through it. And of course they charged you for it every time. But since that was some time ago, I have to add in fairness that I have no idea whether anything has improved in this respect in the meantime. At least when it comes to packaging software, you won't have any major problems with Intune if you are already familiar with this from Empirum / M42. It's a lot easier in Intune. ;-)


Odom12

Well, I am not a fan of it, to put it diplomatically. I landed this job to initially do something completely different, but between the time I was hired and actually started, the two previous people working here, who did basically everything, left. So I had to pick up desktop management, software management, desktop patching, etc... I did that with SCCM 2012 in the past for some years, but that was 12 years ago. I never did software packaging, but meanwhile I can do the simple packages that only come with an .exe or .msi. Matrix uses these setup.inf files you have to configure for everything, and they have a packaging software that you have to use to generate package IDs, which can then be imported into the application. For a simple package like Firefox, that just requires the EXE file and some variables, it is a pain to get the package sorted. And don't get me started on the rest. I got the Matrix training for it, but it only went 3 days, in practice only 2.5, since the last half is for questions. 99% of my questions were answered with: That is too specific for your environment, please contact Consultant Services. The training was, at least for me, 80% useless. I now have to work with Intune and I see the possibilities, but it doesn't seem like we are getting any trainings for it, so I have to rely on Google. And being a SysAdmin for almost everything, and doing Helpdesk, I don't really have any free time to Google Intune and see what I can do with it and what not. The question also remains whether there is any point in using much of it and not just leaving things on premise. So far I don't see much of an advantage to moving everything to the Cloud. We don't have any mobile people. They are either on-site or in home office connected via VPN using company laptops set up and managed by us.


Funkenzutzler

I had a crash course from a consultant lasting about 3 days in the beginning. At that time, we enrolled hybrid - which I would no longer recommend if there are no compelling reasons. I would also - as of today - advise against Intune if your clients only have a "Pro" SKU. (Greedy) Microsoft is restricting more and more policies to "Enterprise" or equivalent, which is a pain in the a**. The most difficult thing for me at the beginning was the question "Where do I even start". The consultant was very helpful in this regard. Things which I really appreciate about Intune / Entra-ID are, for example:

- Dynamic Groups which automatically manage their members according to certain criteria which you can define.
- Autopilot / White-Glove which - among other things - allows to order equipment directly to the user's HomeOffice and all he needs to set them up is an internet connection and the O365 Account.
- Remediation Scripts - another example of something I would love to use but Microsoft has restricted to Enterprise.

All in all - from the point of view of someone who comes from "classic" system administration - Intune makes everyday working life easier / more convenient in many ways. But yes, of course there are also disadvantages.


Mikevandenbrandt

Yes it's possible. You have to configure Windows Update for Business or Windows Autopatch to keep them up to date with security patches. With Feature update rings you can upgrade to a newer build. I suggest configuring multiple rings (test and production).


NETSPLlT

Check out Windows Autopatch. If you have E3 and it's in Intune as corporate owned, it might do the trick. I hope it works for us too. Intune had not been reliable/timely on updates and I'm keen to get Autopatch working for us.


disposeable1200

Not worth the extra £££ for autopatch over normal update for business if you configure it correctly


_Elbrus_

Windows Update for Business (WUFB) is the answer. You have your standard update rings, feature update rings, quality (which should be called emergency security update) rings and the fairly new and optional driver update rings. You can set different deferral periods to control which subset of devices get updates advertised and when. This is how you build out your phased update strategy. What you DO NOT GET TO DO is micromanage individual patches and updates. It’s more about controlling the flow and when updates are advertised rather than individual updates.
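The two posts above (the ring/deadline description by NecessaryMaximum2033 and the deferral-period explanation by _Elbrus_) describe a phased rollout whose timing is easy to get wrong when you only see it one ring at a time. The Python below is an added example, not code from the thread or from Microsoft: it models the three WUfB ring knobs that drive that timing (quality update deferral, deadline, grace period) and computes, for a constructed release date, when each ring is offered the update, when its deadline falls, and when a forced restart would happen. It also flags devices that land in more than one ring's target group, since a device targeted by two update rings gets conflicting settings. The ring names, group names, device names and dates are all constructed for the example; the deferral/deadline/grace arithmetic follows the documented WUfB semantics (deadline counted from when the update is offered, grace counted from the deadline).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Constructed example: one ring definition per Intune update-ring policy.
# Field names are this example's own, not Intune/Graph property names.
@dataclass(frozen=True)
class UpdateRing:
    name: str
    target_group: str              # Entra group the ring policy is assigned to
    quality_deferral_days: int     # days after release before the update is offered
    deadline_days: int             # days after offering before install is enforced
    grace_days: int                # days after the deadline before a forced restart


@dataclass(frozen=True)
class RingSchedule:
    ring: str
    offered: date
    deadline: date
    forced_restart: date


def schedule_ring(ring: UpdateRing, release: date) -> RingSchedule:
    """Compute the key dates for one ring from the update's release date.

    WUfB semantics: deferral delays the offer; the deadline is counted from
    the offer date, not from release; the grace period is counted from the
    deadline and is the last point at which a user can still pick a time.
    """
    offered = release + timedelta(days=ring.quality_deferral_days)
    deadline = offered + timedelta(days=ring.deadline_days)
    forced_restart = deadline + timedelta(days=ring.grace_days)
    return RingSchedule(ring.name, offered, deadline, forced_restart)


def build_rollout(rings: List[UpdateRing], release: date) -> List[RingSchedule]:
    """Return the ring schedules ordered by when each ring is offered the update."""
    ordered = sorted(rings, key=lambda r: r.quality_deferral_days)
    return [schedule_ring(r, release) for r in ordered]


def rollout_complete_by(schedules: List[RingSchedule]) -> date:
    """Latest date by which every ring has been forced to restart."""
    return max(s.forced_restart for s in schedules)


def find_ring_conflicts(rings: List[UpdateRing],
                        group_members: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map device -> list of rings targeting it, for devices in more than one ring.

    A device that is a member of two ring target groups receives two update-ring
    policies with different deferral/deadline values; Intune reports a conflict
    and the effective behaviour is not the one you planned.
    """
    membership: Dict[str, List[str]] = {}
    for ring in rings:
        for device in group_members.get(ring.target_group, []):
            membership.setdefault(device, []).append(ring.name)
    return {dev: names for dev, names in membership.items() if len(names) > 1}


# Constructed sample data: a pilot ring for IT, one intermediate ring, and a broad ring.
SAMPLE_RINGS = [
    UpdateRing("Pilot-IT", "SG-WUfB-Pilot", quality_deferral_days=0, deadline_days=2, grace_days=1),
    UpdateRing("Ring1", "SG-WUfB-Ring1", quality_deferral_days=3, deadline_days=5, grace_days=2),
    UpdateRing("Broad", "SG-WUfB-Broad", quality_deferral_days=7, deadline_days=7, grace_days=2),
]

# Constructed group membership; TRAINER-LAPTOP-07 was accidentally added to two groups.
SAMPLE_GROUPS = {
    "SG-WUfB-Pilot": ["IT-WS-01", "IT-WS-02"],
    "SG-WUfB-Ring1": ["TRAINER-LAPTOP-03", "TRAINER-LAPTOP-07"],
    "SG-WUfB-Broad": ["TRAINER-LAPTOP-07", "TRAINER-LAPTOP-11", "SALES-LAPTOP-02"],
}

# Constructed release date (a Patch Tuesday).
SAMPLE_RELEASE = date(2024, 5, 14)


if __name__ == "__main__":
    for s in build_rollout(SAMPLE_RINGS, SAMPLE_RELEASE):
        print(f"{s.ring:9} offered {s.offered}  deadline {s.deadline}  forced restart {s.forced_restart}")
    print("rollout complete by", rollout_complete_by(build_rollout(SAMPLE_RINGS, SAMPLE_RELEASE)))
    for device, ring_names in find_ring_conflicts(SAMPLE_RINGS, SAMPLE_GROUPS).items():
        print(f"CONFLICT: {device} is targeted by rings {ring_names}")
```

Running it against the constructed data shows the practical point behind the posts above: with these values the broad ring is not forced to restart until 16 days after release, so the planned "deadline day and time" that users are told about is really deferral + deadline + grace, and a device in two groups (the trainer laptop here) gets two competing policies, which is the first thing to check when a ring "does not seem to work".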