次の方法で共有


Managing Windows 10 PCs with Intune

Microsoft Intune manages everything from iOS, Android, and Windows phone devices to Windows RT, Windows PCs, and even Mac OS X, but I'm going to kick off this  blog series to talk specifically about managing Windows 10 PCs. This might seem like a straightforward subject to be spending so much of my time blogging about, but bear with me; there are plenty of interesting twists and turns you should be aware of before deciding how you will manage Windows 10 with Intune. Knowing these ins and outs will enable you to take full advantage of the management capabilities that Intune—and Windows 10 itself—provides to make your life as an IT admin easier.

Trust me, if you want to know how to properly manage not only Windows 10 PCs, but also the apps and files used on them, with Intune then you’ll want to keep reading this series. In this particular post I’ll get you started with deciding how to enroll PCs into Intune and then get deeper into the actual management of these devices, and the apps/settings in use on them, in subsequent posts.

Getting Win10 PCs under management

Before you can manage Windows 10 PCs with Intune, you first must enroll them into management by the service. Seems obvious right? What is not so obvious is just how you get them snug as a bug in the Intune rug. The first question you will need to answer is: do I install the Intune computer client to manage Windows 10 PCs as computers or should I enroll these PCs into management as mobile devices? A simple question with an answer of immense consequences. Choose wisely.

Note: To avoid the tl;dr phenomenon on this post I’ll get you started with the scoop on managing Windows 10 PCs as computers and then get to the good stuff (managing them as mobile devices) in the next.

Manage Windows 10 PCs as computers (please only if you really, really have to)

The only way you can manage Windows 7 or Windows 8 computers with Intune is to use the Intune computer client so it's kind of a no-brainer for those PCs to follow a more traditional management strategy. With the newer operating systems like Windows 8.1 and Windows 10 (where we can leverage OMA-DM), you have a choice to enroll as a PC or mobile device and leverage more modern management practices. So, one way to think about the computer client is that it is the old school way of managing Windows PCs. As an old school SMS admin in a previous life, the simplicity, and basic feature set the computer client enables can be appealing. That said, you're really better off managing the more modern (Win8.1 and Win10) PCs as mobile devices, but I said I wouldn't say anything about that until we get this computer client stuff out of the way.

It’s easy to get the computer client installed. First, you’ll need to go grab the bits to deploy. You can get a link to the files from within the Intune admin console (ADMIN\Client Software Download). Then, with your trusty Microsoft_Intune_Setup.zip file in hand, either manually sneakernet the installation files around to each PC you want to manage as a computer or use Group Policy to install the client. You could also try telling your users to open the Company Portal website from their PC and install the client themselves. Good luck with that, but if you're interested in establishing the affiliation between a user and their managed PC, that's the way to do it. User device affinity will not be set when you, as an admin, push the client bits to PCs.

With the computer client successfully installed, you can review software and hardware inventory reports, remotely run malware scans, install desktop apps (.exe and .msi), perform a selective wipe (not full wipe) of company data from the PC, remotely restart the computer, and manage Windows Update and firewall settings. Your users can use the Microsoft Intune Center to do some handy things like open the Company Portal website to see what apps are available for them to install, check for updates (don’t you use WSUS by now?), start Windows Defender to scan for malware (you know Windows 10 comes with Defender built-in right?), or…well, that’s it really.

Don’t believe me? See for yourself:

IntuneCenterOK, to be fair, in theory you can also enable the TeamViewer Connector and use TeamViewer software to request remote assistance, but that's not "right out of the box".

Tip: When you enable the TeamView connector in the Intune admin console, the Remote Assistance text at the bottom of the Intune Center for managed Windows 10 PCs automatically changes from "Remote assistance is not supported on this version of Windows" to "Request remote assistance".

Do you really want to do this?

So, now you know how to use the Intune computer client to manage Windows 10 PCs as computers and what capabilities you get using that method. The more interesting part to me though is what you don’t get. Namely the ability to leverage most of the mobile device management capabilities Intune provides. And these are handy things like conditional access to company data, resource access profiles (VPN, Wi-Fi, email, etc.), and Windows Information Protection (WIP) and OMA-URI settings management.

I could go on and on about why it’s a better idea to manage Windows 10 PCs as devices, and I will, but that’s another blog post (that you won’t want to miss).

 


You’ve seen my blog; want to follow me on Twitter too? @JeffGilb.

Comments

  • Anonymous
    September 02, 2016
    Thanks Jeff for sharing your knowledge. Just i started learning Intune. Its very help full for me.
  • Anonymous
    October 09, 2016
    Jeff, you can't do both, right? That is manage a Windows 10 PC with the Intune client and at the same time as a mobile device.
    • Anonymous
      October 09, 2016
      Correct. If you want to manage it with the PC agent you'll need to un-enroll the device from MDM channel management first.
  • Anonymous
    October 26, 2016
    Hi Jeff, do Microsoft look to building in the functionality so you can have both in the future? As although you mention Windows 10 has defender built in the Intune Agent Policy you can configure from within Intune allows you to specify scan and update times which is quite a powerful feature for companies that have no other way of centrally managing their security.
    • Anonymous
      November 02, 2016
      Hi Sophie, you can manage Windows Defender settings either way. Probably just a little more granular control when managing the device as a computer.
  • Anonymous
    December 14, 2016
    In reading your last paragraph, it seems that if we enroll the device by using the Intune client, we will not be able to utilize conditional access for the device. Is that true? I'm testing now and getting blocked by conditional access with the Intune client installed. I will be trying the mobile method of install, however wanted to get your feedback. Thanks!
    • Anonymous
      December 22, 2016
      Hi Kim, conditional access is not supported for PCs managed with the Intune agent. What will happen, and what I'm guessing you are seeing, is that the PC will get blocked from email, but will have no recourse to remediate itself because it cannot enroll as a device at that point...so conditional access just turns into no access in that case! Please let me know if you're seeing something different.