Microsoft Intune

We get this question a lot. First, it could be that people have a different understanding of what are private apps or what are public apps. Private applications are applications: where the sources can’t be downloaded from the internet without providing personal information. that require a license key or license file. Private applications are not monitored for new versions. Note: It’s the customer or partner’s responsibility to provide Scappman any resources for the initial packaging or any update afterwards together with a procedure on how to install the application. Scappman can package these applications, but these are billable. Prices are listed on the platform. Public applications: Public applications are applications where Scappman has access to the sources on the website of the vendor. Public applications are monitored for new versions and are updated by Scappman on the platform. Note: Public applications that do not support silent installs can only be requested as a private application. Scappman will package these applications for free for subscribed customers. Private application management in Microsoft Intune Prepare the application installation file for upload Before you add a private app to Microsoft Intune to be able to manage it, you must use Microsoft Win32 Content Prep Tool in order to prepare the app for upload. The tool wraps the application installation file into the .intunewin format. Also, it detects some of the parameters that Intune requires to determine the application installation state. After that, your application is ready to be uploaded to Intune. Let’s use the app <yourprivateapp> as an example. Download Microsoft Win32 Content Prep Tool from GitHub . The .zip file contains IntuneWinAppUtil.exe, Microsoft License Terms, Read me file and Release notes. Use the latest version of the Microsoft Win32 Content Prep Tool otherwise, you’ll see a warning that says the app was packaged using an older version of the tool. Create a folder that contains the private application installation files Create an installation file yourprivateapp.cmd that contains the installation command and put the file in the directory with other installation files. Now open a Command Prompt and go to the location of IntuneWinAppUtil.exe: cd/<name of the folder> Run IntuneWinAppUtil.exe and provide the requested information: Source folder Setup file Output folder 6. Once the installation file is converted, you’ll see the message Done!!! Now the private application is ready to be uploaded to Microsoft Intune. Add a private app to Intune Sign in to the Microsoft Endpoint Manager admin center On the pane go to Apps -> All apps -> Add In Select app type menu choose Windows app (Win32) In the Add App menu you have to select the app package – the file that we created – yourprivateapp.intunewin in click OK In the App information menu add the details for your private application: Name Description Publisher Category Show this as a featured app in the Company portal Information URL Privacy URL Developer Owner Notes Logo 6. In the Program tab you can configure the application installation process using commands, install and device restart behavior. Install command – normally, it’s filled in automatically. If it’s not the case – use yourprivateapp.cmd Uninstall command – msiexec /x “{12345A67-89B0-1234-5678-000001000000}” Device restart behavior – here you can select one of 4 options: Determine behavior based on return codes No specific action: Choose this option to suppress device restarts during the app installation of MSI-based apps. This is preferred if you don’t want to reboot the device after the app installation App install may force a device restart Intune will force a mandatory device restart Specify return codes to indicate post-installation behavior: add the return codes that are used to specify either app installation retry behavior or post-installation behavior. Return code entries are added by default during app creation. But you can add more return codes or change existing ones. Code types: Success – the return code was successfully installed Retry – the return code will be attempted to be installed the application 3 times. It will wait 5 minutes between each attempt. Soft reboot allows the private app to be installed without a reboot. However, reboot is necesssary to complete application installation. Hard reboot does not allow the application to be istalled on the device without a reboot Failed – the application is failed to be installed 7. In the Requirements section you can specify the requirements that the device must meet before the application is installed: Operating system architecture : 32-bit / 64-bit Minimum operating system Disk space required (optional) Physical memory required (optional) Minimum number of logical processors required (optional) Minimum CPU speed required (optional) 8. When deploying the private app you must specify the detection rules – how the availability of the private application will be detected. It can be done manually or by using a custom PowerShell script. Manual detection rules format: MSI: this rule type enables the admin to create a detection rule that must detect a specific MSI product code or even a specific MSI version. This detection rule type can only be used once. File rule type enables the admin to create a detection rule that detects a specific file or folder, date, version, or size to determine the installation of the private app. Requirement rules: Path – specify the full path of the folder that contains the application file File or folder – specify the file or folder that should be used to detect the app Detection method – choose the option that should be used to detect the installation of the app (File or folder exists, Date modified, Date created, String (version), Size in MB) Registry: with this detection rule the Intune admin enables detection of the application installation based on the value, string, integer, or version. Requirement rules: Key path – identify the full path of the registry entry containing the value that should be used to detect the installation of the app. Ex.: HKEY_LOCAL_MACHINE\Software\YourPrivateApp Value name: if this property is empty, the detection will happen on the default value. The default value will also

Microsoft Intune is a comprehensive cloud-based solution for managing mobile devices, PCs, and applications across corporate and personal boundaries. Intune provides a range of features to help organizations secure and manage devices, protect their data, and enable productivity. In this article, we will explore the different terms and definitions associated with Microsoft Intune. Admin permissions or Directory Roles define the administrative scope for users and the tasks they can manage. Types of administrators: Global Administrator accesses all administrative features in Intune. By default, the person who signs up for Intune becomes a Global admin. Global admins are the only admins who can assign other admin roles. You can have more than one global admin in your organization. Password Administrator resets passwords, manages service requests, and monitors service health. Service support administrator opens support requests with Microsoft and views the service dashboard and message center. They have “view only” permissions except for opening support tickets and reading them. Billing administrator makes purchases, manages subscriptions, manages support tickets, and monitors service health. User administrator resets passwords, monitors service health, adds and deletes user accounts, and manages service requests. The user management admin can’t delete a global admin, create other admin roles, or reset passwords for other admins. Intune Service administrator has all Intune Global administrator permissions except permission to create administrators with Directory Role options. Android Device admin is the old management method of Android devices with limited functionality in application management requiring elevated administrative permissions in order to perform certain tasks. It has been deprecated since Android 9.0. Android Enterprise is an initiative to enable the use of Android devices and apps in the workplace. The program offers APIs and other tools for developers to integrate support for Android into their enterprise mobility management (EMM) solutions. App configuration policy is the settings that are supplied automatically when the app is configured on the end-users device, and end-users don’t need to take action. The configuration settings are unique for each app. App logs is a file with reporting that includes a record of activities that generate a change in in the app. App protection policy is the rule that ensures an organization’s data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move “corporate” data, or a set of actions that are prohibited or monitored when the user is inside the app. App types in Microsoft Intune: Apps from the store (store apps) – applications that have been uploaded to either the Microsoft store, the iOS/iPadOS store, or the Android store are store apps. The provider of a store app maintains and provides updates to the app. You select the app in the store list and add it by using Intune as an available app for your users. Apps written in-house or as a custom app (line-of-business) – applications that are created in-house or as a custom app are line-of-business (LOB) apps. The functionality of this type of app has been created for one of the Intune supported platforms, such as Windows, iOS/iPadOS, macOS, or Android. Your organization creates and provides you with updates as a separate file. You provide updates of the app to users by adding and deploying the updates using Intune. Apps on the web (web link) are client-server applications. The server provides the web app, which includes the UI, content, and functionality. Additionally, modern web hosting platforms commonly offer security, load balancing, and other benefits. This type of app is separately maintained on the web. Note that Android does not support web apps. Apps from other Microsoft services – application that have been sourced from either Azure AD or Office Online. Azure AD Enterprise applications are registered and assigned via the Microsoft Endpoint Manager admin center. Office Online applications are assigned using the licensing controls available in the M365 Admin Center Apple Automated Device Enrollment ADE lets you create and deploy policy “over the air” to iOS/iPadOS and macOS devices that are purchased and managed with ADE. The device is enrolled when users turn on the device for the first time and run Setup Assistant. This method supports iOS/iPadOS supervised mode, which enables a device to be configured with specific functionality. Apple push certificate is required for Intune to manage iOS/iPadOS and macOS devices and enroll users’ devices via Company portal or Apple’s bulk enrollment methods (Device Enrollment Program, Apple School Manager, Apple Configurator). Application deployment is the process of installing, configuring, and enabling a specific application or set of applications through Microsoft Endpoint Manager. Assigned groups are used when you want to manually add specific users or devices to a static group. Autopilot is used to set up and pre-configure new devices to get them ready for productive use. In other words, it allows your organization to take a device that is fresh out of the box (straight from OEM), and send that device to your user/employee for immediate use. Auto-enrollment is triggered by a group policy created on your local AD and happens without any user interaction (possible for Windows 10/11 devices). Azure Active Directory (AD) is Microsoft’s cloud-based identity and access management service, which is used by Endpoint Manager for identity of devices, users, groups, and multi-factor authentication (MFA). Azure Active Directory PowerShell is a module IT Pros commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features. Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. The wizard deploys and configures prerequisites and components required for the connection, including sync and sign on. Bring-your-own-device BYOD is a policy that allows employees in the company to use their personally-owned mobile device (phones, tablets, and PCs) for work-related activities. Bulk enrollment is joining a large number of new Windows devices

Of course, people who regularly follow our blog have heard of Autopilot, but this is Autopatch. An automated software update service for companies with Windows Enterprise E3 licenses or above will launch in July. What does Windows Autopatch do? Windows Autopatch is a managed service that will patch and update drivers and firmware for Windows and Microsoft 365 apps. This will result in automatic updates for Microsoft Teams, Microsoft Office, etc. What do you need for Windows Autopatch to work? You will need an Intune subscription, an E3 license, and an Azure AD (active directory). Remember, Windows Autopatch will only work on PCs running Windows 10 and Windows 11. We love that Microsoft is taking the same route as ours and believe that an updated computer is a safe computer. Just look at their takeaways on why they started on Windows Autopatch. “The development of Autopatch is a response to the evolving nature of technology. Innovations in hardware and software enhance usability and productivity. Changes like the pandemic-driven demand for increased remote or hybrid work represent particularly noteworthy moments but are nonetheless part of a cycle without a beginning or end. Business needs change in response to market shifts. Security postures must be hardened as new threats emerge. Enterprises must continually respond to stay competitive, enhance protection, and optimize performance.” We love that Microsoft introduced the term gaps. Those gaps can be two things. Security gaps and productivity gaps. Their phrasing is as follows: A security gap forms when quality updates that protect against new threats are not adopted in a timely fashion. A productivity gap forms when feature updates that enhance users’ ability to create and collaborate are not rolled out. As gaps widen, it can require more effort to catch up. Why is Windows Autopatch and Scappman match made in heaven? While Microsoft, from July 2022 onwards, takes care of their software and applications, SCAPPMAN can take care of your third-party applications and your applications already today. To use SCAPPMAN, you will need the exact requirements. You connect your Microsoft Intune to our SCAPPMAN portal, and you are good to go. So, Microsoft takes care of their own, and we will take care of the rest. Are you interested in starting today? Book a demo or start a free trial.

Intune is a cloud-based mobile device management and mobile application management service from Microsoft. The majority of companies are using SCCM for managing their mobile devices, but everything is changing. Based on Microsoft data, the percentage of the Windows devices managed by Intune is constantly growing. And by the end of 2022, Microsoft is forecasting that 50 per cent of Windows 10 devices will be managed from the Cloud. So, if you’re thinking to migrate to Intune, this blog is useful because we’re going to cover 5 main reasons why you should switch to Microsoft Intune. 1. Intune supports all OSs Despite Intune is a Microsoft product, you aren’t restricted only to Windows OS. Unlike Config Mgr, Intune supports all operating systems, including macOS, iOS, Android and… Linux! Microsoft promised to add Linux support to Intune in 2022. They plan to start with Ubuntu and to provide support for CentOS, Fedora and Redhat. Linux support means that now all endpoints can be controlled and managed in one cloud-based MDM system and enables organizations to apply policies and device configurations in the same way for all supported platforms. 2. The best security management With Microsoft Intune, you can implement full control over all endpoints in your company. The more control you have, the easier it is to secure them. With Intune, you can set up device a compliance policy that will automatically block devices that don’t meet your organization’s security requirements. You can also create app protection policies that offer an extra layer of protection, securing access on personal devices, and isolating company data from personal data. 3. Everything is on the Cloud As Intune is a cloud-based MDM and MAM solution, you don’t have to set up and maintain on-premises servers. Everything can be done from the Cloud! 4. Improved IT experience Microsoft Intune does a lot to make the life of your IT department much easier. For example, because of the flexibility of application installation settings you can assign it to users/groups that need this application – no need to deal with one individual endpoint at a time. With Intune, you can also track licensing, and collect information about hardware configurations as well as software installations. Migration to Intune will allow your IT department to work with greater efficiency. 5. Automated application management with Scappman Even though it is easy to manage applications in Intune, keeping applications across all enrolled devices up to date is a difficult and time-consuming task because you must track all applications for available updates, test the update, if there are no bugs, package it, upload the app to Intune and deploy it to selected users or groups. Read more about how to manage applications in Intune in our blog here. With Scappman you will forget about packaging! Scappman is a 100% cloud solution that automatically installs all the necessary updates for your applications. Scappman automates the entire process of uploading the application and updating it in the Microsoft Intune environment. There are more than 500 third-party applications in Scappman App Store, that are always up to date and secure to use. Want to migrate to Microsoft Intune? This blog series about how to get started with Intune may be useful.

Everyone can agree that packaging and creating a Windows app is a daunting task. In this blog, we will show you step-by-step how to package and deploy a Win32 app in Microsoft Intune and how to do this in a smart way just in a couple of clicks. What is a win32 app? Win32 applications are programs written for the Windows operating system. Microsoft Intune allows Win32 app management capabilities and supports both 32-bit and 64-bit operating system architecture for Windows applications. Win32 app management allows you to manage different types of files, such as .msi, .exe, .msix or any other formats. The only thing you must remember before creating a win32 app in Microsoft Intune I have to package it. Intune Win32 App Deployment Prerequisites To be able to manage win32 apps in Microsoft Intune, you should meet some criteria: Process of Intune Win32 App Deployment Step 0. Download Microsoft Win32 Content Prep Tool As we already mentioned, before you can upload a win32 app to Microsoft Intune, you must package it by using the Microsoft Win32 Content Prep Tool. The tool converts installation files into an .intunewin format. Also, it detects some of the parameters that Intune requires to determine the application installation state. You can download Microsoft Win32 Content Prep Tool on GitHub. When you download Intune Win32 Content Prep tool, it’s a .zip file and you must extract the contents to a folder. The .zip file contains IntuneWinAppUtil.exe, Microsoft License Terms, Read me file and Release notes. Use the latest version of the Microsoft Win32 Content Prep Tool otherwise, you’ll see a warning that says the app was packaged using an older version of the tool. Step 1. Win32 app preparation In this step, we’re going to package an application – wrap it into an .intunewin using Intune Win32 Content Prep tool. As an example, we will use 7zip. Make sure, that your installation file is in a specific folder, and that you know the folder’s name. Step 2. Packaging a Win32 app in Intune (.intunewin) It’s time for packaging! Open the IntuneWinAppUtil.exe and provide the folder of the installation file – in this case, the location of the 7zip installation file (7z2200-x64). Then specify the file that you’re going to package. And, finally, specify the output folder. Press Enter, and voila – the .intunewin file is ready. Once you have an application with the .intunewin format, you can create that win32 application in Intune. Step 3. Intune Win32 App Deployment Finally, we’re about to start Win32 app deployment in Microsoft Intune. For the following steps log in to Microsoft Endpoint Manager admin center. Navigate to Apps > All apps and press +App. In the App type select Other – Windows app (Win32). Open the App package file blade and browse for the just created 7z2200-x64.intunewin. The next step is to fill in some application information like Name, Description, Publisher, Category, Information URL, Privacy URL, Developer, Owner, Notes and upload an app’s logo. This icon is displayed with the app when users browse through the Company portal. In the Program section, you can configure the application installation process using commands, install and device restart behavior. Install command – normally, it’s filled in automatically. If it’s not the case – customize the app installation process. Uninstall command – msiexec /x “{12345A67-89B0-1234-5678-000001000000}” Device restart behavior – here you can select one of 4 options: Also, you can specify return codes to indicate post-installation behavior. Return code entries are added by default during app creation. But you can add more return codes or change existing ones. Code types: In the Requirements you can fill in the requirements that devices must meet to install the app: When deploying the win32 app in Microsoft Intune you must specify the detection rules – how the availability of the application will be detected. It can be done manually or by using a custom PowerShell script. Manual detection rules format – Path – specify the full path of the folder that contains the application file – File or folder – specify the file or folder that should be used to detect the app – Detection method – choose the option that should be used to detect the installation of the app (File or folder exists, Date modified, Date created, String (version), Size in MB) – Key path – identify the full path of the registry entry containing the value that should be used to detect the installation of the app. Ex.: HKEY_LOCAL_MACHINE\Software\7zip – Value name: if this property is empty, the detection will happen on the default value. The default value will also be used as a detection value if the detection method is other than file or folder existence. – Detection method: there are 5 self-explaining methods – Key exists, Key does not exist, String comparison, Version comparison, integer comparison In our example, we’re going to use the MSI detection rule. The MSI product code is populated automatically, however, if you don’t see it, add it manually. Custom PowerShell Script: That rule format enables the Intune admin to create detection rules that can check on basically anything that can be scripted, as long as the script has the correct output. It requires the configuration properties as mentioned below: Intune checks the results from the running script. It reads the values written by the script to the STDOUT stream, the standard error (STDERR) stream, and the exit code. If the script exits with a nonzero value, the script fails, and the application is not installed. If the exit code is zero and STDOUT has data, the application is installed. While uploading the win32 app to Microsoft Intune you can add dependencies – applications, that must be installed before your win32 app. In the Assignments menu, you can configure Required, Available for enrolled devices, or Uninstall group assignments for the win32 app. And, finally, after reviewing all the configurations you can add your win32 application to Microsoft Intune. Once the application is uploaded, the

Autopatch, which is available for public review since April, as it will become generally available very soon.* *According to Microsoft, Windows Autopatch will launch in July 2022 It’s worth getting educated about this new feature of Microsoft Endpoint Manager and its potential impacts on you as an IT admin will be. What is Windows Autopatch Windows Autopatch is a cloud service that automatically manages Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates for enterprises in order to improve security and productivity in organizations. Windows Autopatch is aiming to make life of IT admins easier so they can focus on the tasks that matter, taking over patching Microsoft products. Along with this, Microsoft Autopatch solves other challenges, that IT departments face today: it closes security gap – keeping software up to date protects endpoints from CVEs; it closes productivity gap it optimizes IT admin resources – by automating updates, IT admins can create more value in other areas forces the implementation of Modern device management minimizes end-user disruption – by releasing update rings, user disruptions are minimized. “The takeaway if you’re an IT admin? You can continue using the tools and processes you’re accustomed to for managing and deploying updates—or you can take a hands-off approach and let Windows Autopatch do it for you,” said Lior Bela, a Sr. Product Marketing Manager at Microsoft. This service is responsible to take control of: Windows quality updates – Windows Autopatch aims for at least 95% of eligible devices to be patched in 21 days of release. Microsoft 365 apps for enterprise – Aims to keep at least 90% of eligible devices on supported version of Monthly Enterprise Channel Microsoft Edge – Progressive rollout of Microsoft edge for eligible devices Microsoft Teams – To benefit from standard automatic update channel Prepare your endpoints for Windows Autopatch To get started with Windows Autopatch, make sure that you meet the infrastructure requirements. Licensing: Microsoft 365 E3 Microsoft 365 E5 Windows 10/11 Enterprise E3 Windows 10/11 Enterprise E5 Windows 10/11 Enterprise VDA. Additionally, Azure Active Directory Premium and Microsoft Intune are required. Supported operating systems: Windows 10/11 Pro Windows 10/11 Enterprise Windows 10/11 Pro for Workstations Device management: Devices must be corporate-owned – Windows Autopatch doesn’t support BYOD devices Devices must be managed by either Intune or Configuration Manager Co-management Devices must be in communication with Microsoft Intune in the last 28 days Devices must be connected to the Internet. Devices must have a Serial number, Model and Manufacturer. If you’re on-prem (SCCM)… If you are using ConfigMgr, you can’t use Windows Autopatch ☹. Co-management is a solution ? Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices. Setup & device regististration Tenant onboarding To enroll your tenant, you must use one of the following built-in roles: Azure AD Global Administrator Intune Service Administrator Modern Workplace Intune Administrator To enroll your tenant to Windows Autopatch, log in to Microsoft Endpoint Manager admin center, go to Tenant administration > Tenant enrollment (under Windows Autopatch) and hit Run management check to check if your Intune devices are ready to enroll. Once the assessment is done, the Readiness assessment tool will report one of four possible results: Ready – no action required before enrollment Advisory – you can enroll your tenant but there are some issues that must be fixed before deploying the first device Not ready – enrollment will fail if you don’t fix these issues Error – you’re using the Azure AD role, which doesn’t have permissions to enroll the tenant. For Advisory and Not ready settings, Microsoft provides you with steps that you have to follow to fix the issues. Once done with Readiness, you can enroll your tenant by pressing Enroll. This will take some time as this will create new Azure AD security groups and policies. Afterward, you need to provide Windows Autopatch with administrator access and fill in some information, like your phone number, email, name and preferred language. Click Complete. When the setup is complete you will see the notification. Now you can register devices. Onboarding devices to Windows Autopatch Go to Devices and under Windows Autopatch click on Devices. To register the device, click on Windows Autopatch Device Registration hyperlink. The Azure Active Directory group blade opens. Add either devices through direct membership, or other Azure Active Directory dynamic or assigned groups as nested groups in the Windows Autopatch Device Registration group. Once devices or Azure AD groups containing devices are added to the Windows Autopatch Device Registration group, Windows Autopatch discovers these devices and runs software-based prerequisite checks to try to register them with its service. Windows Update Rings in Windows Autopatch Now it’s getting interesting. You need to assign devices to Update Rings created by Windows Autopatch: Modern Workplace Devices – Test Modern Workplace Devices – First Modern Workplace Devices – Fast Modern Workplace Devices – Broad Each of the update rings has a specific objective and has assigned a set of policies to control the rollout of updates in each management area. Ring Device count Description Test Windows Autopatch doesn’t automatically add devices to this ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:– 0–500 devices: minimum one device– 500–5000 devices: minimum five devices– 5000+ devices: min 50 devicesDevices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. First 1% The First ring is the first group of production users to receive a change.This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for

When it comes to managing devices, many IT professionals still prefer the traditional on-premises approach. This involves a corporate-owned device, which is issued to the employees, and only these are permitted to join the corporate network for access to corporate applications. But today there are more and more companies that are opting for adopting the modern device strategy – a Microsoft-invented term that describes cloud-based device management. One of the biggest triggers for this switch is remote work. Many organizations adopted the BYOD policy because employees want to perform their tasks at home. This trend requires additional actions to ensure the security of the company data on these devices. FYI, regardless of the company’s official “bring your own device” policy, 67% of people use their devices for work purposes. As a result of all these trends, modern device management solutions are quickly becoming the norm. In this blog, we’re going to discuss modern management, co-management and what is its role in the modern device management strategy. What is Modern Management? Microsoft introduced the concept of modern device management to describe the shift from traditional on-premises infrastructure to modern cloud device management. With modern management, devices are managed in a consistent and unified way with a focus on the security of endpoints. The “modern” element of this strategy basically means “cloud-based”. And Modern management is Microsoft’s vision for the future of device management. With modern management, Microsoft wants to turn every endpoint into a modern, always up to date and secure device. Companies have been slowly moving to the cloud implementing a modern management strategy: based on Microsoft data, by the end of 2022, 50 per cent of Windows 10 devices will be managed from the Cloud. What is co-management and why do you need it? Moving from traditional to modern management is not a quick journey – it’s a long and complex process. For this reason, Microsoft introduced co-management as a bridge between traditional and modern management. Co-management allows users to manage their endpoints using both ConfigMgr and Intune. Co-management enables organizations to benefit from the features and capabilities of Microsoft’s cloud solution while allowing each to move at their own pace to modern management. When you enroll Configuration Manager-managed endpoints in co-management, you gain the following immediate value: Conditional access with device compliance – if a device meets the security requirements of your organization Intune-based remote actions, for example, restart, remote control, or factory reset Centralized visibility of device health Link users, devices, and apps with Azure Active Directory (Azure AD) Modern provisioning with Windows Autopilot. With co-management, you can determine which workloads can be moved from traditional to modern management. ConfigMgr provides a simple interface to slide over workloads to modern management for: Compliance policies Resource access policies Windows Updates policies Endpoint Protection Device configuration Office Click-to-Run apps Client apps To be able to take advantage of co-management you need to follow these requirements: ConfigMgr 1710 or later Windows 10 version 1709 (Fall Creators Update) or later Azure AD Premium (with clients joined to both AD and AAD) Intune subscription (MDM authority in Intune set to Intune). Read more about how to get started with Microsoft Intune in this blog series.