Microsoft Intune

Microsoft reveals new features to Windows Autopatch: app-based authentication, quality updates reporting and post-registration device readiness

In April, Microsoft launched the Windows Autopatch update service for business customers, making it generally available later in July. The main goal of the service is to take charge of update deployments and reduce the burden on IT admins. At Microsoft Ignite 2022, Microsoft introduced new features that are now available in Windows Autopatch.

Windows Autopatch is a cloud service that automatically manages Windows 10/11, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates for enterprises in order to improve security and productivity in organizations. This includes the creation of testing rings, monitoring health, and rolling back updates if needed. Windows Autopatch aims to make life easier for IT admins by taking over the patching of Microsoft products, so they can focus on the tasks that matter.

A new application-based authentication is now available in Autopatch through Microsoft Modern Management Management app. Thanks to this new certificate-based authentication, enterprise users can avoid the chore of rotating passwords or handling Conditional Access (CA) policies.

Microsoft has also made the process of post-registration device readiness simpler. Previously, after running the Readiness assessment tool, your devices might have been sorted into two tabs: Ready and Not Ready. Now devices that do not meet the prerequisites for Windows Autopatch enrollment are sorted into a “Not registered” tab, whereas devices with conflicting configurations show up in the “Not Ready” tab. Clicking on a device brings up solutions tailored to it.

Microsoft explains why this change is important:

“We heard that making sure devices remain healthy and eligible to receive updates—and reporting on the status of those devices—was time-consuming (and expensive). With this update to the device registration flow, IT admins can easily detect and take action to remediate configuration mismatches or other issues in their environments that prevent devices from receiving software updates from Windows Autopatch.”

Finally, the quality updates reporting service has become available. Windows Autopatch reporting is designed to give visibility into update status and device health, and to offer insights into managed endpoints. The reporting offers data on update compliance as well as device and application performance.

To see the quality update summary report, go to Reports > Windows Quality Updates.

- All devices report shows the update status of all devices.
- All devices report – historical shows the update status of all devices over the last 90 days.
- Eligible devices report – historical shows the update status of eligible devices over the last 90 days.
- Ineligible devices report – historical shows why devices have been ineligible over the last 90 days.

Microsoft Endpoint Manager is gone: Microsoft introduces Microsoft Intune product family 

The Microsoft Ignite conference is taking place these days, and the company has already announced a lot of updates designed to help companies be more secure and productive.

For enhanced endpoint management, Microsoft announced the advanced endpoint management plan that will include remote help, Microsoft Tunnel for Mobile application management, Endpoint Privilege Management, intelligent automation and data insights, and automated app patching and packaging – all based on Intune. Yes, not on Microsoft Endpoint Manager. The name Microsoft Endpoint Manager will no longer be used. That means that from now on Microsoft refers to cloud management as Microsoft Intune and to on-premises management as Microsoft Configuration Manager.

The number of Intune-managed devices (including Windows, Android and iOS) increased by 60% last year. Nearly 50% of Microsoft-managed endpoints are now cloud-connected, compared to less than 20% in 2020. Because of the growing demand for the cloud endpoint management solution, Microsoft is encouraging both its new and its on-prem customers to move to the cloud.

But this does not mean that Configuration Manager is dead. It will remain a part of the Microsoft Intune product family and continue to be updated on a regular basis. But if you want to enjoy all the features coming from Intune, you have to move to the cloud. If you are interested in connecting your tenant to the cloud, Microsoft’s FastTrack can provide deployment assistance at no additional cost for eligible Microsoft 365 customers.

To manage application installations and updates on Intune-managed devices in a new way, use Scappman. Scappman is a third-party application patching solution that automates the patching process for Intune-managed devices. Scappman eliminates the need for manual patching and provides a more efficient way to keep your third-party applications up to date.

Read more about how to get started with Microsoft Intune:

- How-to guide: Getting started with Microsoft Intune (part 1)
- How-to guide: Getting started with Microsoft Intune (part 2)
- How-to guide: Getting started with Microsoft Intune (part 3)
- How-to guide: Getting started with Microsoft Intune (part 4)

How-to guide: Getting started with Microsoft Intune (part 1)

Microsoft Intune is a cloud-based mobile device management (MDM) and mobile app management (MAM) service for businesses ready to take on challenges to productivity, security, and compliance in this modern era of BYOD (bring-your-own-device). It’s affordable and easy to use, and best of all, it’s wholly extensible and flexible. This guide will take you through setting up Microsoft Intune, show you how to enrol devices, and, most importantly, demonstrate how to deploy your supported apps. If you’re switching to Intune as your MDM and MAM platform, you’ll find this guide especially handy.

- Part 2 – User and Group management in Microsoft Intune, assigning licenses
- Part 3 – Setting up a configuration policy, Company portal and application management in Microsoft Intune
- Part 4 – How to configure devices in Microsoft Intune

Before you start with Microsoft Intune

Before setting your Intune account up, let’s review some technical requirements.

Supported licenses. To use Intune, you need a Microsoft 365 subscription. Intune is compatible with the following licensing plans:

- Microsoft 365 E5
- Microsoft 365 E3
- Enterprise Mobility + Security E5
- Enterprise Mobility + Security E3
- Microsoft 365 Business Premium
- Microsoft 365 F1
- Microsoft 365 F3
- Microsoft 365 Government G5
- Microsoft 365 Government G3

It’s also possible to sign up for a free 30-day Intune trial.

Supported OS and Browsers. Intune is an MDM service. Thus, it supports different operating systems:

| Vendor | OS |
| --- | --- |
| Apple | Apple iOS 13.0 and later, Apple iPad OS 13.0 and later, macOS 10.15 and later |
| Google | Android 6.0 and later |
| Microsoft | Windows 11 (Home, S, Pro, Education, and Enterprise editions), Surface Hub, Windows 10 (Home, S, Pro, Education, and Enterprise versions), Windows 10 and Windows 11 Cloud PCs on Windows 365, Windows 10 Enterprise 2019 LTSC, Windows 10 IoT Enterprise (x86, x64), Windows Holographic for Business, Windows 10 Teams (Surface Hub), Windows 10 version 1709 (RS3) and later, Windows 8.1 |

To perform Intune tasks, you must use the Microsoft 365 admin center or the Azure portal. To gain access to these web portals, you have to use the latest version of one of the following browsers:

- Microsoft Edge
- Safari
- Chrome
- Firefox

After confirming you have an Intune-supported OS and browser, you can set up your Microsoft Intune tenant.

Sign up to Microsoft Intune

Before using Microsoft Intune for your organization, you must first configure a Microsoft Intune tenant. If you do not already have access to the Intune portal, you can sign up for a free 30-day trial. If you’re using a work or school account to access the trial, use it to sign in and add Intune to your subscription. Otherwise, you can create a new account to use with Intune.

To sign up, go to the Intune set up account page, enter your email and click Next. Add your name, business phone number, company name and size, and country. Click Next.

Add your business entity’s domain name and check for its availability. As you can see, your domain now consists of your company name and onmicrosoft.com. Later we’ll discuss how to set up a custom domain.

Finally, create your username and password and click Sign in to complete setting up your Intune account.

Once subscribed, check your email and verify your account using the provided link. Usually, after verification, you’ll be redirected to the Endpoint Manager Admin Center. If not, here’s the link.

To sign in to Microsoft Endpoint Manager, your account must have either Global Administrator or Intune Service Administrator (aka Intune administrator) permissions in Azure AD.

Intune as MDM authority

Immediately after signing in, you must set the mobile device management (MDM) authority to Intune. This configuration may occur automatically. You’ll see an orange banner indicating whether this is the case. The MDM authority setting defines how you manage your company devices.

Important note: You must set the MDM authority before enrolling devices.

To choose the MDM authority, click on the orange banner or go to Tenant Administration > MDM Authority. Check your MDM Authority set under Choose MDM Authority, and then you can set MDM authority to Intune MDM Authority.

Add custom domain in Microsoft Intune (optional)

When your organization subscribes to Microsoft Intune, you get a unique domain name hosted in Azure Active Directory. Your new domain will follow this format: your-domain.onmicrosoft.com, where your-domain is the company name you chose when you signed up, and onmicrosoft.com is the standard suffix assigned to your account. Instead of using this domain name provided by Azure Active Directory to access Intune, you can configure a custom domain for your organization.

Sign in to your Microsoft 365 admin center account to configure a custom domain name. On the navigation panel, choose Setup > Domains. Choose Add domain, type your custom domain name, and click Next.

Next, verify that you are the domain owner as indicated in the previous step. You can do this by sending a verification email or adding a TXT record.

Once the domain is verified, you can check your default domain. Now you’ll see that your domain is listed as Healthy.

How-to guide: Getting started with Microsoft Intune (part 4)

In the last part of our guide “Getting started with Microsoft Intune” we’ll walk you through the process of device configuration in Microsoft Intune.

- Part 1 – How to sign up for Microsoft Intune, configure MDM authority to Intune, and create a custom domain
- Part 2 – User and Group management in Microsoft Intune, assigning licenses
- Part 3 – Setting up a configuration policy, Company portal and application management in Microsoft Intune

Configuring devices in Microsoft Intune

Now everything is ready to enroll a device in Microsoft Intune. As previously stated, it’s possible to enroll corporate and BYOD devices with various OS (Android, iOS, macOS, Windows). Let’s take the enrollment process of a Windows device as an example.

There are three ways to enroll a Windows device in Intune:

- Automatic enrollment.
- CNAME registration.
- Windows Autopilot.

Automatic enrollment

Automatic enrollment lets users enrol their Windows 10, 11 devices in Intune. For this, users must add their work account to their BYOD device or join corporate-owned devices to Azure AD. In the background, the device registers and joins Azure Active Directory. Once registered, Intune manages the device.

To enable automatic enrollment, log in to the Microsoft Endpoint Manager admin center and go to Devices -> Enroll Devices -> Windows enrollment -> Automatic Enrollment. Next, configure MDM User scope and/or MAM user scope:

- None – MDM automatic enrollment is disabled.
- Some – groups are selected for automatic enrollment.
- All – all users can automatically enroll their devices.

Once done, click Save.

CNAME

To enroll a Windows device using this method, you must create a domain name server (DNS) alias (CNAME record type) that redirects enrollment requests to Intune servers. To put it differently: In trying to connect to Intune, users must enter the Intune server name.

The first step is to create CNAME DNS resource records for your company’s domain. For example, for the domain contoso.com, we would make a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com.

If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and connect each to EnterpriseEnrollment-s.manage.microsoft.com. For example, users at Contoso use these formats as their email/UPN:

- [email protected]
- [email protected]
- [email protected]

It might take up to 72 hours to process the changes to DNS records.

Once all the changes are processed, you must verify the CNAME: go to Devices -> Windows -> Windows enrollment -> CNAME Validation. In the Domain box, enter the company website and then choose Test.

Windows Autopilot configuration

Windows Autopilot makes enrollment of devices simple. With Microsoft Intune and Autopilot, you can give new devices to the end users without building, maintaining and applying custom OS images.

The enrollment process with Autopilot consists of 3 main steps: adding a device, creating an Autopilot device group, and creating an Autopilot deployment file.

1. Adding a device

First, you have to create a CSV file to identify Windows devices and import it into Intune. In the Microsoft Endpoint Manager admin center, go to Devices -> Windows -> Devices (under Windows Autopilot Deployment Program) -> Import.

Under Add Windows Autopilot devices, import your CSV file. It can take several minutes.

Once the import is complete, go to Devices -> Windows -> Windows enrollment -> Devices (under Windows Autopilot Deployment Program) -> Sync. A message displays that the synchronization is in progress. The process might take some time to complete, depending on how many devices you’re synchronizing.

2. Autopilot device group

The next step is to create a device group and put the Autopilot devices you just added into it. In the Microsoft Endpoint Manager admin center, choose Groups > New group.

In the Group blade, choose Security for Group type, enter Autopilot Group for Group name, and choose Assigned for Membership type. Afterwards, choose Members, add the Autopilot devices to the group, and click Create.

To know more about Group management in Microsoft Intune read this blog.

3. Create an Autopilot deployment file

Now you must create a deployment profile so that you can configure the Autopilot devices. In the Microsoft Endpoint Manager admin center, go to Devices -> Windows -> Windows enrollment -> Deployment Profiles -> Create Profile.

On the Basics page, enter Autopilot Profile for Name and Test profile for Autopilot devices for Description. Set Convert all targeted devices to Autopilot to Yes. This makes sure that all devices in the list get registered with the Autopilot deployment service. Allow 48 hours for the registration to be processed. Select Next.

On the Out-of-box experience (OOBE) page, for Deployment mode, choose User-driven. Devices with this profile are associated with the user enrolling the device. User credentials are required to enroll the device. In the Join to Azure AD as box, choose Azure AD joined. Configure the following options:

- End-user license agreement (EULA): Hide
- Privacy settings: Show
- User account type: Standard

Click on Next.

On the Assignments page, choose Selected groups for Assign to. Choose Select groups to include, choose Autopilot Group. Select Next.

On the Review + Create page, choose Create to create the profile.

You can now distribute the Windows devices to your users. When they sign in for the first time, the Autopilot system will automatically enroll and configure users’ devices.

How-to guide: Getting started with Microsoft Intune (part 3)

In this blog, we’re going to talk about how to set up a configuration policy, Company portal and application management in Microsoft Intune. We’ve already discussed how to start with Microsoft Intune, user and group management in Microsoft Intune, and assigning licenses.

Create a Compliance policy

The next step is to create device compliance policies for all the devices. A compliance policy in Intune defines the rules and settings that a device must comply with to be considered compliant by conditional access.

To create a new Compliance policy in the Microsoft Endpoint Manager admin center, go to Devices -> Compliance policies on the pane. Then, click Create policy and specify Name, Platform and Settings. Once you’ve configured all the settings, click OK to save the policy.

Once the policy is created, you can assign this policy to devices or users.

Company portal configuration

Intune Company Portal gives company employees access to internal applications, resources, and data. As an administrator, you can customize the appearance of your Company Portal app, edit default settings, and create group-targeted policies. To do this, go to the Microsoft Endpoint Manager admin center and select Tenant Administration -> Customization.

It’s possible to add branding customization elements to the Company portal as follows:

- Organization name.
- Color.
- Theme.
- Add Organization logo and name in the header, etc.

Application management in Microsoft Intune

As an administrator, you can push, install, uninstall, and make applications available in the Company Portal for all the users in the organization. The Company Portal will only display applications relevant to the type of device they’re on or the platform they’re using.

Company portal supports Office 365 apps, Microsoft Store apps, iOS apps, or creating a custom Win32 app for deployment.

There are five types of apps supported with Intune to add and manage.

| App type | Installation process | Update |
| --- | --- | --- |
| Store apps (Microsoft Store, AppStore, Android Store) | Intune installs the app on the device | Automatic |
| Custom app (line-of-business – LOB) | You must supply the installation file and then Intune installs the app on the device | You must update the app by yourself |
| Built-in apps | Intune installs the app on the device | Automatic |
| Web-apps | A shortcut of the app is created on the device home screen | Automatic |
| Apps from other Microsoft services (Azure AD, Office Online) | Intune creates a shortcut to the app in the Company portal | Automatic |

In Microsoft Intune, you can modify deployable applications to align them with your organization’s compliance and security policies. Modification options include:

- Restricting copy-and-paste and save-as functions.
- Configuring web links to open inside the Microsoft Edge app.
- Enabling multi-identity use and app-level Conditional Access.

In this way, you can protect your company’s data.

Pro Tip: To save your time, Scappman automates the process of packaging and deploying custom apps.

Intune provides 2GB of cloud-based storage during the trial. With a full subscription, storage is unlimited.

Important: LOB apps have a maximum size limit of 8GB per app.

Pro Tip: With Scappman, you can deploy applications of any size.

Add application

To add the application to your Intune portal, log in to your Endpoint Manager Admin Center. Go to Apps on the pane, then All apps.

In the All apps menu, select Add and select App type. In this example, we’re going to add a custom LOB app.

In Select app type, choose App package file. .msi, .appx, .appxbundle, .msix, and .msixbundle are supported. When the package is uploaded, click OK to add the app.

On the App information page, you can enter the following:

- Name
- Description
- Publisher
- App install context
- Commands
- Category
- Information URL (optional)
- Privacy URL (optional)
- Developer (optional)
- Owner (optional)
- Notes (optional)
- Logo

When you’ve finished, click Next.

On the Scope screen, you can determine who can see the app information in Intune.

The Assignment tab allows you to assign the app to the group.

On the Review + Create tab, you can review all your settings, then click Create at the bottom. When created, you’ll see the confirmation banner.

To know more about how to manage applications in Microsoft Intune and how Scappman can make this process easier, read the article “How to manage private applications in Microsoft Intune?”.

How-to guide: Getting started with Microsoft Intune (part 2)

How to sign up for Microsoft Intune, configure MDM authority to Intune, and create a custom domain read here.

User and group management in Microsoft Intune

To manage devices using Intune, you first need to create users who will utilize these credentials to connect to Intune. You can create users in the Microsoft 365 admin center or the Microsoft Endpoint Manager admin center. In this example, we’ll create users in Microsoft Endpoint Manager.

After signing into Azure portal, on the pane, choose Users -> All users -> New user -> Create user.

While creating a new user, indicate the Username (the name used to sign in to Azure AD), Name (user’s given name), the Job title, Department, Company name, and Location. Here, the user’s password can be auto-generated, or you can choose your own.

If you want to assign a user to groups, go to Groups on the pane and select the group you’re assigning to the user. Click Select.

By default, the role of the newly created user is User. To assign a new role to the user, select User -> Assigned roles -> Add assignments. In the Directory roles menu, select a role you want to assign to the user and click Select.

Following all these steps, click Select to create the new user in Microsoft Intune.

Creating a new group

You can create groups in the Microsoft Endpoint Manager admin center to organize users and devices by different criteria, such as location, department, or hardware characteristics.

To create a group in the Microsoft Endpoint Manager admin center, go to Groups on the pane and select New Group.

There are two types of groups in Microsoft Intune:

- Security group defines who can access the resources in Intune (recommended). Security groups can contain users (excl. financial department employees) and devices (excl. All Windows 10 devices).
- Microsoft 365 group provides collaboration opportunities by giving members access to a shared mailbox, calendar, files, SharePoint site, etc. It’s used for collaboration between users, both inside and outside your company.

Enter a Group name and Group description. Select one of three Membership types for the group.

There are three types of Group Membership:

- Assigned: You can manually assign/remove users and devices to/from the group.
- Dynamic user: You can assign the user to the group based on the assignment rules (e.g., department or location) that automatically add or remove the user.
- Dynamic device: The user will be added or removed automatically based on the device type, OS, etc.

| Group type | Membership types |
| --- | --- |
| Security group | Assigned, Dynamic user, Dynamic device |
| Microsoft 365 Group | Assigned, Dynamic user |

In this menu, you can add the group owner and group members. Apart from the authority to add and remove group members, Group owners have special permissions to manage the group, such as changing group settings, renaming the group, updating its profile image and description, etc. Members have access to everything in the group, but they cannot change the group settings.

To create the group, click Create. Now you can see your group on the list.

Assigning licenses to users in Microsoft Intune

The next step is to assign each user an Intune license (and other licenses if needed) before enrolling their devices. In this example we’ll explain how to assign an Intune license to the user in the Microsoft Endpoint Manager admin center.

On the pane, select Users -> All Users -> pick a user -> Licenses -> Assignments.

Select the box Intune (and other desired licenses) and click Save.

Now you can enrol users’ devices into Intune.

How to keep your available Intune apps up to date

Available apps in the Company Portal is one of those features you really want to use, but can’t, because you lose control. Until now.

From a user’s perspective, available apps in the Company Portal are awesome! Your computer isn’t bloated with unnecessary apps, but at the same time you do have the freedom and flexibility to install apps that have been approved by your IT department, without having to create a ticket and wait a week or two to get the app. And it’s super easy: you just open the Company Portal app, select the app you want to install, and a short while later you’re good to go!

But there’s a catch. Available apps are just that, available to be installed. That means that when it’s time to update that app, the new version is also just available. It won’t update itself for the users that have already installed it. Add a few versions and you end up with an application landscape that is completely out of control and super insecure.

There are some complex workarounds out there with adding users to groups and using different types of assignments, but none of those are really reliable.

So, how can you keep available installations in check?

1. Create a PowerShell script that will detect if the application is installed and returns true or false. This can be as simple as testing if a registry key exists:

    Test-Path 'HKLM:\SOFTWARE\Scappman'

2. Create your application as you would otherwise, but on the Requirements page, click Add in the scripts section.
3. Upload your freshly created requirement script. In our example, the script would return true if the key is found, so we configure it as a boolean that equals yes.

The next time a device checks in, the requirement script will run and if it returns true the application will automatically be updated, if the detection rules are not present. In the status overview the devices that have been updated will be reported as installed, while the devices on which the application was not detected will be reported as Not Applicable.
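A more general form of the requirement script described above, as an added example (not Scappman's or Microsoft's code): instead of testing one vendor key, it looks for the app's DisplayName under the machine-wide Uninstall keys in both the 64-bit and 32-bit registry views, so the result does not depend on the bitness of the process running the script. The app name `Contoso Viewer` and the function name `Test-AppInstalled` are hypothetical.

```powershell
# Added example: requirement script that answers "is this app already installed?"
# Assumptions: the app is installed per-machine (HKLM) and registers a DisplayName;
# 'Contoso Viewer*' is a hypothetical name, replace it with the one shown in
# the "Apps & Features" settings page.
$AppDisplayName = 'Contoso Viewer*'

function Test-AppInstalled {
    param(
        [Parameter(Mandatory)]
        [string]$DisplayNamePattern
    )

    $uninstallPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

    # Check both registry views explicitly: a 32-bit host would otherwise be
    # redirected to WOW6432Node and miss 64-bit installs (and vice versa).
    $views = @(
        [Microsoft.Win32.RegistryView]::Registry64,
        [Microsoft.Win32.RegistryView]::Registry32
    )

    foreach ($view in $views) {
        $base = $null
        $uninstall = $null
        try {
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
            $uninstall = $base.OpenSubKey($uninstallPath)
            if ($null -eq $uninstall) { continue }

            foreach ($name in $uninstall.GetSubKeyNames()) {
                $sub = $uninstall.OpenSubKey($name)
                if ($null -eq $sub) { continue }
                $display = $sub.GetValue('DisplayName')
                $sub.Dispose()
                if ($display -and ($display -like $DisplayNamePattern)) {
                    return $true
                }
            }
        }
        catch {
            # An unreadable view is treated as "not found" so that the script
            # still emits exactly one clean boolean.
        }
        finally {
            if ($uninstall) { $uninstall.Dispose() }
            if ($base) { $base.Dispose() }
        }
    }
    return $false
}

# Emit a single boolean on standard output; the requirement rule is
# configured as a boolean that equals yes, as in the steps above.
Write-Output (Test-AppInstalled -DisplayNamePattern $AppDisplayName)
exit 0
```

Keep the script's output to that one value: any extra line written to the output stream becomes part of what the requirement rule evaluates.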
The easy way

Don’t want to spend time on creating all those scripts, but you do want the awesome Available apps feature in Intune? Check out Scappman! Not only does Scappman enable you to use Available apps for the predefined apps in the App Store, it also allows you to upload your own app, provide the name that it uses in the “Apps & Features” settings page and keep your own custom apps in check.

Find out here how we do it for you

Trends for Microsoft Intune in 2022

Trend 1: Further integration of Apple products in Microsoft Intune

One thing that was already on the roadmap for December 2021 was management of user-installed apps on iOS. With this update, Intune can manage previously installed iOS applications once they’re synced with Intune. As a result, previously installed applications do not need to be deleted and re-issued onto devices enrolled in Intune using device enrollment.

These applications might have been distributed using different MDMs previously, or they might have been personally installed. This feature simplifies the configuration management process for both required and available applications when enrolling devices to Intune.

The second integration is getting the Defender for macOS policies in Settings Catalog, also previewed in the release of Jan 2022.

The third thing on the roadmap that Microsoft is working on is enrolling BYOD or personally owned devices by Apple. This has been possible for Android devices in the Microsoft Intune environment since April 2021. In 2022 it will be possible, if Microsoft sticks to the roadmap, of course, to “Enroll devices into Intune through Apple account management.”

The last thing in this trend is adding DMG type app management for macOS and extending app deployment and management to include the exe-version of Apple apps – DMG for macOS.

The cool thing is that if Microsoft continues this way, there should be no reason for companies not to accept Apple products/devices in their Microsoft Intune environment.

Trend 2: Microsoft Intune and Microsoft Endpoint Manager also integrate on the server-side of things

Linux Ubuntu still has the highest percentage of servers running in the world. There’s even an article about it, “Can the Internet exist without Linux?” In the enterprise world, this means that they will be able to register, manage and secure Linux Ubuntu desktops and laptops and use conditional access for compliance. Microsoft will start with “Ubuntu,” but support is on its way for Red Hat, CentOS, and Fedora.

As part of that move, IT administrators will now be allowed to create Azure Active Directory conditional access policies for Linux machines, just like they do for other Windows, mobile, and Mac machines, to ensure that only Linux equipment that isn’t in violation of the policy can gain access to corporate resources such as Microsoft Office 365 applications.

Microsoft Endpoint Manager’s team said that in addition to adding custom management and security capabilities to the platform, these additional features would be beneficial for verifying the encryption status, for detecting any issues that result from BitLocker and Windows Defender Firewall settings, or for regularly comparing the security score in Defender for Endpoint to guarantee that any security flaws are detected and fixed.

Trend 3: Moving from SCCM to Microsoft Intune or doing Co-Management

We even wrote an article, “From SCCM to Microsoft Intune.” Many companies with SCCM, better known as System Center Configuration Manager, formerly known as SMS, Systems Management Server, are moving towards Microsoft Intune. The most significant difference between these traditional methods and the new Microsoft Intune is that SCCM is image-based management and Microsoft Intune is profile-based management. Brad Anderson, CVP Microsoft, predicted that the penetration of Intune in the market would be 50% of Intune on January 1st, 2022. Still, a lot has changed in the last two years, especially in security and the modern workspace. We’re not going down that road, but Covid-19 kickstarted the adoption of Microsoft Intune. Because during Covid-19, we saw an increase of Bring-Your-Own-Device or Use-of-own-Device, working from home, etc., all with the necessary critical security flaws. These reasons meant Intune rapidly got more market share.

In August of last year, Gartner acknowledged that Microsoft was the ultimate leader for Unified Endpoint Management Tools. We don’t know the exact number of companies using Microsoft Intune, but some internal sources say it has increased by 240%. This means that Chris probably didn’t undersell the 50% adoption of the software.

The problem is that Microsoft Intune can’t do all the things that SCCM can do and that SCCM, even with Microsoft Intune, can’t do all the things that the full Microsoft Intune manager can do. So, some companies that are switching from SCCM are doing the CO-Management. We will explain CO-Management in a different blog post. What you need to remember is the following image.

Sidenote by Microsoft: When you manage devices with both Configuration Manager and Microsoft Intune, this configuration is called co-management. When you contain devices with Configuration Manager and enroll in a third-party MDM service, this configuration is called coexistence.

So, unless you have co-management, Configuration Manager, and Intune in place, you can’t balance the workloads, resulting in conflicts. This interaction is not available with third-party integrations, and therefore there are restrictions on the management capabilities of coexistence.


How Scappman manages Multi-tenancy

Managed Service Providers (MSPs) are always looking to automate recurring tasks. Changing some settings for 1 customer and then doing the same action for 1000 other customers is a very time-consuming job. The same goes for application patch management. MSPs want to make sure all of their customers are secured with the latest software patches.

If your customers are using Microsoft Endpoint Manager and you would like them to be up-to-date with all applications, you’ll need to monitor new versions, package these versions and wrap them in an Intunewin file. Then you’ll need to upload the packages to all tenants of your customers. Already done that? Then you probably know that you can start all over again, because by the time you have finished, a new update is available.

At Scappman we’ve implemented an easy solution to switch between your customers. You’ll be able to see what your customers can see (if you allowed them to access the portal). No need to sign out of or sign in to multiple tenants. We have a reseller – customer relation defined so you can have a good overview of your customers’ patch status.


The best mobile device management solution in 2022: SCCM vs. Intune

Choosing mobile device management (MDM) and mobile application management (MAM) solutions for your company can be challenging. With ‘bring your own device’ (BYOD) on the rise, MDM plays a crucial role in controlling corporate data on devices by configuring accessibility policies and data security. Here, the eternal dilemma arises: Should you go with Microsoft System Center Configuration Manager ConfigMgr (SCCM) or Microsoft Intune?

Both solutions are parts of Microsoft Endpoint Manager – a single, integrated platform for managing all the endpoints in the organization. Intune is a cloud-based solution that allows you to manage company-owned and personal devices, while SCCM is a more traditional on-premises solution. Let’s look at both solutions, evaluating their pros and cons.

What is SCCM / ConfigMgr?

According to Microsoft, “SCCM is an on-premises solution to manage desktops, servers, and laptops that are on your network or internet-based.” Originally released in 1994, now part of Microsoft Endpoint Manager (MEM), it focuses on managing Windows devices across the enterprise (300+ devices).

SCCM’s functionality includes:

SCCM Pros:

SCCM Cons:

What is Microsoft Intune?

Microsoft identifies Intune as a “cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).” Being a cloud-based application, Intune has a simpler architecture than SCCM because it does not require on-premises infrastructure to operate.

One of the main aims of Intune is to create a secure work environment by controlling device usage and designing customized access policies for devices, including BYODs. Intune can separate corporate data from employees’ personal data on BYODs, which is convenient as they will no longer need several devices. Moreover, with Intune, it’s easy to make sure that all devices are compliant with enterprise requirements.

Intune’s additional features are:

Intune Pros:

Intune Cons:

SCCM vs. Intune – Overview

| Feature | SCCM | Microsoft Intune |
| --- | --- | --- |
| Positioning | On-prem | Cloud |
| Costs | Subscription | Subscription (price depends on the used data) |
| Software updates | Supports updates, patches, and software | Supports updates, patches, and software |
| Servers | Servers required | No physical server is needed – requires Internet access |
| Remote features | VPN, Wi-Fi | Remote deployment |

Summary

Microsoft Intune and System Center Configuration Manager offer various features, but it’s up to you to decide which best suits your business. Intune is a cloud-based solution accessible anywhere, making it perfect for remote workers. As a result of the ongoing COVID-19 pandemic, employees are working outside of protected corporate networks, using their own devices, and thanks to Intune, corporate data is safeguarded. Furthermore, Intune supports limited monitoring and managing of non-Windows systems. SCCM is a potent tool that can manage a variety of endpoints and has rich functionality. However, it can be complicated to work with and expensive.


What are applications update rings?

For a company, applications can be challenging to manage. They need to be installed on computers and regularly maintained afterwards. When a new application update is available, the IT department needs to reinstall the application on all computers.

Note: All applications need to be up to date, so hackers cannot abuse vulnerabilities in the software!

On average, an application needs updating once a week, and the update takes around four hours to package and test. By multiplying this by the number of applications in your company, you’ll know how much precious time IT spends on this process.

The bigger the company, the more control you need. Installing a conflicting update for more than 1,000 users can be a disaster for your business. For this reason, it’s essential to roll out updates in waves. In IT terminology, this process is called “update rings.”

With update rings, IT can install updates for a limited group of users (pilot group). Once IT has confirmed no issues or conflicts, they can advance the update to a larger user group. If there are no issues or conflicts for this group, they can update another group, and so on. Thus, the bigger the company, the more rings.

IT needs to manage and monitor this update process for every update of every application. This activity is not the most thrilling task for a professional IT team, which is one of the reasons why companies don’t always have the latest application versions.

How to manage application update rings in Intune?

There are different ways to manage application update rings in Intune:

- Changing the sources of an application.
- Changing the assignments for an application.

Changing the sources of an application

In this scenario, you create an application for each update ring. The sources and settings are the same for all the applications, but the assignments are different. As an example, let’s take three update rings:

- Application_Group_Fast
- Application_Group_Slow
- Application_Group_Release

At creation, all applications have the same version but different assignments. When a new version of the application is released, IT can change the .Intunewin file containing the new sources, commands and configuration settings. Members of the Group_Fast will get the update and can validate it. After the testing period is finished, IT can change the .Intunewin file for the next group. A lot of manual work is involved in these actions if you don’t have an automation tool for it.

Changing the assignments for the application

Another way to use update rings is by changing the assignments for the application. In this case, IT creates a new application for each version. The first version will have the three groups assigned for installation. With a new application version, IT creates a second Intune application, assigning the Group_Fast to this version. After testing and validation, IT assigns the next group to the new application. This process is then repeated until all groups have been assigned to the new application. Afterward, the initial version can be removed from Intune.
