Modern device management with a few twists
' My goal is to share my knowledge and experiences with community members on their own road to Modern device management. I love working with Microsoft technology and hopefully I can help a few people along the way.'
Author: Andy Jones
Filters were introduced to Intune around mid 2021 and for some reason have mainly escaped me up to this point. I like many have used Dynamic groups as the default approach when needing to narrow down the assignment of compliance policies, configuration profiles and applications. Filters however bring a number of welcome improvements to the table we will go through in this blog.
Filters introduce a way of applying advanced targeting and in some scenarios performance benefits to help you replace the use of dynamic group assignment. When it comes to defining and applying Filters you typically need to make the right architectural decisions for your own Intune deployments but filters add a new layer of targeting definitely worth considering. The natural way of structuring your users and devices hasn't changed by creating Azure Active Directory 'Groups'. By creating these you are defining a hierarchy and structure that reflects your organisation which may be through specific teams of people such as the 'Sales team' or device types 'Windows 11 devices'. These are still relevant and provide the baseline for assignment to your applications, policies and profiles. For each of these groups where Microsoft have added the option for filters, you now have the ability to narrow the assignment scope that best fits your needs.
We do need to mention 'Virtual Groups' as these include 'All users' and 'All devices' and by default they don't have any management overhead meaning there is no need to first create or make changes for these. Its worth noting that every time you create a new group (one that has never been used before in an Intune assignment) they go through a first-time setup process together with a membership sync. This first sync will always take longer than subsequent (incremental) syncs. The upside to these virtual groups is that they are stable and highly optimized for assignment. The use of these may be few and far between so most admins will break down all users and all devices into sub groups. As a result the groups you create need to be synchronized from Azure AD and evaluated for assignment. And therein lies the major benefit for me, the performance of assignment. I have seen technical community requests for information when it comes to dynamic group assignment for example. The underlying issue is it sometimes takes longer than expected especially on larger group assignments to verify the members that apply to the dynamic groups which can then delay an app or policy being deployed or even delay an enrolment.
Author: Andy Jones Date Published: 09/08/2022
Expedite built from Windows Update for Business (WUfB)
I first want to provide some background to this blog topic. If you're familiar with the Windows Update for Busines (WUfB) service you'll know this is the main channel for updating your Windows 10 or later devices with the latest security defenses, bug fixes and Windows features. Once you switch from Configuration manager workloads to WUfB your devices can be updated with policies defined with cloud-based management using Intune. There are four key management policies provided by WUfB which include:
So What is Expedite for Quality updates
Expedite for quality updates were introduced to quickly maintain the productivity of devices. Originally released in May 2021 this option is still in preview at the time of writing, so please be aware of this when deploying on your production paltform.
PLEASE NOTE: Its important to know also that Expedite only includes security updates right now but could see this being expanded in the future.