Intune plays an important part in Microsoft’s modern desktop strategy, allowing organizations to deploy and manage Windows 10 without an on-premises Active Directory domain. Microsoft announced several new features that will make it easier to manage Windows 10 using Intune.
Currently in preview, Microsoft announced the ability to deploy ‘most’ legacy Win32 apps using the Intune Management Extension, including MSI, setup.exe, and MSP files. System administrators will also be able to use Intune to remove these apps. Intune already had the ability to install line-of-business (LOB) and Microsoft Store apps but this new capability will enable businesses to manage more legacy business apps using Intune. LOB applications are those that rely on a single MSI file with no external dependencies.
Microsoft says that this new feature was built by the same team that created the Windows app deployment capabilities in System Center Configuration Manager (SCCM) and that Intune will be able to evaluate requirement rules before an app starts to download and install, notifying users via the Action Center of install status and if a reboot is required. Legacy Win32 apps are packaged using the Intune Win32 application packaging tool, which converts installers into .intunewin files.
If you want to go further, we invite you to check out our detailed guide on how to package and deploy Windows applications with Intune.
Microsoft publishes security baselines for supported client and server versions of Windows as part of the Security Compliance Toolkit (SCT), which replaced the Security Compliance Manager. But the baselines are provided as Group Policy Object backups, which can’t be used with Intune because it relies on Mobile Device Management (MDM) rather than Group Policy.
For more information on SCT, see Microsoft Launches the Security Compliance Toolkit 1.0 on Petri.
To help organizations meet security requirements when using Intune to manage Windows 10, Microsoft will be making security baselines available in the Intune portal over the next couple of weeks. The baselines will be updated and maintained in the cloud and have been developed in coordination with the same team that develops the Group Policy security baselines.
Organizations will be able to deploy the baselines as provided or modify them to suit their own needs. But the best news is that Intune will validate whether devices are compliant and report if any devices aren’t meeting the required standards.
Finally, Microsoft announced that third-party certification authority (CA) support is coming to Intune. Third-party CAs, including Entrust Datacard and GlobalSign, have already signed up to deliver certificates to mobile devices running Windows, iOS, Android, and macOS using the Simple Certificate Enrollment Protocol (SCEP).
Microsoft is planning to add many new features to Intune, including a public preview for Android Enterprise fully managed devices, machine risk-based conditional access with threat protection for Microsoft 365 users, and deeper integration with Outlook mobile controls. For a complete list of the new features and improvements coming to Intune, Configuration Manager, and Microsoft 365, check out Microsoft’s blog post here.