Team Lead, Cybersecurity at a financial services firm with 1,001-5,000 employees
Real User
2024-10-09T16:10:00Z
Oct 9, 2024
At the moment, we need more flexibility. We have some offices migrating to Windows 11 remotely. Sometimes, it is difficult to manage image installation because we have to collect some information before starting image deployment. Currently, Intune cannot collect the information needed for deploying new images.
IT Specialist in Modern Device Management at a tech services company with 11-50 employees
Real User
Top 20
2024-09-19T08:56:00Z
Sep 19, 2024
They are always rolling out updates. You get more and more possibilities to enroll devices and configure their settings and security. I have confidence in the setup they have provided so far. I, as such, do not have any specific inputs or needs. However, there is always room for improvement when it comes to scalability.
Intune needs to incorporate more tools to reduce the number of third-party applications we rely on. For instance, I currently use PatchMyPC to package new applications for Intune and then deploy them to endpoints. If Intune offered this functionality natively, we wouldn't need to rely so heavily on third-party applications.
Although Intune is from the same provider, its integration with other Microsoft products, like Microsoft Defender or Microsoft Purview, could be improved. Regarding synchronization, there are occasional delays in updating a device's status. Integrating Microsoft products, such as Microsoft Purview, Microsoft Defender, and Entra, requires enhanced synchronization capabilities.
One issue that Intune can improve is password integration with the BitLocker key option. Another issue is assigning licenses. We can assign the licenses for some users on the BPM side, and our BPS users work on Outlook 365 but cannot access it there. A BPS person can go to the company portal and download Outlook 2016. They could improve the NDIS part to assign a license directly to the BPS person that allows them to install the Intune device manager directly on our system.
The reporting causes problems because we're trying to gather data to present to the management, but we can't get the data they request. If a user has removed an application from his device, it won't report it at exactly the right time. It takes time to sync from the device to the portal. Let's say we are preparing a list or deck for the number of compliant devices that meet all of the organization's requirements. In a real-time scenario, that device could be compliant, but it is showing as non-compliant on the portal. It sometimes hampers the overall decisions that we make on our end.
Microsoft currently restricts deployment to PowerShell or XML scripts, so it would be beneficial to support additional scripts such as command scripts, C languages, or TypeScript to enhance systematic compliance. While the UI has been updated, it could be made more accessible. Navigating to a specific section in Intune requires multiple clicks through different areas before arriving at the intended destination, indicating the UI could benefit from further improvement. The process of application discovery and deployment is relatively seamless. Nonetheless, there is room for enhancement in the reporting aspect. Intune still lacks comprehensive reports, and notably, its failure reporting does not succinctly communicate the full extent of an error.
Microsoft Support Engineer at Convergys Corporation
Real User
Top 20
2024-07-26T15:28:00Z
Jul 26, 2024
There are specific devices we can focus on. For example, due to GMS restrictions in China, we face limitations. However, BlackBerry UEM can enroll Android devices as Android Enterprise, though the exact method is unclear. We could explore whether Intune can replicate this functionality. Since GMS is unavailable in China, we currently rely on device administrator enrollment for managing Android devices there. This suggests potential opportunities to develop solutions or collaborate with Chinese partners to create new features within Intune for managing Android devices in the Chinese market.
We are facing issues with Apple products. With macOS and iOS, there are some difficulties with the updates because we cannot get full control of Apple products. In the case of Windows, it is fine, but in the case of Apple, we have some difficulties. We cannot control everything through Intune. It can be improved in terms of UI, user productivity, ease of use, performance, customization, and flexibility. It has all of these capabilities, but they can be better. Reporting, analytics, and integration with third-party solutions can also be better.
ISMS Manager & Information Systems Security at Africa Finance Corporation
Real User
Top 20
2024-07-08T14:19:00Z
Jul 8, 2024
Improvements can be made by allowing server integrations since it is an area where the product currently has shortcomings. Currently, it is just endpoints, Windows, and mobile devices, but we would like to see the servers integrated into the tool as well so that the product covers everything. The product currently lacks any features. For most of what we can't do with the features available in Microsoft Intune, we use PowerShell to address such areas.
IT Specialist at a consultancy with 5,001-10,000 employees
Real User
Top 20
2024-07-04T12:53:00Z
Jul 4, 2024
Applying security recommendations can be difficult in Microsoft Intune. Sometimes, they give you recommendations, but you need a different server to manage the pieces, or you have to go to each device individually. However, it has been improving. Before, there were certain policies you could not implement directly in Intune, but now I see progress. I would like to see more improvement in policy management, similar to how we used group policies on-premises.
Intune/System Engineer at a manufacturing company with 11-50 employees
Real User
Top 20
2024-07-02T09:16:00Z
Jul 2, 2024
The solution needs to improve reporting. Sometimes, it shows double or triple entries of the same thing, which affects the count's accuracy. Also, some applications onboarded in Microsoft Intune do not get updated. When we look for solutions online, there is often no clear answer. Microsoft Intune has no automatic cleanup option for devices that haven't been used for over 90 days. It would be beneficial for Microsoft to add such a feature.
The information we receive at the device level needs improvement. For instance, we can gather data on 10K devices but not 4K ones. I want to access information about devices that currently aren't included. Twenty percent of the workload integrated into the cloud from collected data represents inapplicable scenarios. I want Intune to decrease this by at least ten percent.
CISO at a computer software company with 201-500 employees
MSP
Top 20
2024-06-04T19:41:00Z
Jun 4, 2024
The interoperability or communication with a different platform can be better. It is a two-way street. It is not only about Microsoft. The other platforms also have to be willing to share some information, but that absolutely can be improved.
Enterprise IT Infrastructure Architect at Capital Group of Companies
Real User
2024-06-03T19:41:00Z
Jun 3, 2024
Manually syncing devices to enforce policies is cumbersome. Automating this process in Intune would significantly improve efficiency. The licensing cost has room for improvement.
There are a lot of features that need to be released. There is no copy-paste or file transfer. There's more work to do. They don't live up to my expectations anymore. Microsoft has a history of releasing features that are not completely finished. Remote help needs to be better. Reporting needs improvement. It's still lacking. The built-in reporting is pretty basic. In managed services, we have a lot more reporting. However, we had to develop it ourselves.
Information Technology System Administrator II at a government with 51-200 employees
Real User
Top 10
2024-04-02T21:09:00Z
Apr 2, 2024
I would like them to stop making changes and not tell people they have already made the changes. I know that their AI pieces are at the infancy stage, but allowing users to do more tagging for information would be an interesting thing because Intune also directly integrates with Azure. Because a lot of the devices are hosted with that, you also get a lot of tagging of user data and other things like that. Tagging is still at more of an infancy set. You get a lot of false flags. There can also be a more simplified use case for app deployment. They leverage MSIs and WIN32. I am having a more washed-out EXE process. Rather than having to build the script sets yourself, having them autogenerate a script based on you uploading in a default location would be nice.
Senior Associate, IT Operation at a venture capital & private equity firm with 51-200 employees
Real User
Top 20
2024-04-01T07:44:00Z
Apr 1, 2024
I would like to see easier pushdowns. Currently, we have to package our own software and then push it. Intune can make that way easier and integrate applications, such as Zoom and Adobe Acrobat, that are used by a lot of enterprise or corporate organizations. If they can integrate all the applications in their Intune system and allow all the IT admin to see any vulnerability upgrades or any feature upgrades required, that would be great. Currently, we do not have this kind of information proactively showing up in the admin dashboard. The UI is very difficult to navigate around. You have to click multiple times. For example, you have to click four or five times to get to the BitLocker key. If something is missing or something is not installed properly, you get the same error every time. Behind the error message, there is a lot of meaning to it. The user interface and the way Intune shows the errors for troubleshooting do not make it very useful for me. We can only get a glimpse of the error, but you have to figure out the rest of the things on your own. You have to go to Google, or you have to go to GitHub or another forum to find any related information.
We package Win32 applications and import existing packages using solutions like SCCM or third-party tools. While Intune doesn't currently offer third-party application patching, we rely on third-party solutions for that functionality. A new Intune feature, Enterprise App Management, allows deploying Microsoft and third-party apps and keeping them up to date, but it incurs additional licensing costs. Ideally, this feature should be included in the base license. Similarly, the privilege endpoint management feature also requires additional licensing. Intune would benefit from offering some core features at no extra cost. The most valuable improvement, in my experience, would be the ability to identify inactive devices through reports. Customizable reporting capabilities within Intune would simplify overall management and allow us to track device activity and inactivity more effectively.
There is room for improvement in integrating additional features such as Purview and SharePoint activities into Intune, which would enhance its functionality.
There are lots of areas. The backend of Microsoft Intune needs to be improved. We have seen a little bit of delay as compared to other MDM solutions. That needs to be improved. A little bit more granularity should also be added.
Areas for improvement in Intune include expanding support beyond Samsung devices to accommodate other Android manufacturers like Redmi and Motorola. Additionally, there is a need for better support for Linux operating systems, as patch management for Linux is currently not managed by Intune, unlike for Windows devices.
The current Intune reporting functionality could benefit from some improvements. Specifically, a report that tracks patch deployment status would be valuable. Ideally, I'd like a report that provides device-level details on applications and controls deployed. However, it seems like other organizations might be more interested in control-centric reports, showing details like what control was deployed, the number of devices affected, and other relevant device data. Overall, reporting is the area where we're encountering the most challenges with Intune.
Chief Information Security Officer at a comms service provider with 11-50 employees
Real User
Top 20
2024-01-10T10:36:00Z
Jan 10, 2024
Some of the security posture limitations are not brilliant; they're not ideal, but they're not causing us a problem at the moment. It's the granularity: "Is your firewall on? Is BitLocker on?" It's not amazing granularity. But I've looked into other products, like Duo, and they're all similar.
IT Systems Admin at a government with 10,001+ employees
Real User
Top 20
2023-11-27T15:55:00Z
Nov 27, 2023
I have a lot of Apple products in my environment. It would be nice to have an improved integration of Apple products with Microsoft Intune without Jamf.
There is room for improvement in integration and security as well. Those are areas that clients are always concerned about. So, in future releases of the product, I would like to see better integration as well as enhanced security.
Technology\Cloud Architect | IT Infrastructure Security & Compliance at IDFC FIRST Bank
Real User
Top 10
2023-05-17T10:42:00Z
May 17, 2023
Unlike VMware Workspace ONE, which provides system configuration and endpoint management, Microsoft Intune is not a standalone application. This is a limitation of Microsoft Intune because it does not provide all the information we need or the application details of the devices connected. Microsoft Intune's support for Mac devices is lacking and could be improved.
SR IT administrator at Cardinal Integrated Technologies Inc
Real User
Top 10
2023-05-17T09:28:00Z
May 17, 2023
When somebody has a customized application or their own company's application, we cannot deploy that application. For that, Microsoft has to change some tools, such as the launch tools, so that we can deploy those applications as well.
Senior Manager Information Technology Infrastructure at a financial services firm with 11-50 employees
Real User
Top 10
2023-04-07T12:55:00Z
Apr 7, 2023
Integrating certain group policies can be challenging and may necessitate using on-premises systems to integrate them with Microsoft Intune. I am encountering challenges integrating with multiple domains outside of my own due to unsupported Active Directory extensions.
For mobile device management, especially for the Windows operating system, it's quite impressive. But it would really be helpful to have the option to manage server operating systems as well, like Windows Server, at least. That way, we could scrap the use of SCCM, which requires a lot of on-premises infrastructure. Another area for improvement is the reporting structure. For example, currently, when deploying Windows 10 or Windows 11 updates, I don't get any detail or structured reports showing which updates are installed on the devices. It only gives me information on whether the update policy has been successfully deployed on the device or not. That type of installed-updates detail would be helpful.
Sometimes, customers compare it with AirWatch, but the concept of Intune is different from other solutions. It's an application management app. It gets a bit difficult to explain it to customers, but it's not a product limitation. It takes a presale document or presentation to explain it to customers.
Microsoft needs to enhance device-level security, as sometimes when using Microsoft Intune, the device's operating system becomes stuck and requires a full uninstall to remove the Intune bug. The price of the solution has room for improvement.
Chief Technology Officer at a tech services company with 51-200 employees
Real User
Top 10
2023-02-24T19:16:00Z
Feb 24, 2023
Due to the abundance of features, there's a lot to organize, which makes managing and setting up the solution challenging. The setup is immense, and it would be good to see improvement in this area. The stability could be improved.
Lead - Warehouse & Logistics at a comms service provider with 10,001+ employees
Real User
Top 20
2023-02-13T13:19:00Z
Feb 13, 2023
Deploying an app can be a complex process due to dependencies. For example, I have a package with three files that need to run, but one of them has a dependency on another one. This can be challenging to manage with the Intune app deployment and has room for improvement.
I'd suggest adding more features for macOS in Intune. There should be more functionality for managing macOS. There should be a better capability for pushing things down on macOS. Currently, Intune is not capable of managing macOS at the same level as Windows.
We need the capabilities of the Cloud Management Gateway (CMG) to be enhanced through Intune instead of Azure. I suggest that Microsoft consider this. If the user already has a subscription to Intune, they should not need to buy an additional subscription for Azure services. The support needs improvement. When we need support, we don't get a response within the SLA because the support has been outsourced.
A few of the options are a bit hard to understand. As compared to on-prem services such as AD, it's a bit different. For example, group policy objects have different names. It takes some time to find out where various options are available. I wanted to check if there is any provision at the Intune level to restrict certain things, such as a website, but unfortunately, that feature is available only in Microsoft Defender. Intune has web filtering capabilities, but they are only useful for protection from malicious websites, whereas we would like to be able to restrict a website. For example, YouTube is a clean website. No one would identify it as a malicious website, but if we want to stop the end-users from going to that website, we have to go for another product, such as Microsoft Defender or another third-party proxy solution. It would be great if this capability is included in Intune.
It should enable remote connection without involving any third-party application tools. Currently, if we connect another PC or any other machine, it requires a third-party integration to connect to it through Intune. That should not be the case. The UI also needs improvements because it is complex for end-users. We have had feedback from a few users in our organization who found the UI is not feasible for tracking and analyzing all the processes and monitoring all the devices.
Reporting in Microsoft solutions is pathetic. With Intune, I'm getting a free inventory tool, but I don't get a reporting tool. When I go to Intune, I can see one machine's entire data in terms of the hardware and the software running on it, but I cannot generate a report for all the machines in the organization. The reporting is the only feature holding back the functionality that is already there. All the other third-party tools are doing the same thing, whether Atlassian, ManageEngine, or Ivanti. They all install an agent on your system. Intune also has an agent on your system collecting inventory details and sending them across the central console, but Microsoft doesn't have the reporting capability there. That is the only drawback I see.
Senior IT Security Specialist at a tech services company with 1,001-5,000 employees
Real User
2022-11-11T19:34:13Z
Nov 11, 2022
It would be nice to have a location tracker for the mobile device management tool. I'm not sure if it exists but hasn't been configured or if it's missing, but we've been unable to utilize the location features.
President/CEO at a tech services company with 1-10 employees
Real User
2022-05-18T15:42:49Z
May 18, 2022
It's really matured and improved over the years by assimilating competing products. There are a lot of things that used to be better than Endpoint Manager or not available in Endpoint Manager that were absorbed or purchased and placed into this product. From a deficiency perspective, I can't recall coming across anything substantial. I'm trying to think of a weakness. I compared it to Ivanti. From a new user's perspective, it may be a little overwhelming because there are quite a few things to look at in the console; however, once you are sort of acclimated and are familiar with your core functions, it's fairly simple and straightforward. You can modernize the UI a little bit; however, change for the sake of change isn't always a good thing.
It's only good for a Microsoft environment. While it works very well for Microsoft users, if you have other kinds of operating systems, it's very painful to use. They need to take into consideration the Linux operating system and not only the Microsoft operating system. The solution needs better patching across applications.
Global Endpoint Manager at a manufacturing company with 10,001+ employees
Real User
2022-01-04T21:37:01Z
Jan 4, 2022
The product needs better management support, for sure, especially between non-Microsoft applications. It would be good, for example, to have some Chrome OS support. The solution requires baselines within the web console. That's something that is missing. They need better delegation capabilities in the reporting. The solution requires Mac support.
Desktop Architecture and Design at a tech services company with 1-10 employees
Real User
2021-12-01T16:19:00Z
Dec 1, 2021
No tool is 100% perfect. An issue we have run into with Microsoft Endpoint Manager is that we cannot patch third-party products like Adobe and Chrome with it.
Microsoft Intune is a comprehensive cloud-based service that allows you to remotely manage mobile devices and mobile applications without worrying about the security of your organization’s data. Device and app management can be used on company-owned devices as well as personal devices.
In an increasingly mobile workforce, Microsoft Intune keeps your sensitive data safe while on the move. Microsoft Intune makes it possible for your team members to work anywhere using their mobile devices....
Setting up Intune Autopilot can be a little complicated.
Intune has all the features enabled for Windows devices but needs to be improved on iOS and Apple devices.
Sometimes, the process is unsuccessful when we attempt to reset a device and wipe the data using Intune. This inconsistency requires improvement.
There can be more logs. I do not have any other requirements. I am very satisfied with it.
I would like some integration with the Microsoft reporting platform Power BI.
I would like the ability to install the agent on devices from suppliers, which would enable us to implement a zero-trust strategy for guest devices.
Some of the security posture limitations are not brilliant; they're not ideal, but they're not causing us a problem at the moment. It's the granularity: "Is your firewall on? Is BitLocker on?" It's not amazing granularity. But I've looked into other products, like Duo, and they're all similar.
The policies we had in SCCM and AD offered features that are missing from Microsoft Intune.
We faced issues with macOS support. The product should have better inventory and asset management.
I have a lot of Apple products in my environment. It would be nice to have an improved integration of Apple products with Microsoft Intune without Jamf.
There is room for improvement in integration and security as well. Those are areas that clients are always concerned about. So, in future releases of the product, I would like to see better integration as well as enhanced security.
Integration with Mac devices requires some improvement.
Unlike VMware Workspace ONE, which provides system configuration and endpoint management, Microsoft Intune is not a standalone application. This is a limitation of Microsoft Intune because it does not provide all the information we need or the application details of the devices connected. Microsoft Intune's support for Mac devices is lacking and could be improved.
When somebody has a customized application or their own company's application, we cannot deploy that application. For that, Microsoft has to change some tools, such as the launch tools, so that we can deploy those applications as well.
Integrating certain group policies can be challenging and may necessitate using on-premises systems to integrate them with Microsoft Intune. I am encountering challenges integrating with multiple domains outside of my own due to unsupported Active Directory extensions.
For mobile device management, especially for the Windows operating system, it's quite impressive. But it would really be helpful to have the option to manage server operating systems as well, like Windows Server, at least. That way, we could scrap the use of SCCM, which requires a lot of on-premises infrastructure. Another area for improvement is the reporting structure. For example, currently, when deploying Windows 10 or Windows 11 updates, I don't get any detail or structured reports showing which updates are installed on the devices. It only gives me information on whether the update policy has been successfully deployed on the device or not. That type of installed-updates detail would be helpful.
Sometimes, customers compare it with AirWatch, but the concept of Intune is different from other solutions. It's an application management app. It gets a bit difficult to explain it to customers, but it's not a product limitation. It takes a presale document or presentation to explain it to customers.
Microsoft needs to enhance device-level security, as sometimes when using Microsoft Intune, the device's operating system becomes stuck and requires a full uninstall to remove the Intune bug. The price of the solution has room for improvement.
Due to the abundance of features, there's a lot to organize, which makes managing and setting up the solution challenging. The setup is immense, and it would be good to see improvement in this area. The stability could be improved.
Deploying an app can be a complex process due to dependencies. For example, I have a package with three files that need to run, but one of them has a dependency on another one. This can be challenging to manage with the Intune app deployment and has room for improvement.
I'd suggest adding more features for macOS in Intune. There should be more functionality for managing macOS. There should be a better capability for pushing things down on macOS. Currently, Intune is not capable of managing macOS at the same level as Windows.
The solution could be improved by the opportunity to connect third-party application databases, such as Chocolatey or another setup store, to Intune.
We need the capabilities of the Cloud Management Gateway (CMG) to be enhanced through Intune instead of Azure. I suggest that Microsoft consider this. If the user already has a subscription to Intune, they should not need to buy an additional subscription for Azure services. The support needs improvement. When we need support, we don't get a response within the SLA because the support has been outsourced.
A few of the options are a bit hard to understand. As compared to on-prem services such as AD, it's a bit different. For example, group policy objects have different names. It takes some time to find out where various options are available. I wanted to check if there is any provision at the Intune level to restrict certain things, such as a website, but unfortunately, that feature is available only in Microsoft Defender. Intune has web filtering capabilities, but they are only useful for protection from malicious websites, whereas we would like to be able to restrict a website. For example, YouTube is a clean website. No one would identify it as a malicious website, but if we want to stop the end-users from going to that website, we have to go for another product, such as Microsoft Defender or another third-party proxy solution. It would be great if this capability is included in Intune.
It should enable remote connection without involving any third-party application tools. Currently, if we connect another PC or any other machine, it requires a third-party integration to connect to it through Intune. That should not be the case. The UI also needs improvements because it is complex for end-users. We have had feedback from a few users in our organization who found the UI is not feasible for tracking and analyzing all the processes and monitoring all the devices.
Reporting in Microsoft solutions is pathetic. With Intune, I'm getting a free inventory tool, but I don't get a reporting tool. When I go to Intune, I can see one machine's entire data in terms of the hardware and the software running on it, but I cannot generate a report for all the machines in the organization. The reporting is the only feature holding back the functionality that is already there. All the other third-party tools are doing the same thing, whether Atlassian, ManageEngine, or Ivanti. They all install an agent on your system. Intune also has an agent on your system collecting inventory details and sending them across the central console, but Microsoft doesn't have the reporting capability there. That is the only drawback I see.
It would be nice to have a location tracker for the mobile device management tool. I'm not sure if it exists but hasn't been configured or if it's missing, but we've been unable to utilize the location features.
It's really matured and improved over the years by assimilating competing products. There are a lot of things that used to be better than Endpoint Manager or not available in Endpoint Manager that were absorbed or purchased and placed into this product. From a deficiency perspective, I can't recall coming across anything substantial. I'm trying to think of a weakness. I compared it to Ivanti. From a new user's perspective, it may be a little overwhelming because there are quite a few things to look at in the console; however, once you are sort of acclimated and are familiar with your core functions, it's fairly simple and straightforward. You can modernize the UI a little bit; however, change for the sake of change isn't always a good thing.
The installation could be improved to be simplified.
It's only good for a Microsoft environment. While it works very well for Microsoft users, if you have other kinds of operating systems, it's very painful to use. They need to take into consideration the Linux operating system and not only the Microsoft operating system. The solution needs better patching across applications.
It should be easier to define policies and comply with those policies. The initial setup is complex. We aren't lacking any features at this point.
The product needs better management support, for sure, especially between non-Microsoft applications. It would be good, for example, to have some Chrome OS support. The solution requires baselines within the web console. That's something that is missing. They need better delegation capabilities in the reporting. The solution requires Mac support.
No tool is 100% perfect. An issue we have run into with Microsoft Endpoint Manager is that we cannot patch third-party products like Adobe and Chrome with it.