Evaluating Microsoft Intune against Workspace ONE UEM: Windows Edition 2023 Edition

Well, this has been long overdue. A few years ago, we had a three-part series, and we will do the same this time around. It’s an easier format to digest, and this week we will start with Workspace ONE Core. You can reference the old article here. We will be covering UEM Core, Application Management, and Security in each part. So, let’s get started talking about UEM Core with Microsoft Intune vs. Workspace ONE UEM.

A Small Recap on What UEM Core is

As I mentioned in the old article:

UEM core is your base for Unified Endpoint Management. When we talk about core UEM, we talk about the tent stakes of UEM, which will include device enrollment, CSPs aka profiles, device compliance, scripts, integrations and remote management. Many people regard UEM core as the minimal viable product for device management. Sure, deploying apps and security are very important, but you can run with a solid core.

That is a pretty good summary of what UEM core truly is. One of the main things that has changed in the last few years is the arrival of the Intune Suite, which is Microsoft realizing people want a full suite of services. Integration is truly the name of the game at this point. With the huge assault of Zero Trust on the marketplace, there is a major focus on tying your enterprise products like SASE, Network Virtualization, etc. all together to secure the edge and protect users/company data.

What has Changed with Device Enrollment?

Device Enrollment is an area of major focus, as it’s the first impression that your users have. As before, we slice up device enrollment into a few different areas: enrollment options, dropship provisioning/Autopilot, and enrollment restrictions. Let’s talk about enrolling devices with Workspace ONE.

WS1 Enrollment Options

As we mentioned in the past, people are typically enrolling devices in one of 3 ways:

  • Command Line enrollment
  • GUI-driven enrollment
  • Dropship Provisioning

Most of this has stayed the same, but there have been a few advancements as of late.

With Dropship Provisioning you can now build Offline or Offline Encrypted Packages for your manual builds, which luckily is still pretty easy:

Additionally, they now support 4 different AD types:

  • Workgroup
  • On-Premises AD
  • Azure AD with and without AAD Premium

Outside of that, the configuration is essentially the same. The major enhancement that hit shortly after my last article is the new “Dropship to Home Provisioning”, where they introduced a really neat concept: Offline Domain Join. Essentially, this empowers you by letting a VPN domain join your device remotely, a capability that Autopilot has had for quite a while.

Overall, not much has changed when it comes to enrollment, but not much really needed to. One last thing to point out is their nice advancements on the Post Enrollment Onboarding Experience, which Autopilot also has:

Workspace ONE’s Enrollment Score: 9

Microsoft Intune Enrollment Enhancements

Microsoft does a great job on their enrollment user experience in general. They did add a few items to their enrollment status page configuration:

  • customizing the message when OOBE errors out
  • enabling log collection and diagnostics page for end users

So, overall still a good experience. As I mentioned previously, this is the Microsoft documentation on enrollment methods, and they do a really good job here.

Update: After some feedback from a few community friends, I wanted to call out that, despite it not being well-publicized, there is now Windows Autopilot for Pre-provisioned Deployment, which we should cover a bit.

Windows Autopilot for Pre-provisioned Deployment

Basically, it’s a bit more decoupled than VMware’s solution, which runs through their console, but the end result is the same.

Essentially you have this flow:

The Microsoft documents are a bit vague, but basically each vendor has a page covering how to onboard into this system. Here are a few of the links:

Conceptually, it’s simple. The OS will be imaged, your 3rd party or OEM will prep the machine with apps, settings, etc., and then the rest will be handled by OOBE. It would be nice to see Microsoft endorse certain partners on this, but it just takes a little homework to achieve. My thanks to Intune Reddit for making me dig a bit deeper on this for everyone.

Microsoft Intune Enrollment Restrictions

A great move they have made since I last evaluated things is splitting platforms into their own restriction sections, which I think makes it more pliable.

Really simple like before, but split out (no changes have been made from a settings perspective):

Intune’s Enrollment Score: 9

Workspace ONE’s Device Policy

When we discuss profiles, it’s really more about policy. In Workspace ONE, we cover policies with Windows 10 Profiles a.k.a. CSPs (Configuration Service Providers) and Windows Baselines. Both will be discussed, as in the spirit of profiles we are focused on deploying configuration to devices to take the concept of group policy to the cloud. Let’s discuss what changed.

Workspace ONE Profiles

On user profiles, you can’t do User Data Sync aka Common Folder Sync

On device profiles, we have a few new enhancements:

  • BIOS profiles are now available, similar to Dell Command Update, which I wrote about before; they let you configure settings at the BIOS level like power management, smart reporting, connectivity, and more
  • The Managed Applications profile lets managed apps persist through a device unenrollment, which is interesting
  • Support for Dynamic Environment Manager, which would primarily be for persistent VDI

The other thing that has to be brought up here is VMware’s integration with Intel vPro, which is REALLY cool. With Intel vPro (which I haven’t dug too deep into yet), you can basically manage PCs at the BIOS level and do things like fix broken machines that cannot reach the OS level. It is a new level of integration and manageability that is sensational.

Another huge advancement for WS1 Profiles is the VMware Policy Builder, which will let you build virtually any profile that is available via CSPs, which helps to bridge the gap (despite the fact it would be nice if more were in the GUI).

Shared Device Models Rolling Out to Both Platforms

Both VMware and Microsoft have embraced shared device models as well with the Shared PC CSP.

VMware has documented it here, and it is in Public Preview as of version 2210+. These new capabilities let a user log into an enrolled PC, and the device will switch to the current user. In their Phase 1, they are supporting apps, profiles, and baselines. For simplicity, they are recommending that apps be assigned to the device so things don’t fall off the rails. The requirements for this with VMware are:

  • Azure AD Premium Licenses
  • WS1 UEM 2209+
  • Intelligent Hub is published from the “Intelligent Hub Application” section in Settings

That’s the extent we will cover this, as I will be covering and demoing this in a later article.

For Intune, you will just need to configure the new profile; Microsoft has had this functionality for a while, since slightly after my previous article was released.

Workspace ONE Baselines

Baselines haven’t really changed that much. One new option is the ability to create your own baselines, which I am a big fan of:

You can literally build your custom policy using the VMware microservice, which works relatively smoothly. I DO wish that it had access to some of the common 3rd party GPO objects like Google Chrome/Horizon (LOL), but overall it does its job.

Workspace ONE’s Policy Score: 8

Microsoft Intune Device Profiles

Just like when I checked this out last, they are STILL putting stuff into two buckets, which sort of drives me crazy. Let’s cover what new stuff has shown up:

  • You can now import ADMX templates and then use the “Imported Admin Template” profile type, which is a HUGE deal.
  • Kiosk Profiles (I don’t recall those before)
  • Secure Assessment profiles, which help students take tests and deploy the “Take a Test” app
  • Shared Device profiles
  • Windows Health Monitoring which is really neat and couples with their new endpoint analytics platform that has been growing exponentially:

The Settings Picker, which is basically the same thing as the VMware Policy Builder, is still there and working its constant magic as a huge backbone for Windows 365 and Intune devices.

Microsoft Intune Endpoint Security

Inside of Endpoint Security, they continue to grow with new features:

  • Defender AV configuration, EDR, Attack Surface Reduction, and Firewall support that covers Windows 10, 11, and NOW Windows Server
  • As part of the new Intune Suite, you can leverage their EPM (Endpoint Privilege Management) platform. I know it has a cost, but it’s such a smart play by Microsoft.
  • Introduction of their major game changer, LAPS (Local Administrator Password Solution), which is only available with Intune.
  • Enabling Windows Hello/Credential Guard and enabling security keys

Just to touch on ASR (Attack Surface Reduction), it is really sweet. You can leverage those profiles to do stuff like:

  • Block Adobe Reader child process creation
  • Block Win32 API calls from Office macros
  • Block all Office Apps from creating child processes
  • USB protection
  • Ransomware protection and much more
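The ASR profiles push the rule settings down, but you still want to confirm what actually landed on a device. The script below is an added example (not from the post, and not a Microsoft or VMware tool) that reads the configured ASR rules from Defender and reports the state of the rules discussed above. The rule GUIDs are taken from Microsoft’s ASR rule reference and should be checked against the current documentation; the sample Ids/Actions at the bottom are constructed so the function can be exercised without a managed device.

```powershell
# Added example (not from the original post): audit which of the ASR rules
# mentioned above are actually enforced, using the Defender cmdlets.

# Friendly names for the rule GUIDs discussed in the post
# (GUIDs from Microsoft's ASR rule reference; verify against current docs).
$AsrRules = @{
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Action codes as reported by Get-MpPreference.
$AsrActions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    [CmdletBinding()]
    param(
        # Ids and Actions normally come straight from Get-MpPreference; they are
        # parameters here so the function can be run with sample data offline.
        [string[]]$Ids = (Get-MpPreference).AttackSurfaceReductionRules_Ids,
        [int[]]$Actions = (Get-MpPreference).AttackSurfaceReductionRules_Actions
    )

    # Build a lookup of configured rules; GUID casing varies between tools.
    $configured = @{}
    for ($i = 0; $i -lt $Ids.Count; $i++) {
        $configured[$Ids[$i].ToLower()] = $Actions[$i]
    }

    foreach ($guid in $AsrRules.Keys) {
        if ($configured.ContainsKey($guid)) {
            $code = $configured[$guid]
            $state = if ($AsrActions.ContainsKey($code)) { $AsrActions[$code] } else { "Unknown ($code)" }
        } else {
            # A rule the profile never touched is the most common surprise.
            $state = 'Not configured'
        }
        [pscustomobject]@{
            Rule  = $AsrRules[$guid]
            Guid  = $guid
            State = $state
        }
    }
}

# On a managed device:
#   Get-AsrRuleState | Sort-Object State | Format-Table -AutoSize
#
# Offline demonstration with constructed sample data: two rules in Block,
# the ransomware rule only in Audit, the remaining two never configured.
Get-AsrRuleState `
    -Ids @('D4F940AB-401B-4EFC-AADC-AD5F3C50688A', '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c', 'c1db55ab-c21a-4637-bb3f-a12568109d35') `
    -Actions @(1, 1, 2) |
    Format-Table -AutoSize
```

Running it without parameters on a device needs the Defender PowerShell module (present on Windows 10/11). The “Not configured” and “Audit” states are the ones worth alerting on, since a rule left in audit mode after a pilot logs events but blocks nothing.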

I strongly recommend reading about LAPS because it’s a huge new feature that is available from 21H2+, and you can read about it here.

Similar to WS1 macOS DEP enrollments, it will automatically manage and back up the admin account on an AAD-joined or AD-joined machine. Anoop Nair also wrote a great article on it if people want to read more.

Another sensational improvement they introduced, which I love, is the Group Policy analytics capability, which analyzes your on-prem GPOs and shows how well they are supported by CSPs:

Microsoft Intune Baselines

Microsoft continues to rely heavily on their settings catalog, but their security baselines have grown to support their new Edge browser, Windows 365, and more as you can see below:

The thing you don’t want to miss is that the Settings Catalog is not the same as baselines. Baselines have some specific capabilities missing from the Settings Catalog, like:

  • App Runtime
  • App Management
  • Autoplay
  • Credential Delegation
  • Credentials UI (Enumerate admins)
  • Blocking Hardware Device Installation
  • Event Log
  • Internet Explorer
  • Microsoft Defender for Endpoint (MDE)
  • MS Security Guide
  • MSS Legacy
  • Remote Assistance
  • Remote Desktop Services
  • Remote Management
  • RPC
  • Windows Connection Manager
  • Windows PowerShell

It sort of drives me crazy that the two are inconsistent. I would much rather pull the two together and get a consistent UI/textual experience. I honestly think it makes it confusing for administrators. The good news is the content itself is solid and helps to protect your machines like you intended.

Intune’s Policy Score: 10

Workspace ONE’s compliance hasn’t changed in two years.

Microsoft has added a new toggle to mark a device as non-compliant if the MDE security intelligence isn’t up to date.

Additionally, they now have custom compliance policies. Basically, you upload a discovery script to collect some information, like this:

# Discovery script: gather the values the JSON rules will be evaluated against
$WMI_ComputerSystem = Get-WMIObject -class Win32_ComputerSystem
$WMI_BIOS = Get-WMIObject -class Win32_BIOS
$TPM = Get-Tpm

# Return one compressed JSON object; the property names must match the SettingName values in the rules
$hash = @{ ModelName = $WMI_ComputerSystem.Model; BiosVersion = $WMI_BIOS.SMBIOSBIOSVersion; TPMChipPresent = $TPM.TPMPresent }
return $hash | ConvertTo-Json -Compress

Then you create a JSON policy to check against that script:

{
"Rules":[ 
    { 
       "SettingName":"BiosVersion",
       "Operator":"GreaterEquals",
       "DataType":"Version",
       "Operand":"2.3",
       "MoreInfoUrl":"https://bing.com",
       "RemediationStrings":[ 
          { 
             "Language":"en_US",
             "Title":"BIOS Version needs to be upgraded to at least 2.3. Value discovered was {ActualValue}.",
             "Description": "BIOS must be updated. Please refer to the link above"
          }
       ]
    },
    { 
       "SettingName":"TPMChipPresent",
       "Operator":"IsEquals",
       "DataType":"Boolean",
       "Operand":true,
       "MoreInfoUrl":"https://bing.com",
       "RemediationStrings":[ 
          { 
             "Language": "en_US",
             "Title": "TPM chip must be enabled.",
             "Description": "TPM chip must be enabled. Please refer to the link above"
          }
       ]
    },
    { 
       "SettingName":"ModelName",
       "Operator":"IsEquals",
       "DataType":"String",
       "Operand":"Inspiron",
       "MoreInfoUrl":"https://bing.com",
       "RemediationStrings":[ 
          { 
             "Language": "en_US",
             "Title": "Only Inspiron is supported.",
             "Description": "Only desktop model Inspiron is allowed."
          }
       ]
    }
 ]
}

It’s a little tricky, but it does provide greater granularity than you get in Workspace ONE. That is a huge + in the win column for Microsoft, despite the learning curve.

Note that the BiosVersion rule in the JSON uses GreaterEquals with a Version data type, so it expresses “must be at least this version”, and the check condition handles that nicely.
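Because a typo in the rules only shows up as non-compliant devices after the policy is assigned, it is worth evaluating the rules locally first. The script below is an added example, not code from the post or from Microsoft: it applies the Operator/DataType/Operand logic of a rules file to the JSON a discovery script returns, and fills in the {ActualValue} placeholder the same way the remediation text does. The discovery output and the trimmed rules at the bottom are constructed sample data; how Intune itself parses data types (for instance the exact Version and String comparison semantics) is not documented here and is assumed to follow the obvious .NET conversions.

```powershell
# Added example (not from the post or from Microsoft): evaluate a custom
# compliance rules file locally against a discovery script's JSON output.

function Convert-ComplianceValue {
    # Convert a discovered value or an Operand to the rule's declared DataType.
    # Boolean is handled explicitly because [bool]"false" would be $true.
    param([string]$DataType, $Value)
    switch ($DataType) {
        'Boolean'  { [System.Convert]::ToBoolean([string]$Value) }
        'Int64'    { [int64]$Value }
        'Double'   { [double]$Value }
        'Version'  { [version]$Value }
        'DateTime' { [datetime]$Value }
        default    { [string]$Value }
    }
}

function Test-ComplianceRule {
    # Evaluate one entry of the "Rules" array against the discovery object.
    param($Rule, $Discovered)

    $actual = $Discovered.PSObject.Properties[$Rule.SettingName].Value
    $result = [pscustomobject]@{
        SettingName = $Rule.SettingName
        Actual      = $actual
        Compliant   = $false
        Message     = ''
    }
    if ($null -eq $actual) {
        $result.Message = "Discovery script did not return '$($Rule.SettingName)'"
        return $result
    }
    try {
        $have = Convert-ComplianceValue $Rule.DataType $actual
        $want = Convert-ComplianceValue $Rule.DataType $Rule.Operand
    } catch {
        # e.g. an OEM BIOS string such as "A12" that is not a parsable [version]
        $result.Message = "Cannot compare '$actual' as $($Rule.DataType)"
        return $result
    }
    $result.Compliant = switch ($Rule.Operator) {
        'IsEquals'      { $have -eq $want }
        'NotEquals'     { $have -ne $want }
        'GreaterThan'   { $have -gt $want }
        'GreaterEquals' { $have -ge $want }
        'LessThan'      { $have -lt $want }
        'LessEquals'    { $have -le $want }
        default         { throw "Unsupported operator '$($Rule.Operator)'" }
    }
    if (-not $result.Compliant) {
        # Surface the text the user would see, with {ActualValue} filled in.
        $text = $Rule.RemediationStrings | Where-Object Language -eq 'en_US' | Select-Object -First 1
        $result.Message = $text.Title -replace '\{ActualValue\}', [string]$actual
    }
    return $result
}

function Test-CompliancePolicy {
    # Run every rule; Intune marks the device non-compliant if any rule fails.
    param([string]$RulesJson, [string]$DiscoveryJson)
    $discovered = ConvertFrom-Json $DiscoveryJson
    foreach ($rule in (ConvertFrom-Json $RulesJson).Rules) {
        Test-ComplianceRule -Rule $rule -Discovered $discovered
    }
}

# Constructed sample: what the discovery script might return on an Inspiron
# with an older BIOS, plus a trimmed copy of the post's three rules.
$sampleDiscovery = '{"ModelName":"Inspiron","BiosVersion":"1.9.2","TPMChipPresent":true}'
$sampleRules = @'
{ "Rules": [
  { "SettingName": "BiosVersion", "Operator": "GreaterEquals", "DataType": "Version", "Operand": "2.3",
    "RemediationStrings": [ { "Language": "en_US", "Title": "BIOS Version needs to be upgraded to at least 2.3. Value discovered was {ActualValue}." } ] },
  { "SettingName": "TPMChipPresent", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
    "RemediationStrings": [ { "Language": "en_US", "Title": "TPM chip must be enabled." } ] },
  { "SettingName": "ModelName", "Operator": "IsEquals", "DataType": "String", "Operand": "Inspiron",
    "RemediationStrings": [ { "Language": "en_US", "Title": "Only Inspiron is supported." } ] }
] }
'@

Test-CompliancePolicy -RulesJson $sampleRules -DiscoveryJson $sampleDiscovery | Format-Table -AutoSize
```

With the sample data only the BIOS rule fails, and its message carries the discovered 1.9.2 in place of {ActualValue}. Pointing -DiscoveryJson at the real output of the discovery script (run it once and capture the string) is a quick way to catch a SettingName that the script never returns, or a version string the Version data type cannot parse, before anyone gets locked out of Conditional Access.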

Workspace ONE’s Compliance Score: 9.5

Intune’s Compliance Score: 9

Workspace ONE’s Script Support

Workspace ONE has exploded onto the scene in the last two years (albeit REALLY slowly) with Freestyle Orchestrator. Here are some good reasons, as we won’t go too crazy deep here:

These Intelligent Workflows are a brilliant way for VMware to catch up to Microsoft Intune, provided you can get the hang of them. Essentially, you leverage check conditions to drive actions, and those actions are great! It is really a major emphasis for VMware right now and is probably the main difference maker against Intune:

Coupled with that, their new Script objects make life much easier, provided you are using PowerShell (Python should probably be added given its popularity):

It’s a huge improvement over Products and just requires some creative scripting to fill the gaps. As an example, I now have to use code to create XML files vs. uploading them:

## Create the XML file ##
New-Item C:\temp\SkypeSettings.xml -ItemType File -Force

## Write the baseline settings into the XML file (the account fields are filled in below) ##
Set-Content C:\temp\SkypeSettings.xml '<SkypeSettings>
  <AutoScreenShare>1</AutoScreenShare>
  <HideMeetingName>1</HideMeetingName>
  <AutoExitMeetingEnabled>true</AutoExitMeetingEnabled>
  <AudioRenderDefaultDeviceVolume>70</AudioRenderDefaultDeviceVolume>
  <AudioRenderCommunicationDeviceVolume>30</AudioRenderCommunicationDeviceVolume>
  <UserAccount>
    <SkypeSignInAddress></SkypeSignInAddress>
    <ExchangeAddress></ExchangeAddress>
    <Password></Password>
    <ModernAuthEnabled>true</ModernAuthEnabled>
  </UserAccount>
</SkypeSettings>
'

## Read the signed-in UPN from the Teams desktop-config.json and keep a copy in a text file ##
$ConfigPath = 'C:\Users\Skype\AppData\Local\Packages\Microsoft.SkypeRoomSystem_8wekyb3d8bbwe\LocalCache\Roaming\Microsoft\Teams\desktop-config.json'
$JSONObject = Get-Content $ConfigPath -Raw | ConvertFrom-Json
$Username = $JSONObject.upnWindowUserUpn
$Username | Out-File C:\temp\username.txt

## Fill the empty SkypeSignInAddress and ExchangeAddress elements with the username ##
$SkypeSettings = Get-Content C:\temp\SkypeSettings.xml -Raw
$SkypeSettings = $SkypeSettings -replace "<ExchangeAddress></ExchangeAddress>", ("<ExchangeAddress>" + $Username + "</ExchangeAddress>") -replace "<SkypeSignInAddress></SkypeSignInAddress>", ("<SkypeSignInAddress>" + $Username + "</SkypeSignInAddress>")
$SkypeSettings | Out-File C:\temp\SkypeSettings.xml -Force

Workspace ONE’s Script Score: 9.75

Microsoft Intune’s Script Support

Honestly, I don’t mean to beat up Microsoft here, but this is still all they can support:

Honestly, I need a little more context to play with on this. I’m glad they support scripts, but I can’t get where I want to go with things like this currently. It’s been two years, please give me something to work with here.

Intune’s Script Score: 5

Workspace ONE Intelligence Integrations

None of VMware’s integration partners have changed, but one major thing has. The single most important technology in EUC right now is DEEM (Digital Employee Experience Management).

I would recommend checking out my video introducing you to DEEM:

The idea behind DEEM is pretty simple. The agent collects user telemetry data and uses that to do “things”.

So this can drive automations like this:

  1. Application crashed 3 times in one day
  2. Automatically opens a ticket for the user
  3. Captures application version and updates application if applicable

That’s the power of DEEM, driven by proactive support and guided root cause analysis.

Workspace ONE’s Integration Score: 9.5

Microsoft Intune Integrations

Microsoft crushed this section over the last few years. Let’s cover them real quickly. We’ll start with the Microsoft Intune Suite.

Microsoft Intune Suite

Like VMware, Microsoft has identified the need to extend their UEM portfolio into a full suite of services.

We now have:

They also mention stuff like Microsoft Tunnel, but that has been here for a bit.

Endpoint Analytics gives you anomaly detection, which detects problems proactively:

Additionally, it provides you with an advanced device timeline and lets you slice up devices into custom scopes for stuff like remote workers, startup performance, and application reliability. Microsoft has definitely made some big advancements on its DEEM-style solution, but it still has a long way to go.

Another capability they have with Endpoint Analytics is proactive remediation scripts, which you can access here. The currently supported scripts are:

  • Notifying users of expiring certificates
  • Deleting stale certificates
  • Updating stale Group Policies

UPDATE! I found a better repo thanks to someone on Intune Reddit (yeah, I know it’s a theme now). Check this Repo, which is way more effective and offers some interesting remediations, but they probably need some work. Some of the remediations they can do (but need improvements on their check conditions):

  • Clear Teams Cache
  • Clear Outlook Cache
  • Disable JavaScript on Adobe Reader
  • Clear DNS Cache and much more!

As I said, the check conditions need some work, but I think this will give you a good starting point. I still don’t think PowerShell from start to end is easy for a lot of people, so better get that ChatGPT subscription going!

EPM is a huge area where Microsoft just built a nice advantage: it lets standard users elevate to do specific tasks like installing apps, updating drivers, etc.
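The weak spot in a lot of community remediations is exactly the check condition, so here is what a careful one looks like. The script below is an added example, not from the post or from the linked repo: a detection/remediation pair for the “Disable JavaScript on Adobe Reader” item in the shape proactive remediations expect (detection exits 0 when the device is fine and 1 when remediation should run; stdout is shown in the console). The FeatureLockDown registry path and the bDisableJavaScript value name are assumed from Adobe’s enterprise documentation, and the -Mode parameter is only there for local testing, since Intune runs the uploaded scripts with no arguments.

```powershell
# Added example (not from the post or the linked repo): detection/remediation
# pair for "Disable JavaScript on Adobe Reader". Intune runs each script with
# no arguments, so upload two copies with $Mode hard-coded; -Mode exists only
# so this single file can be exercised locally.
param([ValidateSet('Detect', 'Remediate')][string]$Mode = 'Detect')

# Assumed from Adobe's enterprise documentation: Reader honours this policy
# value (DWORD 1) to turn JavaScript off for every user on the machine.
$ReaderLockdownKey = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$ValueName = 'bDisableJavaScript'

function Test-ReaderJavaScriptDisabled {
    # True only when the value exists and equals 1; a missing key, a missing
    # value or a 0 all count as "needs remediation" rather than as an error.
    param([string]$Key = $ReaderLockdownKey)
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Set-ReaderJavaScriptDisabled {
    param([string]$Key = $ReaderLockdownKey)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # -Force overwrites an existing value (of any type) with a DWORD 1.
    New-ItemProperty -Path $Key -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

switch ($Mode) {
    'Detect' {
        # Exit 0 = compliant, exit 1 = run the remediation script.
        if (Test-ReaderJavaScriptDisabled) { Write-Output 'Reader JavaScript already disabled'; exit 0 }
        Write-Output "$ValueName missing or not 1 under $ReaderLockdownKey"
        exit 1
    }
    'Remediate' {
        Set-ReaderJavaScriptDisabled
        # Re-check so the remediation reports a failure instead of silently "succeeding".
        if (Test-ReaderJavaScriptDisabled) { Write-Output 'Reader JavaScript disabled'; exit 0 }
        Write-Output 'Failed to write the lockdown value'
        exit 1
    }
}
```

Because the key lives under HKLM, the remediation has to run in the system context rather than as the logged-on user. The pattern that matters here is the same for any of the repo’s remediations: the detection tests the precise end state (value present and equal to 1), and the remediation re-runs that same test before exiting, so the console counts only devices that actually ended up in the desired state.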

I recently touched on Remote Help, which I am using for Windows 365. Check the demo below, which is the only way to do this justice. I’m so happy to finally see Microsoft rolling out their own app for this:

Intune Integration Score: 10

Who’s the Winner in 2023?

So let’s tally things up. You can see below who won overall across our 5 main categories.

Product               Enrollment  Policies  Compliance  Scripts  Integrations/Remote Support  Total Score
Microsoft Intune      9           10        9           5        10                           43/50
VMware Workspace ONE  9           8         9.5         9.75     10                           46.25/50

I think this score is even more misleading than 2021. I still think Microsoft beats them when it comes to Windows, but there are a few areas where VMware is just much stronger. Freestyle Orchestrator and DEEM are two major areas that REALLY matter right now. Microsoft needs to build out that script library and really expand the proactive remediation. Writing PowerShell scripts off the cuff isn’t everyone’s strong suit. VMware definitely closed the gap in some areas, but for me at this point this is all about automation/scripting. I think both platforms are fairly evenly matched despite what Gartner said in 2022/2023.

It’s clear that VMware has inspired some of Microsoft’s engineering efforts on Intune and because of that we ALL win. Sure, many people are complaining about the $10 price tag, but the VMware/Microsoft competition is leading to some nice advancements on both sides. Like I always say, this entire debate is all about skillsets. If you have good PowerShell admins, you won’t notice a huge difference on one vs. the other, but Intune is much easier to roll out and manage with junior engineers and that matters.
