Workspace ONE UEM vs. Microsoft Intune Windows Edition 2025


Hey everyone! It’s been a while since I’ve done one of these articles. With my hugely popular Workspace ONE UEM to Microsoft Intune Migration Guide, I thought it was time to create a fresh WS1 vs Intune Windows article that brought us up to current times. You can see some of my older ones below:

Apparently, I never finished it fully in 2023 with so many things going on, but I guess it’s time to do things the RIGHT way. This is going to be a new 3-part series starting with UEM Core. Parts 2 and 3 will cover Apps and Security, which are major areas in their own right. In Part 1, we will cover:

Let’s get started with UEM core and do this! We’ll start with a quick recap on what UEM Core is.

A Small Recap on What UEM Core is

As I mentioned in the old article:

UEM core is your base for Unified Endpoint Management. When we talk about core UEM, we talk about the tent stakes of UEM, which will include device enrollment, CSPs aka profiles, device compliance, scripts, integrations and remote management. Many people regard UEM core as the minimal viable product for device management. Sure, deploying apps and security are very important, but you can run with a solid core.

That is a pretty good summary of what UEM core truly is. One of the main things that has changed in the last few years is the arrival of the Intune Suite, which reflects Microsoft realizing that people want a full suite of services. Integration is truly the name of the game at this point. With the huge assault of Zero Trust on the marketplace, there is a major focus on tying enterprise products like SASE, Network Virtualization, etc. together to secure the edge and protect user and company data.

Windows Device Enrollment in 2025

As in previous years, the concept is the same: how does each vendor handle and deliver device enrollment capabilities? Before we go too deep, I’d like to call out the MVP of all device enrollment, “Automatic MDM Enrollment”, which lives inside of Entra. This capability is the foundation both WS1 and Intune leverage. It automatically enrolls a Windows device in its respective MDM during the Entra join:

We will focus on each vendor and how they handle the ways you can enroll, automated provisioning options, and enrollment restrictions. Let’s start with Workspace ONE!

Workspace ONE UEM Device Enrollment Capabilities

Like we mentioned earlier, we are going to focus on a few key areas:

Device Enrollment is where the user experience starts and is incredibly important. There has been some significant growth in this area overall, so let’s see where Omnissa’s Workspace ONE has grown here.

Workspace ONE Device Enrollment Options

Since it’s been awhile, I decided to refamiliarize myself with their docs around this.

Workspace ONE UEM offers a few different enrollment options, which are the same as in the past:

  • Enroll via the Intelligent Hub
  • Automated Enrollment
  • Access Work or School
  • Command Line Enrollment
  • Device Staging via “Manual Enrollment”
  • Bulk Provisioning
  • Windows Autopilot (User-Driven, to be discussed more in the Microsoft section)

These are the same enrollment methods we’ve always had with Workspace ONE UEM. They do appear to have their own flavor of pre-provisioning now, which I think is interesting: you import serial numbers into WS1 and perform a staged enrollment, where the device enrolls under a staging account and then flips over to the user the first time they log in.

With the methods above, pretty much all of them are Microsoft staples, with the exception of what I believe is their gold standard with a command line Intelligent Hub enrollment.

Typically, I use something like this code:

##Download Intelligent Hub##
Invoke-WebRequest -Uri https://packages.omnissa.com/wsone/AirwatchAgent.msi -OutFile C:\temp\AirwatchAgent.msi

##Perform Silent Enrollment##
msiexec /i c:\temp\AirwatchAgent.msi /qn ENROLL=Y SERVER=ds.awmdm.com LGNAME=mobilejon [email protected] PASSWORD=Password
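A hardened take on the silent enrollment above, as an added example that is not the author's script or Omnissa's: it verifies the MSI's Authenticode signature before running it and prompts for the staging credential instead of keeping it in the script file. The $ExpectedSigner pattern is an assumption, and USERNAME is assumed as the account property name because the command above shows that token only as "[email protected]".

```powershell
#Requires -RunAsAdministrator
# Added example (not the article author's script). Assumptions are marked inline.
param(
    [string]$MsiUri  = 'https://packages.omnissa.com/wsone/AirwatchAgent.msi', # from the article
    [string]$MsiPath = 'C:\temp\AirwatchAgent.msi',                            # from the article
    [string]$Server  = 'ds.awmdm.com',                                         # from the article
    [string]$GroupId = 'mobilejon',                                            # LGNAME from the article
    # ASSUMPTION: wildcard for the publisher expected in the signer subject.
    # Confirm the exact subject on a known-good copy of the MSI before relying on it.
    [string]$ExpectedSigner = '*Omnissa*'
)
$ErrorActionPreference = 'Stop'

# 1. Download the installer.
New-Item -ItemType Directory -Path (Split-Path -Parent $MsiPath) -Force | Out-Null
Invoke-WebRequest -Uri $MsiUri -OutFile $MsiPath -UseBasicParsing

# 2. Refuse to run an installer whose signature is missing, broken,
#    or issued to an unexpected publisher. The MSI runs as SYSTEM-level
#    code on every enrolled device, so this is the supply-chain gate.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    Remove-Item -Path $MsiPath -Force
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Subject -notlike $ExpectedSigner) {
    Remove-Item -Path $MsiPath -Force
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 3. Prompt for the staging account at run time so the password never
#    lives in the script, a task sequence, or source control.
$cred = Get-Credential -Message 'Workspace ONE staging account (enrollment-only)'

# 4. Build the msiexec arguments. The password still has to be passed on the
#    command line, so it is visible to process-creation auditing (for example
#    Event ID 4688 when command-line logging is enabled). Use a dedicated
#    staging account with enrollment-only rights and rotate its password.
#    Values containing a double quote are not handled here.
$msiArgs = @(
    '/i', "`"$MsiPath`"", '/qn', 'ENROLL=Y',
    "SERVER=$Server",
    "LGNAME=$GroupId",
    "USERNAME=`"$($cred.UserName)`"",   # ASSUMPTION: property name, see lead-in
    "PASSWORD=`"$($cred.GetNetworkCredential().Password)`""
)
try {
    # -Wait is required: msiexec returns control to the shell immediately otherwise.
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
}
finally {
    # Drop the plaintext copy as soon as msiexec has exited.
    Remove-Variable -Name msiArgs, cred -ErrorAction SilentlyContinue
}

# 0 = success, 3010 = success with reboot required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec exited with code $($proc.ExitCode)"
}
Write-Output "Intelligent Hub installed (exit code $($proc.ExitCode)); enrollment continues in the background."
```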

I’ve always been particularly fond of their enrollment experience as a whole:

Workspace ONE Automated Provisioning

The WS1 automated provisioning hasn’t seen any changes. They still have the Dell Dropship Provisioning solution that I spent many years being fond of:

You were able to build unattend.xml and PPKGs that Dell would load in their dark sites somewhere overseas so that apps and configurations would be preloaded before leaving the factory.

You can see a video demo here:

Their other solution for automated provisioning is basically a carbon copy of Windows Autopilot. This is primarily geared at other vendors where you create “tags”, build groups on those tags, and add the payloads you want to be pre-loaded by those tags.

That way a vendor like HP or Lenovo can deliver a nice dropship solution, which works fairly well. Pound-for-pound, I still think Dell’s Dropship Provisioning is the best experience today (even more so than Windows Autopilot). The big issue with Dell’s solution is that your talent needs to know how to build offline apps, which can be really complicated (spoken as the first US customer to ever do it circa 2018).

One thing that I do deduct points for is that to provision existing stock, you need to use their Workspace ONE Provisioning Tool. In my experience, the tool is hit or miss sometimes also.

Workspace ONE Device Enrollment Restrictions

WS1 has a few options around device enrollment restrictions.

Firstly, you can restrict enrollment to specific users/groups along with setting up device enrollment limits, which is always good.

Additionally, they have enrollment restriction policies that give you a bit more granularity:

One other lesser-known option they offer is the ability to leverage registered devices. With this mode, you can only enroll a device if you have registered the device already.

Workspace ONE UEM Enrollment Score: 8.5

Microsoft Intune Device Enrollment Capabilities

Similar to WS1, we will focus on the same categories:

Unlike WS1, Microsoft Intune has made some advances here in the last two years, but some of those advances are still a work in progress, which we will discover in more detail. Many of the capabilities that WS1 leverages today are staples that Microsoft created and made available to everyone. Let’s go!

Intune Device Enrollment Options

This is an area I’ve written a ton about like when I wrote Windows 11 Best Practices Part One: Onboarding. With Microsoft Intune, we have a few viable pathways you can take. The real key is whether that enrollment method makes your device employee-owned or corporate-owned:

| Enrollment Method | Ownership Type |
|---|---|
| Windows Autopilot | Corporate |
| GPO Enrollment | Corporate |
| Automatic Enrollment via SCCM | Corporate |
| Bulk Provisioning Package | Corporate |
| Enrollment via Device Enrollment Manager | Corporate |
| Connecting via Access Work or School | Personal |
| Company Portal | Personal |

We’ll cover the Autopilot options in the next section, but overall most organizations should adopt a methodology of Autopilot for net new, GPO for devices connected to AD/leveraging co-management when SCCM is in play.

The options are straightforward, and work out well, but can get a little tricky when it comes to device restrictions.

Intune Automated Provisioning

When it comes to automated provisioning, the vehicle to get us there is Windows Autopilot.

Windows Autopilot comes in 4 main flavors, which we will discuss very briefly. For more details, you can look at my article mentioned in the previous section:

  • User-driven mode (Windows Autopilot user-driven mode is one of the most recognizable options. Basically, it’s where the device is delivered to an end user from OEM, they power it on and sign in to their Entra account. The device will automatically enroll. Nothing is pre-staged, the device will enroll in Entra, Intune, and push your apps/policies down to the device)
  • Pre-provisioning (This mode slices the user-driven mode into two halves: technician and user. You can think of it like stuff scoped to the device and stuff scoped to the user. Your MSP or OEM will enroll the device as headless device and push all things scoped to the device before it comes to you. This can reduce your onboarding by up to 70%)
  • Self-deploying (Designed for kiosk and shared device deployments. You can’t assign users, it only supports Entra join, and it’s very simple. All it does is Entra join, Intune enroll, and push device-scoped apps and policies down. Compliance checks are also supported. One of the challenges is you need to procure Windows licenses if you have requirements for Win11 Enterprise.)
  • Existing devices (ConfigMgr can even pre-install autopilot profiles via JSON. This automates the importing of the device and assignments usually needed in Intune. The JSON method doesn’t work with self-deployed or pre-provisioning. I often do not recommend it as it has had some security challenges in recent years.)

A new entrant to this arena is Device Preparation, which I won’t spend too much time on as it’s still very new at this point. Commonly known as APv2, some have aspirations it will replace Autopilot at some point, but for now all it usually does is confuse Intune Admins. I wrote Windows Autopilot V2 Device Preparation: Is it Ready? last year, but it’s still too new. One of its many goals is to eliminate the need to import hashes and make the user experience better, which it does. However, it doesn’t support pre-provisioning, hybrid, and much else. Check out my video demo of Device Preparation here:

Intune Device Enrollment Restrictions

The enrollment restrictions with Intune are a bit restrictive.

For the most part, you can block personal devices from enrolling and control enrollment based on OS version.

Otherwise, we have policies to control whether devices can be enrolled or registered to Entra, and whether MFA is required during those actions. The other aspect that plays into this is the Autopilot registration. For a device to enroll in Autopilot, you must import the hardware hash. You can read all about that on my friend Michael Niehaus’ blog article Breaking down the Windows Autopilot hardware hash – Out of Office Hours.

One other item to mention is the set of scenarios where blocking personal devices can wreak havoc.

First, in these scenarios without Autopilot your device will get blocked from enrollment if you block personal Windows devices as you should be:

  • Automatic MDM enrollment with Microsoft Entra join during Windows setup.
  • Automatic MDM enrollment with Microsoft Entra join from Windows Settings.
  • Automatic MDM enrollment with Microsoft Entra join or hybrid Entra join via Windows Autopilot for existing devices.

Intune will also block personal devices using these methods:

  • Automatic MDM enrollment with Add Work Account from Windows Settings.
  • MDM enrollment only option from Windows Settings.
  • Enrollment using the Intune Company Portal app.
  • Enrollment via a Microsoft 365 app, which occurs when users select the Allow my organization to manage my device option during app sign-in.

Intune Enrollment Score: 9.5

Windows Device Enrollment Final Thoughts

The two of them are fairly close. You could say it’s pretty subjective. After running both platforms now for 3+ years each, I found that I prefer leveraging Autopilot because it just scales better for people. WS1 can be very powerful but also requires some decent talent. It probably depends on if you prefer Dropship Provisioning or Pre-provisioning.

I know that many people may not love that I ranked Microsoft above Omnissa in this area, but truthfully, how do you give WS1 full credit for implementing Autopilot and MSFT-backed stuff? I happen to also know on good authority that they could have implemented the ESP (Enrollment Status Page), which is a good standard with strong APIs, but chose to do their own thing. Overall, it really is apples to apples whether people like it or not.

I learned that I like not having to constantly update the packages that I had to do with Dell, and I really love how easy it’s been to manage enrollment in the Microsoft stack.

Windows Device Policies in 2025

Windows Device Policies are what drive everything. We’re talking about the things that configure a Windows device to connect to a network, use their VPN, customize the user experience, and enforce security settings that align with an organization’s security strategy. Both are doing a nice job in both of these areas so it will be interesting to see how they have grown. Let’s start with Workspace ONE.

Workspace ONE UEM Device Policies

In this section, we will cover device policies overall. We will cover the pieces of MDM that configure a device, set its security posture, and leverage scripts to fill the gaps that exist today in the MDM protocol. There are a few areas we will focus on:

Workspace ONE UEM Profiles

First, we will start with my favorite thing about WS1 (the ability to specify a device or user profile). Intune separates this by assigning it to a user or a device, which I can see some people preferring. WS1 lets you simply select that first:

User Profiles: VPN, Credentials, Windows Hello, Single App Mode, Web Clips, Exchange ActiveSync, SCEP, Exchange Web Services, Custom Settings

Device Profiles: Password, Wi-Fi, VPN, Credentials, Restrictions, Defender Exploit Guard, Data Protection, Windows Hello, Firewall (Legacy), Firewall, Anti-Virus, Encryption, Windows Updates (Legacy), Windows Updates, Proxy, OEM Updates, SCEP, Application Control, Windows Licensing, BIOS, Kiosk, Personalization, Peer Distribution, Dynamic Environment Manager, Managed Resources, Custom Settings, Intel vPro®

Amusingly, still in BETA they have basically a CSP creation tool (this has been in BETA for a LONG time). Actually, it was released in June 2023, so yeah far too long.

Looks like they’re also a little behind on updating some of the newer CSPs in there like:

  • AttachmentManager
  • Desktop
  • DeviceGuard
  • EnterpriseCloudPrint
  • EventLogService
  • Feeds
  • FileSystem
  • LanmanServer
  • Multitasking
  • SpeakForMe
  • Sudo
  • WindowsAI

I would say that maybe it’s time to move this out of BETA, as that is Omnissa’s calling card. They take WAY too long to execute and bring things to production. Intune isn’t always perfect with that either, but over two years is pretty extensive. One other comment I would make is that their CSPs should actually FOLLOW the CSP names themselves found here. Consistency is very important and I found some gaps overall. A full list of the CSPs supported by WS1 can be found below:

| AboveLock | DeviceHealthMonitoring | Messaging | SmartScreen |
| Accounts | DeviceInstallation | MixedReality | Speech |
| ActiveXControls | DeviceLock | MSSecurityGuide | Start |
| ApplicationControl | DeviceManageability | MSSLegacy | Stickers |
| ApplicationDefaults | DevicePreparation | NetworkIsolation | Storage |
| ApplicationManagement | DiagnosticLog | | SUPL |
| AppRuntime | Display | NetworkListManager | SurfaceHub |
| AppVirtualization | DMAcc | NetworkProxy | System |
| AssignedAccess | DmaGuard | NetworkQoSPolicy | SystemServices |
| Audit | DMClient | NewsAndInterests | TaskManager |
| Authentication | DnsClient | NodeCache | TaskScheduler |
| Autoplay | Eap | Notifications | TenantDefinedTelemetry |
| BitLocker | Education | Office | TenantRestrictions |
| BITS | EnterpriseDesktopAppManagement | PassportForWork | TextInput |
| Bluetooth | EnterpriseModernAppManagement | Personalization | TimeLanguageSettings |
| Browser | ErrorReporting | Power | Troubleshooting |
| Camera | eUICCs | Printers | Update |
| Cellular | EventLogService | Privacy | UserRights |
| CertificateStore | Experience | Reboot | VirtualizationBasedTechnology |
| ClientCertificateInstall | ExploitGuard | RemoteAssistance | VPNv2 |
| CloudPC | FederatedAuthentication | RemoteDesktop | WebThreatDefense |
| Connectivity | FileExplorer | RemoteDesktopServices | WiFi |
| ControlPolicyConflict | Firewall | RemoteLock | WifiPolicy |
| CredentialProviders | Games | RemoteManagement | WindowsAutopilot |
| CredentialsDelegation | Handwriting | RemoteProcedureCall | WindowsConnectionManager |
| CredentialsUI | HealthAttestation | RemoteShell | WindowsDefenderApplicationGuard |
| Cryptography | HumanPresence | RemoteWipe | WindowsDefenderSecurityCenter |
| DataProtection | InternetExplorer | RestrictedGroups | WindowsInkWorkspace |
| DataUsage | Kerberos | RootCATrustedCertificates | WindowsLicensing |
| Defender | KioskBrowser | Search | WindowsLogon |
| DefenderPolicy | LanguagePackManagement | Security | WindowsPowerShell |
| DeliveryOptimization | LanmanWorkstation | ServiceControlManager | WindowsSandbox |
| DesktopAppInstaller | LAPS | Settings | WiredNetwork |
| DevDetail | Licensing | SettingsSync | WirelessDisplay |
| DeviceGuard | LocalPoliciesSecurityOptions | SharedPC | |
| | LocalSecurityAuthority | SmartScreen | |
| | LocalUsersAndGroups | Speech | |
| | LockDown | Start | |
| | Maps | Stickers | |
| | MemoryDump | Storage | |

I do want to note that they have something on its way to technical preview, but it’s still VERY early (not gated in any of my tenants thus far): Announcing Windows Administrative Template (ADMX) Profiles – Omnissa technical blog

I will admit that what they’re doing is interesting. Basically, these ADMX profiles cannot leverage the OMA-DM protocol (it’s being built for their Windows Server management that is in BETA at the moment). The Intelligent Hub will manage these profiles and configure settings for you in that capacity.

I like this graphic they have as well showing the differences:

The more interesting thing to me will be when this ACTUALLY escapes technical preview since their old settings catalog features were stuck in BETA purgatory for 2 years.

Workspace ONE UEM Baselines

Workspace ONE does a really nice job with baselines and in my opinion much better than Intune does. You can see below, you can leverage custom baselines, CIS L1/L2 baselines, and Windows Security baselines.

The part they really get right is the ability to add additional settings to an existing baseline that you build. This helps with some of the fragmentation that happens with Intune but overall is a nice experience. I’ve also found over the years that changes to baselines replicate faster and more effectively.

Workspace ONE UEM Scripts

The script support on both platforms is a wash. They both handle scripts the same way, so we will just cover it here. The ONE thing that WS1 does better is you can just paste in the code into their GUI, whereas you need to upload a file on Intune. That’s mostly irrelevant but is a literal difference:

Workspace ONE Device Policy Score: 8

Intune Device Policies

Intune does a great job when it comes to device policies, but it’s not frictionless. Similar to WS1, we will focus on those same categories:

Intune Configuration Policies

Intune, similar to Workspace ONE, has two main buckets that they use. We have “templates”, which are for specific purposes, and the “Settings Catalog”, which lets you leverage the many CSPs that Microsoft has to offer. The Settings Catalog isn’t perfect and does occasionally make you need to use custom policies instead, but overall is very good.

Their templates are as follows below:

  • BIOS configurations and other settings
  • Custom 
  • Delivery Optimization 
  • Device firmware configuration interface 
  • Device restrictions 
  • Device restrictions (Windows 10 Team) 
  • Domain join 
  • Edition upgrade and mode switch 
  • Email 
  • Endpoint protection 
  • Imported Administrative templates (Preview)
  • Kiosk 
  • Microsoft Defender for Endpoint (Desktop devices running Windows 10 or later) 
  • Network boundary 
  • PKCS certificate 
  • PKCS imported certificate 
  • Properties catalog 
  • SCEP certificate 
  • Secure assessment (Education) 
  • Shared multi-user device 
  • Trusted certificate 
  • VPN 
  • Wi-Fi 
  • Windows health monitoring 
  • Wired network 

In addition, their biggest benefit is their GPO import capability. You can check out the video below, but basically you can take 3rd party GPOs and import them into Intune to extend capabilities and make configuration/security of certain apps much easier:

Importing 3rd Party ADMX to Intune

The final aspect of their policies is the Settings Catalog, which you will notice has Windows AI support, something that is missing in WS1:

Intune Baselines

Intune Baselines leave a ton to be desired. You do get a large variety of them:

Overall, they’re fairly rigid unfortunately. You can’t add to them, they create a ton of conflicts, and the overall guidance is to avoid them.

For the most part, people use James Robinson’s Open Intune Baseline or use the GPO import tool to import the full security baseline and manage it like a Settings Catalog policy with much more success.

Intune Device Policy Score: 8.5

Workspace ONE Device Compliance

Workspace ONE’s device compliance is fairly straightforward. We can use the following aspects of Windows 10 to perform compliance tasks:

  • MDM Terms of Use (within a certain period)
  • Antivirus Status (Good, Not Monitored, Poor, Snoozed)
  • Automatic Updates (Install Auto, Check but Choose, Never Check, etc.)
  • Device Environment Status (Boot Debugging Enabled, OS Kernel Debugging Enabled, Safe Mode, Test Signing Enabled, VSM Enabled, WinPE)
  • Device Last Seen (within a certain period)
  • OMA DM Client Last Seen (within a certain period)
  • Encryption (not encrypted)
  • Firewall Status (Good, Not Monitored, Poor, Snoozed)
  • OS Version (within a certain version)
  • Passcode (not present)
  • Roaming (is roaming)
  • Compromised Status (compromised or not)

Based on what you choose, you can take an action:

  • Block/Remove All Managed Apps or Specific Apps
  • Wipe or Force Device Check-In
  • Block/Remove All Profiles or Specific Profile
  • Send Notifications

Overall, it’s very effective. Traditionally, you can also leverage the native mail app using ActiveSync to enforce email compliance policies (but not many people aren’t using Outlook if we’re honest).

One other neat thing they support is the ability to set devices as compromised based on health attestation settings:

  • Secure Boot Disabled
  • Attestation Identity Key (AIK) Not Present
  • Data Execution Prevention (DEP) Policy Disabled
  • BitLocker Disabled
  • Code Integrity Check Disabled
  • Early Launch Anti-Malware Disabled
  • Code Integrity Version Check
  • Boot Manager Version Check
  • Boot App Security Version Number Check
  • Boot Manager Security Version Number Check
  • BIOS Verification
  • Software Version Identifiers
  • Code Integrity Policy Hash Check
  • Secure Boot Config Policy Hash Check
  • PCR0 Check

Workspace ONE’s Compliance Score: 9.5

Intune Device Compliance

Intune focuses on different areas for device compliance:

  • Device Health (BitLocker, Secure Boot, Code Integrity)
  • OS versions and builds
  • SCCM Compliance
  • System Security (Password enabled, Encrypted, Firewall, TPM, AV, Antispyware, Defender Antimalware, Defender update status, Defender real-time protection)
  • Defender ATP Risk Score Threshold
  • Windows Subsystem for Linux (WSL)

The new big addition is custom compliance policies:

You can read more about it here in a fellow MVP Peter’s blog article: All about Microsoft Intune | Working with custom compliance settings

Basically, you’re now able to build your own compliance policies for anything running on your PCs like CrowdStrike for example. You can see what it looks like:
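To make the custom compliance idea concrete, here is an added example (not from the article or from Peter's post) of the two pieces such a policy needs, a discovery script and a JSON rules file, with a local pre-flight check that the two agree. The service name CSFalconService, the setting names, the output file name and the MoreInfoUrl are assumptions or placeholders chosen for illustration.

```powershell
# Added example (not from the article): authoring harness for an Intune custom
# compliance policy that checks the CrowdStrike Falcon sensor service.

# Part 1 - discovery logic. The script uploaded to Intune is this function's
# body followed by the final ConvertTo-Json line: one compressed JSON object.
function Get-FalconDiscovery {
    # ASSUMPTION: 'CSFalconService' is the sensor's Windows service name;
    # confirm it on a reference device before deploying.
    $svc = Get-Service -Name 'CSFalconService' -ErrorAction SilentlyContinue
    [ordered]@{
        FalconServiceStatus    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        FalconServiceStartType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
    }
}

# Part 2 - rules file uploaded alongside the discovery script. Each SettingName
# must match a key emitted by the discovery script exactly.
# MoreInfoUrl is a placeholder, not a real help page.
$rulesJson = @'
{
  "Rules": [
    {
      "SettingName": "FalconServiceStatus",
      "Operator": "IsEquals",
      "DataType": "String",
      "Operand": "Running",
      "MoreInfoUrl": "https://example.com/placeholder-falcon-help",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "CrowdStrike Falcon sensor is not running.",
          "Description": "Contact the service desk to have the sensor restarted or reinstalled." }
      ]
    },
    {
      "SettingName": "FalconServiceStartType",
      "Operator": "NotEquals",
      "DataType": "String",
      "Operand": "Disabled",
      "MoreInfoUrl": "https://example.com/placeholder-falcon-help",
      "RemediationStrings": [
        { "Language": "en_US",
          "Title": "CrowdStrike Falcon sensor is disabled.",
          "Description": "The sensor service has been disabled. Contact the service desk." }
      ]
    }
  ]
}
'@

# Part 3 - local pre-flight. Catches the common authoring mistake (a rule that
# references a key the script never emits) and shows how this device would score.
# Only the two string operators used above are evaluated here.
$discovered = Get-FalconDiscovery
$report = foreach ($rule in ($rulesJson | ConvertFrom-Json).Rules) {
    if (-not $discovered.Contains($rule.SettingName)) {
        throw "Rule '$($rule.SettingName)' has no matching key in the discovery output."
    }
    $actual = $discovered[$rule.SettingName]
    $ok = switch ($rule.Operator) {
        'IsEquals'  { $actual -eq $rule.Operand }
        'NotEquals' { $actual -ne $rule.Operand }
        default     { throw "Operator '$($rule.Operator)' is not handled by this pre-flight." }
    }
    [pscustomobject]@{
        Setting   = $rule.SettingName
        Operator  = $rule.Operator
        Expected  = $rule.Operand
        Actual    = $actual
        Compliant = $ok
    }
}
$report | Format-Table -AutoSize

# Write the rules file for upload, then emit what the discovery script returns.
Set-Content -Path .\falcon-compliance.json -Value $rulesJson -Encoding UTF8
$discovered | ConvertTo-Json -Compress
```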

Intune’s Compliance Score: 9.5

Windows Device Integrations in 2025

When we talk about device integration, we’re talking about the things that complement the core features of MDM platforms, like a capability that makes everything better. It could be from 3rd parties or just things that pull it all together. We’ll cover the integrations that make some magic happen on both platforms.

Workspace ONE Windows Integrations

When we talk about integration, we talk about one of the few competitive advantages that WS1 still has: Freestyle Orchestrator. We will cover a few items:

Freestyle Orchestrator

Freestyle Orchestrator, which I’ve written a ton about in articles like Transitioning from Products to Workspace ONE Freestyle Orchestrator for Windows 10/11, is that Intune Admin’s dream come true: a symphony of control where you say when profiles, apps, and scripts are executed as part of a workflow.

Truthfully, there are still gaps like files, but overall it is a pretty nice product that Omnissa would be smart to license to 3rd parties. An example can be seen below:

You can also check out this demo of Freestyle Orchestrator in action:

Workspace ONE Sensors

Workspace ONE Sensors are basically scripts that execute on the enrolled device, collect data, and write it up to Workspace ONE Intelligence to fire off automations. You can access many of the sample scripts here. One that I wrote you can see here:

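# Returns the current O365 Version
# Execution Context: System

# Open the 64-bit view of HKLM so the value is found even from a 32-bit host process
$key = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry64)
$subKey = $key.OpenSubKey("SOFTWARE\Microsoft\Office\ClickToRun\Configuration")

# OpenSubKey returns $null when the Click-to-Run key is absent; return nothing instead of erroring
if ($null -eq $subKey) { return }

$regkey_value = $subKey.GetValue("ClientVersionToReport")
return $regkey_value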

You can build an automation with this that will take an action in the event your sensor tells you that they are on an old version of Office for example:

Workspace ONE Intelligence

Workspace ONE Intelligence is the main automation framework and data lake for Workspace ONE. They have their own flavor of Freestyle Orchestrator in there that is more API driven. For example you can see below:

Another neat one is this automation that fixes Secure Boot issues:

There’s much more to Workspace ONE Intelligence, but that’s the main scope of what we’re looking at. This is another product I would love to see licensed to 3rd parties because it’s powerful. The idea is that data is pulled into the data lake at intervals, and you can action on that data with IFTTT statements (e.g., if this device didn’t install the 24H2 update, execute this script, install that profile, etc.).

It’s a nice iteration of driving a solid user experience and the epitome of integration. The 3rd parties they integrate with out of the box are:

  • ServiceNow
  • Lookout
  • Netskope
  • Carbon Black
  • BETTER Mobile
  • Check Point
  • Dell
  • Pradeo
  • Wandera
  • Zimperium

One thing to note is the WS1 Intelligence automations require their Enterprise license, which is more expensive than the standalone Intune license that many people love to bring up.

Workspace ONE Integration Score: 9

Intune Integrations

We don’t have the same level of integration with Intune fundamentally, but they do handle things in different ways. Intune’s 3rd party integration partners are:

  • TeamViewer
  • ServiceNow
  • Lookout
  • Symantec Endpoint Protection
  • CheckPoint
  • Zimperium
  • Pradeo
  • BETTER Mobile
  • Sophos
  • JAMF Trust
  • Trellix Mobile Security
  • CylancePROTECT
  • Trend Micro
  • SentinelOne
  • CrowdStrike Falcon for Mobile

They don’t specifically have things like WS1 Intelligence or Freestyle Orchestrator. There are a few things that they do offer that I wanted to note:

They have Intune Device Query and Multi-Device Query, which will let you query data off devices in REAL time (not something you can do with WS1). I wrote about it more on Intune Device Inventory Provides Windows Hardware Analytics. You can see for example:

I also have a nice video on it here:

One other thing that I wanted to call out is Intune Remediations, which work off the idea of a “check” script and a “remediation” script that runs either once or at a set interval. I covered a fun use case here with device renaming in Leveraging Intune Remediations to Enhance Windows PC Names.

My example detect script is:

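##Define the Computer Name Prefix to Check For##
$Prefix = ""
Write-Host $Prefix
$details = Get-ComputerInfo
if (($Prefix -ne "") -and (-not $details.CsName.StartsWith($Prefix))) {
    # Exit code 1 tells Intune the device is non-compliant and the fix script should run
    Write-Host "Device name doesn't match specified prefix, time to update!"
    Exit 1
}
else {
    # $() is needed so the property, not the whole object, is expanded inside the string
    Write-Output "$($details.CsName) is the current hostname."
    Exit 0
}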

My fix script is here:

    # Construct the updated computer name
    $updatedComputerName = "SYN-$numbers-Corp"

    # Set the computer name
    Write-Host "Renaming computer to $($updatedComputerName)"
    Rename-Computer -NewName $updatedComputerName -Force

    # Make sure we reboot if still in ESP/OOBE by reporting a 1641 return code (hard reboot)
    if ($details.CsUserName -match "defaultUser") {
        Write-Host "Exiting during ESP/OOBE with return code 1641"
        Exit 1641
    } else {
        Write-Host "Initiating a restart in 10 minutes"
        & shutdown.exe /g /t 600 /f /c "Restarting the computer due to a computer name change. Save your work."
        Exit 0
    }
} else {
    Write-Host "No UPN found. Exiting script."
    Exit 1 # Exit with an error code
}

You can check out the video here:

Intune Integration Score: 7.5

Who’s the Winner for Part 1?

So let’s tally things up. You can see below who won overall across our 4 main categories.

| Product | Enrollment | Policies | Compliance | Integrations | Total Score |
|---|---|---|---|---|---|
| Microsoft Intune | 9.5 | 8.5 | 9.5 | 7.5 | 35/40 |
| VMware Workspace ONE | 8.5 | 8 | 9.5 | 9 | 35/40 |

The score is incredibly close and goes to show that there’s not much of a gap between these two in part one, which supports the logic that for customers where Intune comes with their existing license it’s a no-brainer! At least through PART ONE.

Hit me up with some comments, questions, requests, and anything you might want to see specifically in parts two and three!


2 thoughts on “Workspace ONE UEM vs. Microsoft Intune Windows Edition 2025”

    1. Thanks for the note old friend, I updated some of this a bit. Specifically I believe only user driven AP is supported by 3rd party MDMs (oversight on my part) and some info I added on admx which isn’t flighted for me.

      As always I always appreciate people keeping me honest. It’s very hard writing these articles and I hate missing things as the goal is honesty and openness
