Intune admins - What are the key challenges / limitations on a day to day basis?

If I had to highlight anything you'll need, it'll be patience. Give Intune time to work. Trying to rush Intune just lands you in trouble.

Intune requires some patience. The UI will let you move through actions faster than the service can handle which can result in breaking the service or putting things in a bad state depending on the sequence of actions. Microsoft has slowly been making Intune more resilient to this but when it comes to things like unenrolling and re-enrolling you need to remember to do a self-imposed cool down after the unenroll to give the machine enough time to unconfigure itself before you attempt to re-enroll it. You also have to be patient when it comes to having a device that's been off for a long time come back online. Some admins wants to try to rush getting back to compliant or getting the user back into their e-mail and they end up making things worse. Be patient. Let Intune do its thing.

Upgrading apps that the user has installed but have only been made available (as opposed to required) is not quick and sometimes they never update. I still don't fully understand the mechanism.

Some of the baselines/policies/configurations templates Microsoft puts out don't correctly configure Microsoft Defender or don't properly disregard edition-only settings. E.g. If you try to configure WindowsSpotlight and apply it to a Windows Pro machine, it will report an error instead of considering it N/A.

You have to be very careful about layering your configurations as there are many templates where you can configure the same thing. The good news is that you can typically find conflicts easily.

The Company Portal app does not accurately report what stage it is in when installing applications even after refreshing. Sometimes it updates, sometimes it just reports whatever the initial status was. This is particularly annoying when it's a reattempt of a failed install and the status is "failed". The user has to know to pay attention to the toast notifications instead of what Company Portal's status field says.

On iOS, users can essentially break an app installation if they request to install a required app at the same time the required app is installing. I've never been able to get this to resolve without having to unenroll and reenroll the device.

Win32 applications can sometimes leave behind data in C:\Windows\IMECache and C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Incoming that you have to clean up manually. I suspect this is caused by the machine losing connectivity before the automated clean up happens.

You can't layer policies you want to apply to specific users on but only while on specific devices. You can target users or devices.

I don't like that you can't really prevent global admins from logging into any random Azure AD Joined device. They shouldn't be caching those credentials on random computers. Would be nice if there was a hard stop to that.

Azure AD objects from dead/removed Intune devices are frequently left behind. You'll need to do some clean up here.

Android OS upgrades can sometimes leave you with duplicate AD device registrations. More clean up to do.

Selecting 'Manage' on an Azure AD object just takes you to the all devices list in Intune instead of to the specific device.

Unenrolling iOS devices may not actually revoke app licenses. You can manually revoke them later. It's just another thing to clean up. Remember to hit that revoke licenses button when you're unenrolling a device.

You can't hide store apps (Apple, Google, and Microsoft) when you no longer need them. They'll sit there forever.

There are many tables you can't sort or filter and the data that is exported isn't always nice to look at.

The Microsoft Defender reports only give you the last result of the scan. You don't get to see historical finds.

There is no built-in report to see where a group is being used in Intune (this isn't a unique problem to Intune).

There is no global report for software discovered on devices. You have to drill down to each device and look at it one at a time.

The Graphi API lags far behind feature releases/improvements.

/r/sysadmin Thread