Am I bad at my job, does my job suck, or is Intune & AVD just fucking horrible?
Posted by NLBlackname55NL@reddit | sysadmin | 49 comments
Bit of a rant.
Moved to a new job, been in the support>jack of all trades>sysadmin game for 10 years.
Old job had so many "nice to haves" with third-party software that dealt with printing, app deployment/packaging, end-user workspace, etc. They were all included in our "standard platform" and any client would have them/use them, making us able to generate a nice, stable, easy-to-work-with platform for any engineer.
Simple stuff like pushing printers had a couple third party solutions where we'd make sure drivers were uploaded/tested, and it'd deploy fine to end users.
Deploying new servers/AVDs was done through a standardized run in another third-party software and would come out fine on the other end, or have clear enough notes to where I'd be able to troubleshoot efficiently, then test efficiently by just kicking off another run.
New apps, same deal: package with PSADT/intunewin with a helper script, push through a third-party software and deploy straight to server/endpoint with clear logging/auditing.
FWIW, I left old job due to company decisions such as stripping me of my colleagues and switching up all my clients. Technically, great place to be, had its own issues, but any frustration was with the people, not the tech.
New job is "Modern Workplace Engineer" at a CSP, and we do everything via "The official Microsoft -standard solution".
No third party tools for anything, and it sucks.
In the past two months, for many different types of clients, I've done shit like:
- Drivers through Win32 packages, while printer objects are through remediation scripts, or platform scripts that make scheduled tasks that run during logon. Neither provides centralized logging, they barely ever run correctly, cause UAC prompts due to bad running order, etc.
- Dealing with the recent Adobe CVE & updating packages through Winget, Win32, MSI, all sorts of weird combinations depending on customer environment. None with proper auditing/logging, total set&forget&pray it runs as you hope.
- Getting FSLogix to work on (newly bulk enrolled) AVDs by using a platform script to deploy a SAS key for system-wide access, firing under each user account using a scheduled task (as the client's environment doesn't seem to work with Entra Kerberos or AD DS and not enough hours have been sold to troubleshoot).
- Making and deploying remediation scripts for Windows Update because Windows Update Rings are deploying properly, but clients are just not triggering their updates automatically. Client devices showing >200 days since last attempt, with all relevant services running, even though they check in daily.
- Pushing BIOS passwords through Win32 apps & helper scripts, of course with no access to a physical test device, where the logging can only be placed locally on the device because the client won't allow me to place logging in a storage account/table, etc. Meaning I can't troubleshoot anything remotely and constantly have to bug users to let me check their logging, only for it to fire just fine when tested on my end.
- Clients coming to new job's platform, losing their previous development speed via third-party stuff or even SCCM/MECM, then getting frustrated when we're not able to move as fast on Intune.
None of it ever works properly/reliably/fast.
The culture here, and in a lot of other places from what I'm gathering, seems to be just applying random scripts they've found on Github etc. through Intune, or deploying non-standard solutions such as the systemwide SAS key -thing described above.
None of it ever works reliably and leaves tons of edge cases due to interactions on customer environments and/or Intune's quirks which they only discover when they sprint headfirst into them.
People here seem "fine" with this, as it's "The Microsoft way".
I'm fine with scripts/scripting to get regkeys set or do whatever on end user devices, but fuck me, Intune just does not give you the visibility you need to troubleshoot anything remotely.
My personal main thing: there's no "big red button" to test something. I've seen scripts run perfectly fine with Administrator / PsExec, but still fail when deployed through Intune, of course after waiting 5+ hours for anything to show up in the portal. Syncing on an Intune device seems more like a suggestion to pull stuff, rather than actually forcing it to have a look.
I'm constantly at the mercy of Azure to wait for stuff, and it's completely killing my motivation to work. Any change/Incident I see in the queue just annoys me because I can see so many little speedbumps I have zero impact on.
Does this job suck, do I suck, does MS suck, or does anyone actually have advice for plugging the visibility / actionability -gap MS leaves us with?
BWMerlin@reddit
When I read posts like this I am very glad that we don't use Intune and use an MDM that actually works.
Mechanical_Monk@reddit
"No non-Microsoft tools" seems pretty arbitrary, since it basically means you'll be building most of your own tools using PowerShell (or relying on PowerShell tools built by others which defeats the whole purpose).
So...
Does MS suck? Short answer, yes. Long answer, they suck at a lot of things, but PowerShell is actually pretty decent.
Do you suck? Depends how good you are at PowerShell.
Does this job suck? Depends on your career goals... If you learn to be a PowerShell expert, then the job might be pretty decent and leave you with a marketable skill.
cosine83@reddit
Deploying printers and their drivers can be wholly done in PowerShell fairly easily, too. I wrote a set of nice multi-site capable scripts that keep printer drivers updated across file shares and install the site-specific printers. They can be rerun if the user moves to another site to unmap the other site and map the new site. PowerShell is the backend of so much of Microsoft's stack that it's a requirement to be minimally proficient in it these days, imho.
PaddySmallBalls@reddit
It's a fair response. Much of what some 3rd party solutions offer can be re-created via PowerShell and public APIs.
metroid2k@reddit
I needed to read this today. Intune has been doing my absolute tits in lately, especially now we're rolling out more Mac and Linux machines. I thought it was just me not getting something when it comes to non-Microsoft machines.
Between your rant (which shares a lot of the pain points I've hit) and other people's comments about MS being "worst in class", I think I should start looking at alternatives.
mat-ferland@reddit
You’re not bad at your job, that sounds like an AVD build being run as scripts and hope instead of a platform. fslogix via SAS keys and giant logon scripts is exactly how “Microsoft-only” turns into unpaid custom tooling.
cheltamer@reddit
Intune is ass
matt0_0@reddit
Nerdio + Immybot is the way for AVD imo. The ONLY piece of software we use intune for is installing immybot (which is so dead simple even intune has yet to fuck it up). We've been doing more W365 licensing and leave the default naming convention in the intune provisioning settings, so they all start with CPC-xxxxxxx.
Then we target computers based on name with a subset of our desired state configurations in Immy, and the act of assigning the license to a user causes the cloud PC to spin up such that it shows up in Immybot ready for onboarding. We decided to add that non-automated step of a human being clicking "onboard now bitches" on purpose, but from there, we don't rely on intune for ANYTHING.
BeautifulAd704@reddit
Yeah, that approach makes a lot of sense.
From what I’ve seen, this is basically the common pattern once environments grow beyond a certain point — you stop trying to force everything through Intune and introduce a proper management/orchestration layer on top of AVD.
Otherwise, you end up exactly where OP is: lots of scripts, inconsistent behavior, and very little visibility.
I’ve worked with Hydra for Azure Virtual Desktop, for example, and it follows a similar idea — covering host lifecycle, scaling, and image handling, session insights, and providing a more structured operational model rather than stitching everything together.
Full disclosure: I’ve been in EUC/VDI since the early Citrix days and around AVD for ~7 years, and Hydra actually came out of trying to solve exactly these kinds of gaps. It’s now part of Login VSI.
Not saying one tool is better than another, but I’d definitely agree with the general direction — running AVD without something in that space tends to get painful pretty quickly.
Bubbly-Ad-4027@reddit
Intune is a new product, all those bugs will be ironed out in the coming months, Q3 shaping up to be bright lads.
Rude_Strawberry@reddit
How is it new or is this a joke
Master-IT-All@reddit
That's not the Microsoft Way. The Microsoft Way is to max out profits selling subscription based licenses. So yes, you should sell the customer Intune, but then also you should wrap that into your entire line of tools not try to use an MDM tool for RMM. That sounds like a really shitty place to work. So much wasted time from your description using the wrong tools.
Here's how it kind of is where I work.
So we might use Intune and Autopilot to deploy systems for a customer, but part of that deployment is to install our Remote Management and Monitoring service and Endpoint Protection.
So we'd receive forty new Lenovo laptops, scan in the serial numbers and use the Microsoft Partner Portal to register the devices for Autopilot in that customer's Intune/Entra/365 environment.
Often we actually don't deliver the laptop to the users but instead issue a Temporary Access Pass (TAP) for the user in Microsoft Entra. We use the TAP to sign in for the Autopilot workflow as the intended primary user. Autopilot works as great as a self-driving car. Perfect in the lab. Don't know if I'd trust even ten systems to go out the door untested.
As part of the Autopilot deployment our RMM and EDR are installed. The technician completes the primary setup of the device and it should be good to go to the end users.
Most modern printers that you'll find in home and small office now work without an admin-level install. It's really only the big dinosaur MFPs that require print servers, so I never really worry about printers now. Even so, a tech usually goes on site and is ready to install.
Through the RMM I have several remediation tasks running, for example on all customers I run a remediation to set the OneDrive client to always leave at least 10GB free. That along with the device clean up remediation pretty much eliminated the need to monitor and alert for disk space on end points.
GhostDan@reddit
You'll get the normal MS haters here, but Intune is pretty much an industry standard at this point, and replacing it would require multiple applications, which just doesn't make sense.
AVD can take a while to get going perfectly, but can work out of the box for most use cases. It's a lot easier than trying to get citrix in the cloud running, in my experience.
RikiWardOG@reddit
I mean I'd beg to differ. It depends how much you're already ingrained in MS and how much of a hold they have on you already. But it's honestly not very hard to not use Intune, especially for smaller companies. RMM tools are cheaper, faster, and more reliable than Intune from all of my testing, and have better reporting. Config profiles in Intune are more or less just regkey entries. If you know what key you need to modify, it's honestly easier to not use Intune. Intune is only the "standard" because management is cheap and Intune gets bundled with whatever Office licensing they purchased. When it comes down to it, I honestly think Intune sucks at most of what it does.
Drakoolya@reddit
100% agree, I don't think this fellow has ever had a Zero Day event where something had to go immediately and was required to give an hour-by-hour report of compliance.
rsysadminthrowaway@reddit
This is like arguing that bacteriophages are the superior life form on the planet because they're the most numerous.
Intune is a turd that does a half-assed job at everything. The only reason it has seen success is the "it comes free with your license" bundling Microsoft is doing to ice out superior products.
It's not even as good as SCCM was. Machines checking in every eight hours is an absolute fucking joke, same with not having stats on your deployments until like 24 hours after they start.
Drakoolya@reddit
Intune has made my job and sysadmin work in general more terrible. It is a half-baked product built by engineers that honestly don't fully understand how sysadmins and IT departments that need real-time feedback work.
Regen89@reddit
Not normal but also not specific to Intune. Assuming by PSExec you mean running something as system. If the behaviour does not match what happens when being manually run as system you either have some security client causing problems or intune is farting out and not your actual script (or else you have a VERY interesting problem on your hands).
Kinda crazy, not sure why Intune would slow you down any besides the final smoke test.
Extremely not normal. Intune has lots of issues, but if the client is in working order it is usually super fast at picking up new apps -- otherwise you might be running into the default sync timer (8 hours), you can run this manually via Control Panel (Access Work or School -> Info button on your org) or Company Portal.
M$ does suck, not sure about you, but the job is usually what you make of it and just how ok you are with being passive about it if your job does actually suck.
tmontney@reddit
Over the last few years, I cannot imagine sticking strictly to the Microsoft solution. Many times, either their "solution" is half-baked or they don't have a solution at all.
I get the comfort in sticking close to the vendor, off-the-shelf mentality. But there's a point where it doesn't work and pretending otherwise will drive you mad. Your management lives in a fantasy.
RikiWardOG@reddit
I came from traditional MS tools for everything shops. They slowly moved away and the place I'm at now, we use as few of their tools as really possible. MS year over year gets worse and worse. Honestly, sometimes it feels like they're trying to get rid of customers.
tmontney@reddit
Just like Micron killing off Crucial or Broadcom's price hikes.
disposeable1200@reddit
A few things stand out.
Firstly - no non Microsoft tooling is insane. I've worked with partners of the year and leading partners - they all implement non Microsoft tooling where it helps or makes considerable time savings.
Secondly - your management or technical directors seem either inept or out of touch. You're deploying AVD but can't get a simple host join working? Manual scripts with SAS keys for FSLogix? Either someone is selling too few hours or you're not doing things properly.
Thirdly - just, everything you've said - this job sounds horrendous. I'd be looking to move regardless.
chesser45@reddit
SAS for profiles is weird. Now generally you’d use a GPO to push the FQDN of the storage account and share but permissions are RBAC assignment via the group giving AVD access.
screampuff@reddit
SAS for profiles is typically for Entra only AVD, so there is no GPO. But it should be baked into your session host deployment in Azure, not in Intune after the fact.
disposeable1200@reddit
Yup.
Exactly what we do - GPO with the azure files URL.
RBAC on azure files and connected to Entra and AD DS.
Works lovely, 0 manual anything and can spin up or down session hosts as you wish.
NLBlackname55NL@reddit (OP)
Default here is profile location via the vhdpath regkey, and then access via SAS, both done in a scheduled task during logon. Their "standard" script also includes the exclusions.xml which is pulled from the storage account, as well as some of the other regkeys.
Of course all in one big script, so impossibly difficult to granularly assess failures remotely.
Identity-based access via AD DS / Entra Kerberos isn't "preferred"; I haven't heard a good explanation yet.
NLBlackname55NL@reddit (OP)
Thing is, the main "Modern Workplace Architect" guy seems capable and willing. We're trialing third-party tools for a project where we'll be mass deploying standardized environments regularly (through some whitelabelling). But for all the other stuff, he seems "content" with Microsoft.
Right before I joined, this place trialed a tool that I also happen to have used at my old place, that allows application pushing/pulling with some standardized GUI stuff for fonts/msi, and also has some nice-to-haves like creating desktop environments for users, editing taskbar, etc.
I didn't love it, but it worked reliably and allowed me to do some very direct testing rather than constantly waiting for syncs etc. We'd push that client via Intune, and the rest would go via that app.
The architect here called it "useless" and "an added cost" because "Microsoft also does it". Same time we're deploying AVDs from images on MS's store and running all packages/config profiles etc. over them each month as that's his idea of "Image management".
I'm on the fence. Pay's good, but the way we do things here just really doesn't sit well with me.
MidnightBlue5002@reddit
i mean ... you did ask about how they run their shop during the interview process ... right?
DropTheBeatAndTheBas@reddit
Yeah, there are guys who have the skills to automate everything themselves, but someone/others has to manage it all; then there are tools like Nerdio that can help do it all.
screampuff@reddit
This is what supersedence is for. Some folks also write dummy reg values like HKLM\Software\Contoso\Intune\jobname\yyyymmdd-jobrun and then check for them before doing certain things. I like to pull the IPv4 subnet and then use logic based on that to install the appropriate printers.
Winget is a user context tool and it doesn't work with Intune without third party hacks. W32 and such is for deployment, not managing updates. You also should not mix LOB and W32 apps or it causes errors. Microsoft Store, or Enterprise Application Management are the official tools to manage app updates.
Azure Files supports Entra groups for NTFS now. Intune is also not the way to manage such a thing, it should be baked into your Session host deployment straight from Azure, or your golden image.
This is a weird one, WUfB or Autopatch is probably the best thing about Intune. We have 500 devices and at any given time like less than one percent are out of date on the default out of box setup.
Use Azure Monitor Agent and have the devices log to your SIEM. Your script can log to a custom Event Viewer application log. Alternatively your PowerShell script could connect to an Azure blob and drop a log file there in some bucket.
Make sure you're following best practices like deploying apps/config/scripts to Device Filters and not dynamic device groups and stuff like that. And be aware that remediations always run on the next schedule, so they are not ideal for deployment. Some of my remediations are in conjunction with platform scripts designed for initial deployment.
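The subnet-driven printer mapping and the "log to a custom Event Viewer application" idea from the post above, as an added PowerShell example that is not screampuff's code. The event log and source names, the site/subnet table and the printer share names are constructed placeholders.

```powershell
# Added example, not from the thread. Per-user logon script: pick the site by IPv4 subnet,
# map that site's shared printers, unmap the other sites' printers, and log every step to a
# custom Windows event log so the result can be collected centrally (Azure Monitor Agent / SIEM)
# rather than living only in a local text file. All names and subnets below are constructed.

$LogName = 'Contoso-Intune'          # hypothetical custom event log
$Source  = 'PrinterMapping'          # hypothetical event source inside that log

# Constructed site table: CIDR subnet -> shared printer queues for that site.
$Sites = @{
    '10.10.0.0/16' = @('\\print-ams\AMS-Floor1', '\\print-ams\AMS-Floor2')
    '10.20.0.0/16' = @('\\print-rtm\RTM-Main')
}

function Write-ScriptEvent {
    param(
        [string]$Message,
        [ValidateSet('Information', 'Warning', 'Error')][string]$EntryType = 'Information',
        [int]$EventId = 1000
    )
    try {
        Write-EventLog -LogName $LogName -Source $Source -EntryType $EntryType -EventId $EventId -Message $Message -ErrorAction Stop
    } catch {
        # Source not registered yet: New-EventLog needs admin rights, so run it once from the
        # device-context deployment script. Fall back to a local file so the run is never silent.
        $fallback = "$env:LOCALAPPDATA\Contoso\PrinterMapping.log"
        New-Item -ItemType Directory -Path (Split-Path $fallback) -Force | Out-Null
        Add-Content -Path $fallback -Value "$(Get-Date -Format s) [$EntryType] $Message"
    }
}

function ConvertTo-UInt32 {
    param([ipaddress]$Address)
    $bytes = $Address.GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)               # BitConverter wants little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet {
    param([ipaddress]$Address, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    ((ConvertTo-UInt32 $Address) -band $mask) -eq ((ConvertTo-UInt32 $network) -band $mask)
}

# Use the adapter that actually has a default gateway; that is the one routed to the site network.
$ip = Get-NetIPConfiguration |
    Where-Object { $_.IPv4DefaultGateway -and $_.NetAdapter.Status -eq 'Up' } |
    Select-Object -First 1 -ExpandProperty IPv4Address |
    Select-Object -First 1 -ExpandProperty IPAddress

if (-not $ip) { Write-ScriptEvent 'No IPv4 address with a default gateway; skipping.' 'Warning' 1001; return }

$site = $Sites.Keys | Where-Object { Test-InSubnet -Address $ip -Cidr $_ } | Select-Object -First 1
if (-not $site) { Write-ScriptEvent "Address $ip matches no known site." 'Warning' 1002; return }

$wanted  = $Sites[$site]
$known   = $Sites.Values | ForEach-Object { $_ }   # every printer this script manages, all sites
$current = Get-Printer | Where-Object { $_.Type -eq 'Connection' } | Select-Object -ExpandProperty Name

# The user roamed: unmap printers that belong to another managed site, then map the missing ones.
foreach ($p in $current) {
    if ($known -contains $p -and $wanted -notcontains $p) {
        Remove-Printer -Name $p
        Write-ScriptEvent "Removed $p (not part of site $site)." 'Information' 1010
    }
}
foreach ($p in $wanted) {
    if ($current -contains $p) { continue }
    try {
        Add-Printer -ConnectionName $p -ErrorAction Stop
        Write-ScriptEvent "Mapped $p for site $site." 'Information' 1011
    } catch {
        Write-ScriptEvent "Failed to map ${p}: $($_.Exception.Message)" 'Error' 1012
    }
}
```

Run it as the user (scheduled task at logon, as the post describes); registering the event source is the one step that needs the device-context script.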
MeetJoan@reddit
Frustration is real and you're not bad at your job. The Intune-only setup genuinely has the gaps you're describing.
Two things that help most: stop relying on the portal for troubleshooting and pull IME logs directly from C:\ProgramData\Microsoft\IntuneManagementExtension\Logs - the portal is theatre, the real signal is on the device. And the cultural problem (random GitHub scripts, no proper testing) isn't a Microsoft issue, it's a CSP-doing-Intune-poorly issue. Mature MEM shops use proper packaging (PSADT, Win32 Content Prep) and centralised logging via Log Analytics. Doesn't suck because of you. Mostly sucks because of how it's being deployed.
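Reading the IME logs straight off the device, as the comment above suggests, as an added PowerShell example that is not MeetJoan's code. It assumes the logs use the CMTrace line format (the thread does not say so); the sample lines are constructed, not real IME output.

```powershell
# Added example, not from the thread: parse the IME logs on the device and surface the warnings
# and errors for one app or script instead of waiting for the portal. Assumes the CMTrace format
# <![LOG[message]LOG]!><time="..." date="..." component="..." type="..." ...>, type 1/2/3 = info/warning/error.

$ImeLogDir = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'

function Get-ImeLogEntry {
    param(
        [Parameter(Mandatory)][string]$Content,   # raw text of one log file (Get-Content -Raw)
        [string]$Filter = '.*',                   # regex on the message, e.g. an app name or GUID
        [int]$MinimumType = 1                     # 1 = info, 2 = warning, 3 = error
    )
    # Singleline so messages that span several lines (stack traces) are captured whole.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"'
    $levels  = @{ 1 = 'Info'; 2 = 'Warning'; 3 = 'Error' }
    foreach ($m in [regex]::Matches($Content, $pattern, 'Singleline')) {
        $type = [int]$m.Groups['type'].Value
        if ($type -lt $MinimumType) { continue }
        if ($m.Groups['msg'].Value -notmatch $Filter) { continue }
        [pscustomobject]@{
            Timestamp = "$($m.Groups['date'].Value) $($m.Groups['time'].Value)"
            Level     = $levels[$type]
            Component = $m.Groups['comp'].Value
            Thread    = [int]$m.Groups['thread'].Value
            Message   = $m.Groups['msg'].Value.Trim()
        }
    }
}

# Constructed sample in CMTrace layout (not real IME output) so the function runs offline.
$sample = @'
<![LOG[[Win32App] Starting enforcement for app: contoso-agent]LOG]!><time="09:14:02.1234567" date="3-12-2025" component="IntuneManagementExtension" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Detection script exit code 1, no output: treating contoso-agent as not installed]LOG]!><time="09:14:03.7654321" date="3-12-2025" component="IntuneManagementExtension" context="" type="2" thread="12" file="">
<![LOG[[Win32App] Install command failed for contoso-agent, exit code 1603
   at Contoso.Installer.Main()]LOG]!><time="09:14:31.0000000" date="3-12-2025" component="IntuneManagementExtension" context="" type="3" thread="12" file="">
'@

Get-ImeLogEntry -Content $sample -Filter 'contoso-agent' -MinimumType 2 | Format-Table -AutoSize -Wrap

# On a real device: every log in the IME folder, warnings and errors only.
# Get-ChildItem "$ImeLogDir\*.log" | ForEach-Object { Get-ImeLogEntry -Content (Get-Content $_ -Raw) -MinimumType 2 }
```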
disposeable1200@reddit
Think you replied with the wrong account
unccvince@reddit
MS only shops are mostly based in the US, in my experience there is more diversity with tooling in Europe.
For example in France, the WAPT deployment software is real good from a perspective of pricing and features; the software is effective and easy to use, and it is making US-based UEM companies truly work real hard to gain market share there.
The poor guys at Tranquil IT, the maker of WAPT, are so swamped with local demand that their most sane choice is to manage their international expansion, let's say, "prudently".
notHooptieJ@reddit
Yes.
gumbrilla@reddit
You poor bastard. I'm sorry - I feel for you. That is not normal... and yeah, it's like throwing darts while blindfold, and then getting told you missed.
thirsty_zymurgist@reddit
More like needing to ask someone in another room if you missed.
IT2DJ@reddit
I worked at an MSP (before it was acquired) where management/ownership said: "If a tool helps you do your job better, then let's buy it."
So yeah, I don't think it's you. :-(
thirsty_zymurgist@reddit
I'm more of the motto, "If we are going to have a lean staff... then we better have the tools in place to make up for it".
ncc74656m@reddit
It really depends on a lot of things. I've deployed specific drivers such as a non-Dell version of the AX210/211 driver to resolve known issues/crashes from those devices, and it worked fine. That said, we moved to Framework and FW devices bundle drivers only - you can't get them individually for some really stupid reason. (Framework, this sucks, fix this.) But for most other devices, we just deploy the Dell/HP/whatever support tool, sometimes with a "run on first boot" command or whatever, and then that applies drivers.
That said, spot on about the complete lack of a unified solution for printers (Microsoft is probably doing this on purpose to try to force Universal Print on everyone), and packages that don't deploy neatly (like the Framework driver package) are just awful.
Autopilot also gets really slow with very generic errors if you have some sort of problem with one of your scripts or packages. It almost always fixes itself after clicking "Continue anyway," but you have to be mindful to make sure your scripts are actually running right and not quietly erroring out.
Could it be better? Absolutely. Does it work well if you treat it right? Just like me, yes, usually. But sometimes we both still skip out for a coffee break.
7ep3s@reddit
intune is always out of tune
aes_gcm@reddit
Boooooooo
ApolloMorph@reddit
It's all a double-edged sword. You have sysadmins that want everything now and have their own idea of how it should work, and use 3rd party tools and automation scripts galore. Then you have sysadmins who do everything using MS tools and by the book and just shrug at the limitations such as speed, immediate deployments, etc. Almost always there is a way to make stuff work with just MS tools.
For example, I use remediation scripts for almost nothing and package them all up as Win32 apps that leave markers, with another script to "uninstall" what I just did to back it out. You then get a clear installed or uninstalled result instead of wondering if your script ran. Throw that as available in Company Portal and you can run 'em on demand, etc.
You might like using 3rd party tools, or custom scripts for everything, but then if it's not working or you hit a weird edge case later you cannot open a case with MS because what you did is not supported. If you're working in an MSP it's actually probably a lot better to use the official supported tools for the most part for what you do, or at least use 3rd party tools that MS supports and that have their own good internal support mechanisms, so when the next guy takes a look they're not clueless about what you did and wasting half a day of un-billable hours to untangle it. Because the next guy to get hired at that MSP is probably going to know how all the MS stuff works but not your 3rd party tools or custom scripts, unless you document the living hell out of everything ELI5 style. Just my two cents.
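The marker pattern ApolloMorph describes (a Win32 app that leaves a marker, with an uninstall to back it out, so detection gives a clear installed/not-installed result), combined with the dummy registry values screampuff mentioned earlier, as an added PowerShell example that is not code from either poster. The job name, the Contoso key and log paths and the managed policy value are constructed placeholders.

```powershell
# Added example, not from the thread: one script that is the install, uninstall and detection
# command of an Intune Win32 app. It leaves a marker key (screampuff's HKLM\Software\Contoso\Intune\<job>
# convention) so the app reports installed / not installed instead of "the script ran, maybe".
#
#   Install:   powershell.exe -ExecutionPolicy Bypass -File .\ConfigJob.ps1 -Action Install
#   Uninstall: powershell.exe -ExecutionPolicy Bypass -File .\ConfigJob.ps1 -Action Uninstall
#   Detection: the same file, default action Detect (exit 0 plus STDOUT output means "installed")
param([ValidateSet('Install', 'Uninstall', 'Detect')][string]$Action = 'Detect')

$JobName    = 'DisableAutoRun'                          # hypothetical job name
$JobVersion = '1.2'                                     # bump to force a redeploy through the marker
$MarkerKey  = "HKLM:\SOFTWARE\Contoso\Intune\$JobName"  # constructed marker path
$LogFile    = "C:\ProgramData\Contoso\Logs\$JobName.log"
# The managed setting itself (constructed example): the Explorer policy that disables AutoRun on all drive types.
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolicyName  = 'NoDriveTypeAutoRun'
$PolicyValue = 255

function Write-Log {
    param([string]$Message)
    New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
    Add-Content -Path $LogFile -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') [$Action] $Message"
}

function Test-JobMarker {
    # Installed means: marker present with this version AND the setting really has the value.
    # If someone reverted it by hand, detection fails and Intune re-runs the install on the next check-in.
    $marker = Get-ItemProperty -Path $MarkerKey -ErrorAction SilentlyContinue
    $actual = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue).$PolicyName
    return ($marker.Version -eq $JobVersion) -and ($actual -eq $PolicyValue)
}

function Install-Job {
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value $PolicyValue -Type DWord
    New-Item -Path $MarkerKey -Force | Out-Null
    Set-ItemProperty -Path $MarkerKey -Name 'Version' -Value $JobVersion
    Set-ItemProperty -Path $MarkerKey -Name 'LastRun' -Value (Get-Date -Format 'yyyyMMdd-HHmmss')
    Write-Log "Set $PolicyName=$PolicyValue, marker version $JobVersion written."
}

function Uninstall-Job {
    # Back the change out, then drop the marker so detection reports "not installed".
    Remove-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    Remove-Item -Path $MarkerKey -Recurse -Force -ErrorAction SilentlyContinue
    Write-Log 'Policy value removed, marker cleared.'
}

switch ($Action) {
    'Install' {
        Install-Job
        if (Test-JobMarker) { exit 0 }
        Write-Log 'Post-install check failed.'
        exit 1
    }
    'Uninstall' { Uninstall-Job; exit 0 }
    'Detect' {
        # Intune's rule for detection scripts: exit code 0 AND something on STDOUT = detected.
        if (Test-JobMarker) { Write-Output "$JobName $JobVersion installed"; exit 0 }
        exit 1
    }
}
```

Because detection checks the real setting and not just the marker, the portal's install state stays honest when a device drifts, which is the visibility the thread complains plain scripts never give.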
Fallingdamage@reddit
So you went from clickops to the actual engineering of solutions?
You can usually figure out how to capture logging on that stuff, even if you have to have the script itself write its own logs. I do this a lot.
Sounds like your machines need more than just updates. They need some policies to keep them working and installing updates on time.
Yeah, Intune is nice for some things for sure, but Microsoft is pushing it as a single-stop solution like they did for SharePoint; shoehorning it into every need without thinking about overhead. Your clients have domains/DCs? Use Group Policy. It's fast.
Sounds like a shitshow.
I pay for and run my own O365 tenant just so I can hack away at it and configure parts of it with impunity. When it comes to doing things in my work environment, I come across as clairvoyant after all my quiet testing and burning things down in my own Entra bubble.
wayfarerjones@reddit
Get Nerdio and stop sweating it
MyLegsX2CantFeelThem@reddit
Yes.
grubbypaws-@reddit
Also double yes.
Flaky_Key3363@reddit
All three can be true
theMightBoop@reddit
All of the above.
Just kidding.
We are kind of in the same boat. While we can use some 3rd party solutions those we purchase are at the whim of someone much higher than me.
I am basically top tech dog for my branch we fall under a larger corporate entity. So while our branch will approve and finance almost anything I request the parent organization will almost certainly deny or stonewall anything we ask for. It’s not a money thing, as I said we will pay for it but also I am not asking for anything crazy expensive. But the larger group will deny just about anything just because it’s not their priority and they don’t understand what we do.
Their concern is office workers who use standard off the shelf software and simple workflows. Spreadsheets and Word docs. I support scientists who use lab equipment. So trying to explain to people who have never stepped foot in a lab in their life why we need something different is my everyday challenge.
So yea, I have to end up using a bunch of shit Microsoft products that we get through M365 or copilot or whatever the fuck MS is calling it today.
chrono13@reddit
Every single solution that we try as an alternative to Microsoft's standard solution blows Microsoft out of the water.
Generally, we can't actually afford any of them past trial periods. But just know that Microsoft is absolutely terrible. They are attempting to build a cloud Monopoly, on top of an existing software Monopoly, on top of an existing OS Monopoly. And it's working.
Microsoft's solutions are almost always worst-in-class. As the old saying goes, no one ever got fired for buying IBM. They should have. The same is now true of Microsoft.