Inside Intune: The architecture behind the scenes
Introduction
Intune has been on the market for over 10 years and has undergone constant innovation. In the early days, everything was different: the name, the technology, the endpoints it could manage, its general capabilities, and the way customers used the product. In 2024, Intune has become a powerful, cloud-powered, cross-platform endpoint management and MDM solution that, in my opinion, has reached a level of maturity where every organization should consider trying out its features.
What to expect
I often hear from customers that they are not satisfied with either the performance or the offerings of Intune. I listen to their concerns with an open mind, but I also try to balance their expectations against the reality of what Microsoft (can) deliver in terms of services, features, or products. This post will summarize some of the architecture behind the scenes to help customers:
- 🧠Understand the complexity and orchestration amount behind the scenes that Microsoft invests and is responsible for to ensure industry-leading security
- ⚠️ Raise customer awareness and explain why some things in Intune are sometimes not satisfying
- đź’ˇ Get inspired by this fascinating technology and get teased on what's next
There is not much public information about what's happening in the background. For us as customers it is often a "black box". Rudy Ooms blog is probably the best community source, but I also want to shout-out and thank the Intune engineering team for sharing information and help us better understand of their daily work and the incredible things they build. ❤️‍🔥
How Intune is run
Server-side
Let’s first look at the server-side. All components here are managed under Microsoft's responsibility. The computing power that runs the service is hosted first-party on Microsoft’s own infrastructure within Azure. Intune operates globally, distributed across various Azure regions and in sovereign clouds. In each region, multiple Azure Scale Units (ASUs) are deployed, hosting the Platform as a Service (PaaS) Intune itself. These ASUs encompass all the microservices, from the initial customer touchpoint on the UX, to the business logic and storage components behind the scenes. Billions of transactions are happening daily on the service endpoints of Microsoft. (Device check-in, admin action or scheduled task)
A critical component in this architecture is Microsoft Graph, which operates under the hood of the user interface, handling HTTP methods (GET, POST, etc.). Through Graph and its API, IT administrators can manage and customize their Intune service instances/customer tenants.
You can look up in Intune > Tenant administration > Tenant details in which tenant location (ASU) your tenant is hosted.
Client-side
The counterpart to the service is the client—in this case, a managed Windows device or endpoint. Keep in mind that depending on the operating system involved, the technology and communication stack can vary.
When the Intune service delivers a payload, a lot of things come to play. This is also why things go wrong mostly at this stage. Now we have to deal with different technologies, latency, payload delivery technique, translation between protocols and client-side performance. The most critical aspect is the secure connection between the server and the client. To establish it, they perform a handshake and start exchanging data, only when the security requirements are fulfilled. Depending on the content (relevance, type, occurrence or schedule) which is delivered, different communication channels are utilized. There are traditional protocols like OMA DM or the Windows Push Notification services for fast communication, other channels to support certain scenarios like the Intune Management extension and the future looks bright with WinDC with its declarative, efficient and reliable and of course state-of-the-art approach.
As soon as a command is retrieved by the client through a channel, the next step is to convert, translate, or process the message to determine how to act on it. Windows utilizes various agents, and the command needs to be parsed correctly to interact properly with the system interfaces. In theory, this is where the Intune process ends, as the OS provides its own methods for configuration and reporting, independent of Intune. (For context, some Intune functionality relies on the configuration service providers CSPs native to Windows the same way other MDM vendors rely on these CSPs to configure Windows and some Intune functionality has no such dependency) After the client processes the changes or reports during a check-in, the status is sent back to the service and displayed for the IT admin.
đź”® Bonus tip: Oliver Kieslbach's SyncML viewer is a great tool to analyze client-server communication in Intune.
Takeaways
Microsoft is constantly optimizing the service behind the scenes and is dedicated to bring innovation through the latest technology, ensuring the Intune platform is ready for future horizons. Quality of Service (QoS) remains a top priority, with a strong focus on security and continuous improvement through initiatives like SFI.
Significant investments are being made to deliver more customer value and make Intune better and better. Enhancements are rolled out across the entire stack, from technology and capacity allocation to service design, architecture, communication, client-side and user experience, latency, notifications, transparency, and predictability. But it needs time! The deployment of new features is carefully planned to avoid negative customer impact at all. Each feature update undergoes multiple testing cycles, and telemetry is painstakingly monitored. The same level of attention is given to already operational features. The engineering teams monitor service health and operational graphs to ensure smooth operation.
Feedback is listened to! Whether it's through the feedback portal, direct communication with the product group, the customer experience team, or within the community, customer voices are heard.
The scale and complexity of the service must not be underestimated. When I speak with the product group and engineering teams, I have a deep appreciation for their work. The service they are building is incredibly complex and is impacting hundreds of millions of devices and people and organizations. Operating a globally leading MDM platform requires hundreds of people—from those writing the code and maintaining the infrastructure, to those bringing it to customers and gathering feedback on features and support. There is a shared mission among all teams: to deliver the best possible product and continuously improve for the future.
I hope this post gave you a glimpse into what goes on behind the scenes. While some of the technology might always remain a bit of a "black box", due to its complexity and intangibility for the average customer.
I am confident and excited about the future evolution of Intune!
powered by Oceanleaf