ConfigMgr/Intune Service Engineering team structure and silos


Hello there. my name is Shitanshu Verma and I am the service engineering manager responsible for Intune and ConfigMgr service delivery to internal Microsoft IT. My team plays a critical IT Pro role for managing mobile devices and PC for all of Microsoft IT. One of the commonly asked queries I have been asked from many customers is how we operate and what are the defined roles and responsibilities across the team. This blog is focus on our team charter and team structure. From the organization perspective we are a service engineering or DevOps team within ConfigMgr and Intune product engineering family which gives us close proximity to all developer and features team for driving product improvements based on real world experiences. Microsoft IT is our internal customer whom we offer list of services for overall PCs and mobile device management with defined SLAs and OLAs (next blog topic for sharing how we measure and report SLAs for various services)

Before we go into more details for team structure and size, one of the key facts to mention is about the ConfigMgr architecture/scale and that we do many things which are quite different than many other customers. As we do multiple release of internal product for “dogfooding” which ends up deploying 2-3 release of different product in production. It help us in finding product bug which sometimes are usually found in production scale. This causes our team to be in constant churn of changes, deployment and validation so in conclusion one team size does not fit for all. It’s primarily driven by business goals and workloads. This blog is not necessarily to reflect as recommendations for team size or structure. But it’s just to share how we do it at Microsoft for managing ConfigMgr and Intune services.

ConfigMgr architecture/scale overview

Overall the team has a combination of full time employees (FTEs) and contingent staff for managing all service functions and delivery. We have categorized 4 silos in the team which are aligned with functional load such as Infrastructure and Client health, Application & OS deployment, Security and Compliance and the last one is SQL Administration and Reporting/BI. Here are more detailed list of responsibilities aligned with each workload. The key thing to call out that we don’t differentiate workload by product or platform such as weather its Intune or ConfigMgr or PC vs mobile devices, it’s all aligned with core functional area.

  • Security & Compliance Management (2 FTEs + 4 Contingent staff)
    • Monthly Security Patching and Anti malware definition update
    • Mobile Device Security Policy management
    • Conditional Access Policies management
    • Windows Hello for Business cert and policy delivery
    • Windows Information Protection Policy management (formerly EDP)
    • Internal Test Pass – Deployment and validation for pre- release security update
    • Device resource Access – Wi-Fi certs, VPN Profile deployment
    • Mobile Application Management (MAM) Policies
  • Application & OS Deployment/Upgrade Management (2 FTEs + 4 Contingent staff)
    • Application Packaging and Deployment
    • Windows 10 Operating System Upgrades
    • Mobile device App publishing automation/workflow
    • Setting Management
    • Company Portal & Software Center related services
  • Client/Device Health & Infrastructure Management (2 FTEs + 6 Contingent staff)
    • ConfigMgr Client health and reach
    • Device Health and Enrollments
    • Access mgmt. like RBAC etc.
    • ConfigMgr Infra health and uptime
    • Access mgmt. like RBAC etc.
    • Infra capacity and performance
    • ConfigMgr Infra Incident, Change, Problem mgmt.
  • SQL administration/Reporting and Asset Mgmt. (1 FTEs + 1 Contingent staff)
    • Custom CM Report and Power BI Dashboard/Reports
    • Hardware and Software inventory extension mgmt.
    • SQL Server administration – maintenance jobs (DBA)
  • Program and Service Management (1 FTE)
    • Project and service management
    • Service catalog and SLA review
    • Sprint Master

I hope this blog has helped in sharing how we have organized team roles and responsibilities for managing ConfigMgr and Intune service delivery. Stay tuned for next blog on how we measure and report our services SLA.

If you have any questions or feedback let us know in the comments below!


Comments (4)

  1. A55imilat0r says:

    nice overview. I would really like to know how this fits in with the internal ring deployment of windows 10 and then if there is a connection for business / consumer deployment of fast/slow/CB/CBB of win 10 enterprise ? We would really like to use SCCM Software Update method for bringing down insider for business windows 10 enterprise builds but this seems to be restricted to enrolling each end user devices to AAD for insider builds.

  2. Rajul says:

    Nice Blog Shitanshu.

  3. Karthik says:

    The Manged devices numbers look huge. Thanks for sharing Shitanshu 🙂

  4. Mukesh Magoon says:

    Hi Sitanshu
    Great Blog!

Skip to main content