From ConfigMgr to Fully Intune Managed in 2024. Let’s Make That a Reality

If you run Configuration Manager today and are thinking about, or already planning, moving your devices and workloads to Intune, this article is for you. Chances are you have a stable (or near-stable) way of managing devices, patching, and GPOs. Moving those capabilities to the cloud removes on-premises dependencies and infrastructure you have to keep running. Chances are you also hold Enterprise licenses (Microsoft 365 E3, for example) and are looking for ways to make full use of them; the Microsoft Intune components included in them open up a lot of opportunities.

By now you may have seen many blog posts on this topic. I hope this one helps you plan your move to a fully Intune-managed state in the new year (2024).

This article is a high-level overview of moving to an Intune-based solution and of what you need to look at when planning.

An easy way to break down the tasks 👇🏽

  1. Understanding and discovery of your current setup
    1. GPOs
    2. Windows Updates
    3. Current Config Manager Settings (Config, Compliance, and Endpoint Protection)
    4. Apps
    5. SOE
  2. Planning for the move
    1. Licenses
    2. Entra Hybrid Joined
    3. Group Policy Analytics
    4. Understanding Intune Settings Catalog
    5. Entra ID Groups
    6. WUfB or Windows Autopatch? What about Device Drivers
    7. Implementing Autopilot
    8. Config Manager’s CCM Client
    9. Setting up RBAC
  3. Get Set, Co-Managed
    1. Device Enrollment
  4. Go Fully Intune
    1. Get to the Fully Managed Intune Mode
    2. CCM Client Removal
  5. Wrapping Up and Next Steps

In a nutshell, the diagram below gives a high-level view of the process.

Understanding and discovery of your current setup

Discovery plays a huge role in mapping the current state of your environment for a successful cloud journey. It should be a collaborative effort between IT teams: the Helpdesk team, the Infrastructure team, and the Security team, for example. I include the Helpdesk team because they are the first to hear from users when something goes wrong.

GPOs

Legend says that if the GPOs are working as they should, you should never touch them. If one breaks, nobody in the organization knows the history of the policy, and the person who created it no longer works there. Sound familiar? This is the situation in most organizations, because the IT team refrains from making any changes to the GPOs. Chances are many GPOs are outdated, unused, or not applying at all.

For a successful GPO cleanup, every policy needs to be investigated so you can decide whether to keep it or delete it. For every policy you keep, you then have to plan how to move that capability to Intune.
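As an added example (not from the original post), here is the PowerShell inventory I would run before making any keep/delete decision. It uses the RSAT GroupPolicy module to list every GPO, flags the usual cleanup candidates (unlinked, all links disabled, never populated, or fully disabled), and exports the XML report of every remaining GPO to a folder; that XML report is the file format Group Policy Analytics imports in the planning phase. The output folder and the three-year "stale" threshold are assumptions.

```powershell
# Added example, not from the original post. Requires RSAT (GroupPolicy module) and read
# access to the domain. Run from a domain-joined admin workstation.
Import-Module GroupPolicy

$ExportDir = 'C:\GpoDiscovery'   # assumption: where the inventory CSV and XML reports land
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

function Get-GpoInventory {
    # Returns one object per GPO with the facts needed for a keep/delete decision.
    foreach ($gpo in Get-GPO -All) {
        # The XML report carries the link targets (LinksTo) that the Gpo object itself lacks.
        [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links        = @($xml.GPO.LinksTo | Where-Object { $null -ne $_ })
        $enabledLinks = @($links | Where-Object { $_.Enabled -eq 'true' })

        # DSVersion 0 on both sides means no setting was ever written to this GPO.
        $hasComputerSide = $gpo.Computer.DSVersion -ne 0
        $hasUserSide     = $gpo.User.DSVersion -ne 0

        $reasons = @()
        if ($links.Count -eq 0)                               { $reasons += 'Unlinked' }
        elseif ($enabledLinks.Count -eq 0)                    { $reasons += 'AllLinksDisabled' }
        if (-not $hasComputerSide -and -not $hasUserSide)     { $reasons += 'Empty' }
        if ($gpo.GpoStatus -eq 'AllSettingsDisabled')         { $reasons += 'Disabled' }
        if ($gpo.ModificationTime -lt (Get-Date).AddYears(-3)) { $reasons += 'NotModified3Y' }  # assumption: threshold

        [pscustomobject]@{
            Name            = $gpo.DisplayName
            Id              = $gpo.Id
            Status          = $gpo.GpoStatus
            LinkedTo        = ($links.SOMPath -join '; ')
            EnabledLinks    = $enabledLinks.Count
            HasComputerSide = $hasComputerSide
            HasUserSide     = $hasUserSide
            WmiFilter       = $gpo.WmiFilter.Name
            Modified        = $gpo.ModificationTime
            CleanupReason   = ($reasons -join ',')
        }
    }
}

$inventory = @(Get-GpoInventory)
$inventory | Export-Csv -Path (Join-Path $ExportDir 'gpo-inventory.csv') -NoTypeInformation

# Export the XML report of each GPO that is not an obvious cleanup candidate. These files are
# what you import into Intune's Group Policy Analytics later.
$keep = @($inventory | Where-Object { $_.CleanupReason -notmatch 'Unlinked|Empty|Disabled' })
foreach ($g in $keep) {
    $safeName = $g.Name -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $g.Id -ReportType Xml -Path (Join-Path $ExportDir "$safeName.xml")
}

$flagged = @($inventory | Where-Object { $_.CleanupReason }).Count
'{0} GPOs total, {1} flagged for cleanup, {2} exported for Group Policy Analytics' -f $inventory.Count, $flagged, $keep.Count
```

Review the flagged rows with the owners before deleting anything: an unlinked GPO is sometimes kept deliberately as a template, and a GPO with a WMI filter may look unused on one OU while still mattering on another.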

Windows Updates

Windows updates are typically pushed through WSUS as part of your Config Manager solution, unless you use a different product for that. You need to understand the difference between approving patches yourself and letting Windows Update for Business (WUfB) or Windows Autopatch handle it for you. Understanding how to move from WSUS/Config Manager to WUfB matters, because some significant changes have to be made on the device side. For WUfB and Windows Autopatch the change path is essentially the same.

I have explained this under Moving from Config Manager to Windows Autopatch in the blog post below.

Current Config Manager Settings (Config, Compliance, and Endpoint Protection)

Understanding the settings currently used in Config Manager is important, because they have to be re-created in Intune if you want to keep them. Check the Configuration settings, Compliance policies, and Endpoint Protection policies.

Device Collections – If policy settings are applied to device collections, those collections matter because the equivalent targeting scope in Intune is an Entra ID group. Make sure you have a clear understanding of which device group(s) each policy applies to.

Apps

Apps play a significant part in Config Manager. IT teams depend heavily on Config Manager for pushing apps to devices, so this area needs careful investigation. Some questions that make the discovery process easier:

What are the apps?

In-house apps, Microsoft apps, and popular ISV (Independent Software Vendor) apps are the usual types. Some apps have dependencies and prerequisites that must be installed first. How will you handle that?

Win32 Apps

Some apps only ship as an .EXE. If you can't get an .MSI version, you need to wrap the installer with the Microsoft Win32 Content Prep Tool, which produces an .intunewin file that Intune can deploy as a Win32 app.

If you can't find install and uninstall commands for those Win32 apps, reach out to the vendor; most of them document silent/unattended install switches that you can use.

Below is the process, taken from this link, showing the high-level steps of converting an app into a .intunewin file.
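As an added example (not from the original post), here is how I script that packaging step so it is repeatable. It runs the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) with its documented switches and writes a custom detection script next to the package. All paths, the product name and version, and the `/S` silent switch are assumptions for illustration; take the real switches from the vendor's documentation.

```powershell
# Added example, not from the original post. Wraps a vendor .exe into an .intunewin package with the
# Microsoft Win32 Content Prep Tool and writes a matching detection script. Paths, product name,
# version and the silent switch are assumptions.
param(
    [string]$ToolPath    = 'C:\IntuneTools\IntuneWinAppUtil.exe',   # assumption: downloaded prep tool
    [string]$SourceDir   = 'C:\Packaging\ContosoClient\Source',      # assumption: Setup.exe plus its dependencies
    [string]$SetupFile   = 'Setup.exe',                              # assumption
    [string]$OutputDir   = 'C:\Packaging\ContosoClient\Output',      # assumption
    [string]$ProductName = 'Contoso Client',                         # assumption: DisplayName in Programs and Features
    [version]$MinVersion = '2.1.0.0',                                # assumption
    [string]$SilentArgs  = '/S'                                      # assumption: vendor's silent switch
)

foreach ($p in @($ToolPath, (Join-Path $SourceDir $SetupFile))) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Missing file: $p" }
}
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# -c source folder, -s setup file, -o output folder, -q quiet (no interactive prompts).
& $ToolPath -c $SourceDir -s $SetupFile -o $OutputDir -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe failed with exit code $LASTEXITCODE" }

# Detection script for the app's "Use a custom detection script" rule. Intune treats the app as
# installed when the script exits 0 AND writes something to STDOUT; anything else means not installed.
$detection = @'
$product = '__PRODUCT__'
$minVer  = [version]'__MINVER__'
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$hit = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $product } |
    Where-Object {
        $v = $null
        [version]::TryParse([string]$_.DisplayVersion, [ref]$v) -and $v -ge $minVer
    } | Select-Object -First 1
if ($hit) { Write-Output "Detected $($hit.DisplayName) $($hit.DisplayVersion)"; exit 0 }
exit 1
'@
$detection.Replace('__PRODUCT__', $ProductName).Replace('__MINVER__', $MinVersion.ToString()) |
    Set-Content -Path (Join-Path $OutputDir 'Detect-ContosoClient.ps1') -Encoding UTF8

# Command lines to paste into the app's Program tab (assumptions, vendor-specific).
"Install command:   $SetupFile $SilentArgs"
'Uninstall command: take from the vendor documentation'
Get-ChildItem -Path $OutputDir -Filter *.intunewin | Select-Object Name, Length
```

Version-aware detection matters for the upgrade case: a detection rule that only checks the product name reports an old build as "installed" and the new package never runs.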

A cool new feature, coming to general availability soon, is the App Catalog: popular Win32 apps (most of them) can be searched and selected from it, and the install/uninstall commands and detection methods come prefilled, so IT admins don't need to do anything.


New Microsoft App Store

Many ISV apps can be found through the Microsoft Store app (new) option in the Intune Apps section. With this, it is just a matter of selecting the right app and assigning it to a device or user group, which saves a lot of time preparing packages to push to devices.

Who are the users? What apps can be made available via the Company portal?

Some base apps must always be installed, but other apps depend on the user's department or the type of work they do. App assignments can target users or devices, and an app can be made available in the Company Portal so it is only installed when the user actually needs it.

The app assignment options include Required, Available (through the Company Portal), and Uninstall, so removing apps from devices is an option too.

What are the devices?

As above, if the app has no user dependency, use device groups and the app will be installed on the specified devices.

SOE

One of the great advances of Microsoft Intune is Windows Autopilot, and it is also something many IT admins get the terminology wrong about.

No – Intune does not store an image to push to the devices
No – It is not done over the local LAN
Yes – The device needs to have a vanilla OS (Windows 10/11) installed to run Autopilot

The concept is simple:

  1. The IT admin creates the Configuration policies, Endpoint protection policies, Compliance policies, Device restriction policies, and Apps.
  2. The IT admin assigns the policies and apps to users or devices.
  3. When Autopilot runs, the device picks up the assigned apps and policies and applies them according to the Autopilot Deployment profile and the Enrollment Status Page settings.

So, yes – Intune requires an Internet connection, and if you choose the Entra Hybrid Joined option the device also needs line-of-sight to a domain controller during provisioning.

As you can see, it's a big jump from running Task Sequences and imaging via Config Manager. But the great thing is that the device can be SOE'd from anywhere, as long as it has an Internet connection.

These are the main things you need to discover, identify, and plan how to move to the Intune side. It is also a great opportunity to remove what's not needed: outdated or untouched GPOs, old apps that can be replaced with newer apps or versions, and so on. And it is a great opportunity to learn how to manage endpoints securely with less hassle.


Planning for the move

Once discovery is done, you can move on to planning. Again, this needs to be a well-thought-out process, as this is where a lot of the real work happens. I've listed the action items below and expand on each separately.

Licenses

Make sure at least Microsoft Intune Plan 1 is included with your Microsoft 365 licenses (it is part of Microsoft 365 E3/E5 and EMS E3/E5). Plan 1 covers the core Intune features; anything beyond it can be covered later with Intune Plan 2 or the Intune Suite.

Proper Network access – https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints

This is huge! The Intune-related endpoints need to be allowed through your firewall or proxy. This is one of the main items to add to your plan, and you need to get the network and security teams involved for the changes. Also note that Microsoft does not support TLS (SSL) inspection of Intune traffic, so these endpoints typically have to bypass break-and-inspect proxies. Refer to the guide above for the full set of endpoints.
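As an added example (not from the original post), here is a quick check I run from a client on the corporate network before opening the change request. It tests TCP/443 reachability and lets .NET validate the TLS chain for a sample of Intune and Autopilot endpoints; a chain issued by an internal CA is the tell-tale sign of TLS inspection in the path. The endpoint list is a small illustrative subset; the authoritative list is the Microsoft Learn page linked above.

```powershell
# Added example, not from the original post. Checks TCP/443 reachability and TLS chain validation
# for a SAMPLE of Intune/Autopilot endpoints. The list is illustrative, not complete.
$Endpoints = @(
    'login.microsoftonline.com',        # Entra ID authentication
    'enrollment.manage.microsoft.com',  # MDM enrollment
    'portal.manage.microsoft.com',      # Intune device management / Company Portal
    'graph.microsoft.com',              # Microsoft Graph
    'ztd.dds.microsoft.com',            # Windows Autopilot deployment service
    'cs.dds.microsoft.com'              # Windows Autopilot deployment service
)

function Test-IntuneEndpoint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $r = [ordered]@{ Host = $HostName; TcpOpen = $false; TlsValid = $false; Issuer = $null; Note = $null }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # Direct TCP connect: this bypasses a system proxy, so a proxy-only network shows "closed" here.
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out after ${TimeoutMs}ms" }
        $client.EndConnect($ar)
        $r.TcpOpen = $true

        # .NET validates the server chain against the machine trust store. A break-and-inspect proxy
        # shows up either as a validation failure or as a chain issued by an internal CA.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $r.TlsValid = $true
        $r.Issuer   = $cert.Issuer
        # Heuristic (assumption): Microsoft's endpoints chain to Microsoft or DigiCert CAs.
        if ($cert.Issuer -notmatch 'Microsoft|DigiCert') { $r.Note = 'Unexpected issuer: possible TLS inspection' }
        $ssl.Dispose()
    } catch {
        $r.Note = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$r
}

$results = $Endpoints | ForEach-Object { Test-IntuneEndpoint -HostName $_ }
$results | Format-Table -AutoSize

$problems = @($results | Where-Object { -not $_.TcpOpen -or -not $_.TlsValid -or $_.Note })
if ($problems.Count -gt 0) {
    Write-Warning "$($problems.Count) endpoint(s) need firewall/proxy attention; hand this list to the network team."
}
```

Run it from every network segment that will host Autopilot devices (office, VPN, guest Wi-Fi used at OOBE), because allow-lists are typically per egress point.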

Entra Hybrid Joined

Formerly known as Hybrid Azure AD Joined. This is the very first step towards moving your endpoints to Intune, and it gives you the best of both worlds: the device keeps its on-premises AD identity while gaining an Entra ID identity that Intune can manage. It is a quick win and makes enrolling the endpoints in Intune straightforward. You can either go for a controlled rollout or have all synced devices Entra Hybrid Joined.


Group Policy Analytics

This is one of the best features in Intune, in my rating, because it has made moving on-premises GPOs so much easier: chances are you don't need to re-create the same policy by hand in Intune. Now, when I say "chances are", there is a catch. We looked earlier at how GPO settings can be legacy, outdated, or created to manage old Windows settings or operating systems. If you analyze a GPO like that, Intune will report many of its settings as unknown. That's no surprise: Intune manages modern endpoints with modern settings and policies. However, I have often found the equivalent setting in Intune by searching with a few keywords rather than the exact wording used in the GPO, which can be tricky. And Intune is an ever-expanding ecosystem, so a setting that isn't available today may be available next week; that has happened more than once.

Group Policy Analytics reports, per setting, whether it has MDM support and which Intune setting it maps to.

Other settings show as not supported, either because they are not available in Intune or because Intune has already deprecated them.

Once you've reviewed the settings, you can migrate the supported ones into a single Intune configuration policy or into separate policies.

I will be looking at the Settings Catalog next as that will have a direct correlation with the Settings.

Understanding Intune Settings Catalog

Intune ships many policies as Templates, which makes everyone's life easier, and those templates map closely to the Config Manager policy types. The Settings Catalog, however, holds all the settings available in Intune; you can pick the settings you need and build policies around them. As mentioned above, this is where you go when Group Policy Analytics can't find a specific setting from the imported GPO.

In the previous section you identified the policies to move to Intune, and with Group Policy Analytics you can see which of those settings Intune supports.

Entra ID Groups

The main thing to understand here is that assignments target either device groups or user groups. GPOs have OUs and Config Manager has device collections; in Intune it's always Entra ID groups. You can create groups however suits your environment and assign Intune policies to them. I mention such a simple thing because, in the field, I've had many questions about how to do like-for-like in Intune. Some things can be done that way, but the whole idea is Modern Device Management, which goes beyond the legacy management methods.

With Entra ID groups you get capabilities like Dynamic Groups: let a rule manage the membership rather than maintaining it by hand. Dynamic device groups are a great way to manage your Autopilot devices, and dynamic user groups are a great way to manage app assignments. The list goes on, but the idea is to use the Modern Device Management features.
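As an added example (not from the original post), here are the two kinds of dynamic group just described, created with the Microsoft Graph PowerShell SDK: device groups driven by the Autopilot attributes, and a user group driven by the department attribute. The group names, mail nicknames, the `Corporate` group tag and the `Finance` department are assumptions; the membership rule syntax is Entra ID's documented rule language.

```powershell
# Added example, not from the original post. Creates dynamic Entra ID groups for Autopilot devices
# and for department-based app assignment. Names, nicknames, tag and department are assumptions.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome

function New-DynamicSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    # Idempotent: return the existing group if one with this name already exists.
    $existing = Get-MgGroup -Filter "displayName eq '$DisplayName'" -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    $params = @{
        DisplayName                   = $DisplayName
        MailNickname                  = $MailNickname
        MailEnabled                   = $false
        SecurityEnabled               = $true
        GroupTypes                    = @('DynamicMembership')
        MembershipRule                = $MembershipRule
        MembershipRuleProcessingState = 'On'   # start evaluating the rule immediately
    }
    New-MgGroup @params
}

# Autopilot stamps registered devices with physical IDs: [ZTDId] marks any Autopilot device, and
# [OrderID]:<tag> carries the Group Tag given at registration. Routing by tag is the cleanest way
# to send devices to different Autopilot profiles (for example 'Corporate' vs 'Kiosk').
$definitions = @(
    @{ DisplayName = 'Autopilot - Corporate';      MailNickname = 'autopilot-corporate'
       MembershipRule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:Corporate"))' }
    @{ DisplayName = 'Autopilot - All Registered'; MailNickname = 'autopilot-all'
       MembershipRule = '(device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))' }
    # User rule for department-based app assignment. Requiring accountEnabled keeps disabled
    # accounts from holding assignments (and licences) they no longer need.
    @{ DisplayName = 'Apps - Finance Users';       MailNickname = 'apps-finance-users'
       MembershipRule = '(user.department -eq "Finance") and (user.accountEnabled -eq true)' }
)

$groups = foreach ($d in $definitions) { New-DynamicSecurityGroup @d }
$groups | Select-Object DisplayName, Id, MembershipRule
```

Membership is evaluated by the service a few minutes after creation, and an Autopilot device only appears in the group once its registration has produced the Entra device object, so don't judge the rule by an empty member list in the first minutes.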

WUfB or Windows Autopatch? What about Device Drivers

As mentioned initially, it is essential to plan Windows Update management in Intune before you move the Windows Update workload to Intune in the co-management settings. Once the workload is moved, Intune must be ready to manage updates seamlessly: make sure the Windows Update for Business rings are created and the devices are assigned to them. If you plan to use Windows Autopatch, make sure the tenant has been onboarded to the feature. Device preparation for WUfB and Windows Autopatch is essentially the same: once the WSUS remnants (the WSUS server policy settings on the device) are gone, the device gets its updates through the update rings.

This applies to Microsoft 365 Apps as well; with Autopatch those policies get created for you. Please check my full Windows Autopatch Guide to learn more about this technology.

Device driver updates are also done via Intune now. This is great, because IT admins can manually approve drivers or auto-install them depending on the policy setting, and the best part is that the drivers come straight from the device manufacturer rather than being generic drivers. How cool is that?

Implementing Autopilot

Simply put, Autopilot eliminates the process of running a Task Sequence and imaging devices with Config Manager, and it is playing an ever bigger role in Intune. It helps you respond quickly to device requests from users, and the process is easy to follow. The good part is that the policies and apps you created can be applied during the Autopilot process, so the device is fully compliant in no time.

Creating the Autopilot deployment profiles is important. For Autopilot to pick up a device, that device must first be registered with the Autopilot service. Either the reseller uploads the hardware hashes for you or you upload them manually; once registered, dynamic device groups pull the devices into the right Autopilot profile assignment.
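As an added example (not from the original post), here is the manual registration path for the devices a reseller did not register: collecting the hardware hash from the device itself and writing it to a CSV in the exact shape the Intune import accepts. The output path and the `Corporate` group tag are assumptions. For day-to-day use, the supported Get-WindowsAutopilotInfo script from the PowerShell Gallery does the same job and can upload directly with `-Online`; the point here is to show what it is doing.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell on the device
# (for example Shift+F10 at OOBE). Output path and Group Tag are assumptions.
param(
    [string]$OutputFile = 'C:\Autopilot\AutopilotHWID.csv',   # assumption
    [string]$GroupTag   = 'Corporate'                          # assumption: feeds the [OrderID] dynamic group rule
)

function Get-AutopilotRegistrationRow {
    param([string]$GroupTag)
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

    # The MDM WMI bridge exposes the hardware hash as DeviceHardwareData; reading it requires elevation.
    $query = @{
        Namespace = 'root/cimv2/mdm/dmmap'
        ClassName = 'MDM_DevDetail_Ext01'
        Filter    = "InstanceID='Ext' AND ParentID='./DevDetail'"
    }
    $devDetail = Get-CimInstance @query
    if (-not $devDetail.DeviceHardwareData) {
        throw 'Hardware hash not available; run from an elevated prompt on Windows 10/11.'
    }

    # Column names match the import template. Windows Product ID is optional and left blank.
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $devDetail.DeviceHardwareData
        'Group Tag'            = $GroupTag
    }
}

function Export-AutopilotCsv {
    param([Parameter(Mandatory)][object[]]$Rows, [Parameter(Mandatory)][string]$Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # The import expects unquoted fields, so strip the quotes ConvertTo-Csv adds
    # (the Get-WindowsAutopilotInfo script does the same).
    $lines = $Rows | ConvertTo-Csv -NoTypeInformation | ForEach-Object { $_ -replace '"', '' }
    if (Test-Path $Path) { $lines | Select-Object -Skip 1 | Add-Content -Path $Path -Encoding ASCII }  # append without a second header
    else                 { $lines | Set-Content -Path $Path -Encoding ASCII }
}

$row = Get-AutopilotRegistrationRow -GroupTag $GroupTag
Export-AutopilotCsv -Rows @($row) -Path $OutputFile
"Appended $($row.'Device Serial Number') to $OutputFile"
```

Treat the resulting CSV as sensitive: whoever can register a hash under your tenant decides which devices your Autopilot profiles will trust, so upload it promptly and don't leave copies on shared drives.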

Config Manager’s CCM Client

Plan how to remove the device from Config Manager and uninstall the CCM client; only then is the device fully Intune managed. This can be done with a GPO, a startup script, an Intune PowerShell script, or any other effective method.

Setting up RBAC

Do not forget that the Intune Administrator role has FULL ACCESS to Microsoft Intune. You may need to segregate access for your IT teams so they can perform only the tasks they are meant to; Intune's built-in RBAC roles (Help Desk Operator, Application Manager, and so on) and scope tags exist for exactly that. This is planning of its own, because handing a privileged account to everyone who needs to manage devices is not recommended. It is best to plan this sooner rather than later.
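As an added example (not from the original post), here is the read-only audit I run before designing the RBAC model: who holds tenant-wide Intune power through the Intune Administrator and Global Administrator directory roles, and which Intune RBAC role assignments already exist with their admin groups and scope groups. It uses the Microsoft Graph PowerShell SDK with the documented `/deviceManagement/roleAssignments` endpoint; the "more than five" warning threshold is an assumption.

```powershell
# Added example, not from the original post. Read-only audit of Intune administrative access using
# the Microsoft Graph PowerShell SDK. The warning threshold is an assumption.
Import-Module Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'DeviceManagementRBAC.Read.All', 'Group.Read.All' -NoWelcome

function Get-DirectoryRoleHolders {
    param([Parameter(Mandatory)][string]$RoleName)
    # A directory role only exists as an object once it has been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$RoleName'"
    if (-not $role) { return @() }
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [pscustomobject]@{
            Role        = $RoleName
            DisplayName = $_.AdditionalProperties['displayName']
            Upn         = $_.AdditionalProperties['userPrincipalName']
            ObjectType  = ($_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
        }
    }
}

function Resolve-GroupNames {
    param([string[]]$Ids)
    @($Ids | ForEach-Object { (Get-MgGroup -GroupId $_ -ErrorAction SilentlyContinue).DisplayName }) -join '; '
}

function Get-IntuneRoleAssignments {
    # Intune RBAC lives under /deviceManagement and is separate from Entra directory roles.
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments?$expand=roleDefinition'
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($a in $page.value) {
            [pscustomobject]@{
                Assignment  = $a.displayName
                Role        = $a.roleDefinition.displayName
                AdminGroups = Resolve-GroupNames $a.members          # who receives the role
                ScopeGroups = Resolve-GroupNames $a.resourceScopes   # which devices/users they may touch
            }
        }
        $uri = $page.'@odata.nextLink'
    } while ($uri)
}

$holders = @('Intune Administrator', 'Global Administrator' | ForEach-Object { Get-DirectoryRoleHolders -RoleName $_ })
'=== Tenant-wide Intune access (directory roles) ==='
$holders | Format-Table -AutoSize
if ($holders.Count -gt 5) {   # assumption: threshold
    Write-Warning 'More than a handful of tenant-wide admins; move day-to-day tasks to scoped Intune RBAC roles.'
}

'=== Intune RBAC role assignments (admin group -> scope group) ==='
Get-IntuneRoleAssignments | Format-Table -AutoSize
```

A healthy end state is a short first table (break-glass and a few platform owners) and a second table where every helpdesk or app team appears with a role narrower than Intune Administrator and a scope group that matches the devices they actually support.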


Get Set, Co-Managed

The co-managed state should be temporary. Yes, it should. This is where you pilot and understand how the workloads behave. Once the pilot is done, it's time to get all devices enrolled in and managed by Intune.

Once automatic enrollment is set to All and the workloads are switched to Intune, the Config Manager dependency is pretty much gone and you can start planning to decommission the servers.


Device Enrollment

As part of the co-management setup, device enrollment is the next thing to look at: endpoints enroll in Intune once the necessary settings are in place. The Cloud Attach configuration itself gives you the option to auto-enroll co-managed devices in Intune, so devices are enrolled as they become co-managed. Here you can start with a Pilot collection and then move to All. The idea is not to keep adding devices to the Pilot collection indefinitely; once the pilot is done, switch to All so every device is automatically enrolled in Intune.

Go Fully Intune

Get to the Fully Managed Intune Mode

As mentioned earlier, once the pilot is done and you are satisfied with what you get in Intune, it is time to flip the workload sliders to Intune with automatic enrollment set to All. As a good practice, don't keep adding devices to the Pilot collection; that way Config Manager never gets decommissioned. Instead, change the options as I've explained.

CCM Client Removal

Once the device is no longer managed by Config Manager, remove the device record from Config Manager and uninstall the CCM client from the endpoint, so the device has no remaining ties to Config Manager.
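As an added example (not from the original post) covering both the planning item under "Config Manager's CCM Client" and this step, here is a removal script written to run as SYSTEM through an Intune PowerShell script. It refuses to uninstall unless the device has an Intune MDM enrollment and the co-management flags show every workload moved to Intune, so a device can never end up managed by nothing. The log path is an assumption, and the CoManagementFlags bit values are the commonly documented ones; confirm them against your Config Manager version.

```powershell
# Added example, not from the original post. Safe CCM client removal for a device that is already
# fully Intune managed. Log path is an assumption; flag bit values per common documentation.
$LogFile = "$env:ProgramData\CcmRemoval.log"   # assumption
function Write-Log {
    param([string]$Msg)
    $line = "$(Get-Date -Format s) $Msg"
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

function Test-IntuneEnrolled {
    # Intune MDM enrollments live under HKLM\SOFTWARE\Microsoft\Enrollments with ProviderID 'MS DM Server'.
    $hits = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }
    return [bool]$hits
}

function Get-CoManagementState {
    # Bit 1 = co-management enabled; bits 2..128 = the seven workloads; 255 = everything on Intune.
    $flags = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags
    $workloads = [ordered]@{
        CompliancePolicies = 2; ResourceAccess = 4; DeviceConfiguration = 8; WindowsUpdate = 16
        EndpointProtection = 32; ClientApps = 64; Office365Apps = 128
    }
    $state = [ordered]@{ Flags = $flags; CoManaged = [bool]($flags -band 1); AllOnIntune = (($flags -band 255) -eq 255) }
    foreach ($w in $workloads.GetEnumerator()) { $state[$w.Key] = [bool]($flags -band $w.Value) }
    [pscustomobject]$state
}

function Remove-CcmClient {
    $ccmsetup = Join-Path $env:windir 'ccmsetup\ccmsetup.exe'
    if (-not (Test-Path $ccmsetup)) { Write-Log 'ccmsetup.exe not found; nothing to uninstall.'; return }

    # ccmsetup.exe /uninstall hands off to a background ccmsetup process; wait until none is left.
    Start-Process -FilePath $ccmsetup -ArgumentList '/uninstall' -Wait
    while (Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 10 }

    $leftovers = @()
    if (Get-Service -Name CcmExec -ErrorAction SilentlyContinue) { $leftovers += 'CcmExec service' }
    if (Test-Path (Join-Path $env:windir 'CCM'))                  { $leftovers += "$env:windir\CCM" }
    if ($leftovers.Count -gt 0) {
        Write-Log "Uninstall finished but left: $($leftovers -join ', '). See $env:windir\ccmsetup\Logs\ccmsetup.log"
        exit 1
    }
    Write-Log 'CCM client removed. Delete the device record in the Config Manager console as well.'
}

# --- main: guard rails first, then uninstall ---
if (-not (Test-IntuneEnrolled)) { Write-Log 'No Intune MDM enrollment found; aborting.'; exit 1 }
$co = Get-CoManagementState
Write-Log ('CoManagementFlags={0} AllOnIntune={1}' -f $co.Flags, $co.AllOnIntune)
if (-not $co.AllOnIntune) { Write-Log 'Not every workload is on Intune yet; aborting.'; exit 1 }
Remove-CcmClient
exit 0
```

Deploying this as an Intune script to the same Entra ID group you use for the fully migrated devices gives you a natural order of operations: the device only receives the uninstaller because Intune already manages it. The device record in the Config Manager console is server-side and still has to be deleted separately, otherwise it lingers in collections and reports.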

Wrapping Up and Next Steps

Doing your due diligence ahead of time and understanding how Intune works will help you make the move sooner and, more importantly, accurately. It also removes on-premises footprint, which is a great thing.

If you start your planning now, you can achieve some small wins soon, which will add up to the final goal of getting rid of Config Manager.

As a next step, you can look at moving devices from Entra Hybrid Joined to Entra Joined. This is what I like to call God Mode: no dependency on a sync engine, on-premises AD, or other factors, and you get the full benefit of the cloud.

Hopefully I've covered all the factors required for the move. I hope this helps you plan it easily and get through 2024 without Config Manager in the environment 😊

Check out my clickable infographic on Microsoft Intune where I have added items from Microsoft Learn.

