Sunday, 1 October 2017

Comanagement and migrating from ConfigMgr hybrid to standalone Intune

Comanagement has arrived. It was announced by Microsoft last week at Ignite so we can finally talk about it publicly. This is one of the most important features to be delivered by Microsoft in recent years and will eventually cause a shift in the way that enterprises manage their devices. It is inevitable.

So, what is comanagement?
Quite simply, it is the ability to manage Windows 10 devices with ConfigMgr and Intune AT THE SAME TIME.

Why is comanagement important?
The majority of organizations use Active Directory (with GPO) and ConfgMgr to manage their on premise devices. The Microsoft vision is to manage Windows 10 devices using modern management with Intune. It is expected that comanagement will create a bridge between the two to simplify and reduce the risk of transition to modern management. The expectation is that organizations will transition in a phased manner as they move workloads one at a time (e.g. device compliance).

Some additional jargon: 

Modern management: managing Windows 10 devices using Intune MDM and Configuration Service Providers (CSPs).

Intune Management Extensions: codename Sidecar, these will add to Intune's MDM capability. The first extensions expected will allow administrators to run PowerShell scripts on managed devices and also manage Win32 and .exe applications.

Microsoft 365 Powered devices: these are Windows 10 devices running Office 365 Proplus which are managed by Enterprise Mobility + Security. This is a complete integrated solution and is the future direction for Microsoft.

Windows 10 Autopilot: could replace traditional imaging methods. Users will be able to self-provision their devices simply by authenticating with Azure Active Directory. Intune policies will then be automatically deployed to the devices during provisioning.


Note that comanagement is only supported for organizations that use standalone Intune. Therefore, to avail of this feature, organizations that have a ConfigMgr hybrid must first migrate to standalone Intune. I was very curious to test how much was involved in this.

Migrating from ConfigMgr hybrid to standalone Intune

Step 1 - import ConfigMgr data to Intune.

The Data Importer Tool is an awesome tool that collects data about the objects in your ConfigMgr hierarchy (1610 or later). It then allows you to import your selected objects to Microsoft Intune.
  • Configuration items
  • Certificate profiles
  • Email profiles
  • VPN profiles
  • Wi-Fi profiles
  • Compliance policies
  • Apps
  • Deployments
Download the tool (Microsoft Intune Data Importer.exe, it's less than 5MB) and extract the files.



The first task is to give the Data Importer tool permission in Azure to access resources.



Execute "intunedataimporter.exe -GlobalConsent"


Enter your Global Admin credentials.



Accept the resources that the tool needs access to.



Now launch the tool (intunedataimporter.exe). Start the process.



Review the information that you should be aware of when using the tool.



Enter the ConfigMgr details.


The ConfigMgr objects data is collected.



There are some errors. It will not be possible to import some objects. You can choose to fix the issues or ignore these objects.



This is a summary of the objects to be imported.


Sign in to Intune.



The objects are imported into Intune.

Step 2 - prepare Intune for user migration


This includes-
  • fixing issues discovered during the data collection and import
  • verify the imported objects
  • assigning Intune licenses to migrated users
  • verifying Intune user groups
  • configuring RBAC
  • configuring Exchange Connectors (if required)
Step 3 - change MDM authority to Intune standalone

(Note: before you change the MDM authority for the tenant you should test the process for a subset of users. Follow this process to exclude users from the ConfigMgr collection for testing).

Navigate to Administration > Overview > Cloud Services > Microsoft Intune Subscription


Right click your subscription and select Delete.


Select to Change the MDM Authority to Microsoft Intune.


Accept the warning.


Sign in to Intune.


The subscription has been removed and the MDM Authority has been changed to Intune. Note that it can take up to eight hours for a device to connect to the service after you change to the new MDM authority.

I hope this information was helpful. Until next time.....


4 comments:

  1. Hi Gerry, thank you for this post. I have a question please:
    Does this mean that we must start today on an Intune standalone solution with our customers owning SCCM?

    ReplyDelete
    Replies
    1. Yes, Intune standalone is now the recommended strategy.

      Delete
  2. In an environment where the scep certs are issued by an onprem ndes server, what additional steps are required when migrating to Intune Standalone ?

    ReplyDelete
    Replies
    1. Yes Steven, you will have to configure a new NDES server and install the NDES connector on it. The server that hosts the NDES connector in Intune cannot be the same server that hosts the NDES connector in ConfigMgr. Then you'll have to modify the imported SCEP profiles to reference the new server URL. You'll find all this in the docs.

      https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/migrate-prepare-intune

      Delete