What Would It Take To Move From SCCM To Intune


Carli Barentine

Dec 8, 2023, 4:03:48 AM12/8/23
to Machinekit

The Microsoft BitLocker Administration and Monitoring (MBAM) tools have gone out of mainstream support, and any cloud-first, forward-thinking company will likely be looking to escrow the existing and future BitLocker recovery keys to Azure AD / Microsoft Endpoint Manager Intune. Others might just be storing them in on-prem AD instead, but that is not what I would suggest you do, as it limits your insights substantially once MBAM is removed.

Download https://bltlly.com/2wJ76j



It is still not clear how the key rotation mechanism should work. Currently we have MBAM with a GPO in place, and key rotation is controlled by MBAM.
So we uploaded the recovery keys to Azure AD and applied a new BitLocker policy from MDM.
But what happens to the key rotation mechanism in this case?
MBAM stops rotating when the Intune policies take precedence, right?
And does that mean that when someone obtains the key, the new one should be generated in Azure?
It seems the topic raises a lot of questions about how to correctly retire MBAM after that.

That would be a way, yes; just note that not all BitLocker settings from MBAM may revert properly (this has been my experience in some cases).
So if you are having big issues, try testing on a fresh machine that has never had the MBAM policy applied. Then you can start figuring out which policies you need to undo manually or with another GPO.

Autopilot
Part of the journey from classic to modern management is OS deployment. Traditionally, IT departments would take new devices acquired from an OEM with Windows Pro preinstalled, wipe those devices and deploy their own customized Windows image. This requires gathering the correct drivers for all the different hardware platforms and managing and maintaining multiple images, which means a lot of manual work and maintenance.

Technology and Productivity Score
Do you know what the end-user experience is in your business? How long does it take for their PC to start, and how often do they have problems with the applications they need to do their work? Most IT departments rely on helpdesk statistics for this insight, but that is a slow and expensive signal, where it can take days for IT to grasp the magnitude of a problem. Additionally, users often "suffer in silence." The new Technology score service in MEM will give IT performance and reliability data from all devices, with analytics providing suggestions for improving boot times (replace HDDs with SSDs, fix agents that slow down start-up, and alter GPOs that take a long time to process). It will also allow you to create (or adapt from the community) PowerShell scripts with remediations for particular issues that your helpdesk can run.

Hi @bondy666, I'm happy to do a remote Quick Assist session to take a look if you want, and yes, the djoin variables are for an on-premises account; ideally I'd like to remove that from the script altogether, but I haven't got around to it yet.

In conclusion, you can have the workload moved to Intune but still evaluate compliance from both to give a combined result. To get the most out of this, you would also leverage Conditional Access to control access to corporate resources by allowing only compliant devices access.

You have two options to get the device back into compliance. The first is, obviously, to do whatever Configuration Manager is checking for to bring the device back into compliance. The second is to simply no longer require Configuration Manager compliance as part of your compliance policy. If you set that compliance policy setting to Not configured, the device compliance status will go from Not Compliant to Not Evaluated until the device can run the Intune-only compliance policy and return to a compliant state.

Other Announcements
Anderson said that Microsoft is planning to publish its best practices for desktop management, derived from what it has learned from its Microsoft Managed Desktop customers. The Microsoft Managed Desktop service, in which Microsoft acts as a managed service provider and takes over the desktop management role from IT, got started last year.

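Added example, not part of the post above and not MBAM's or Microsoft's own tooling: the step the post calls "uploading recovery keys to Azure AD", written as a PowerShell script that runs locally on the device. It relies only on the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector) and assumes the device is Azure AD joined or hybrid Azure AD joined, since the escrow call fails otherwise. The event-log check at the end assumes that event ID 845 in the Microsoft-Windows-BitLocker/BitLocker Management log is the record of a successful Azure AD backup; confirm that against your own log before wiring it into reporting.

```powershell
#Requires -RunAsAdministrator
# Added example: escrow every BitLocker recovery password on this device to
# Azure AD (Entra ID). Assumes the device is Azure AD joined or hybrid joined.

$results = foreach ($vol in Get-BitLockerVolume) {
    # Only volumes with protection actually on have a key worth escrowing.
    if ($vol.ProtectionStatus -ne 'On') {
        [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $null; Status = 'Skipped (protection off)' }
        continue
    }

    # A TPM-only volume has no numerical recovery password; add one so there is
    # something to escrow and something a helpdesk can read back from Azure AD.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        try {
            # One backup call per recovery password protector; the key protector
            # GUID is what shows up next to the key in the Azure AD device record.
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            $status = 'Escrowed to Azure AD'
        }
        catch {
            # Typical causes: device not Azure AD/hybrid joined, or no network.
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $p.KeyProtectorId; Status = $status }
    }
}

$results | Format-Table -AutoSize

# Cross-check against the BitLocker management log. Assumption: ID 845 is the
# "recovery information backed up successfully to your Azure AD" event.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it elevated on a test machine first, ideally one that never had the MBAM GPO applied, as the reply above suggests. On the rotation question raised in the post: once the MBAM agent and its GPO are gone, nothing rotates the recovery password on its own. The replacement is the Intune BitLocker policy setting for client-driven recovery password rotation, which generates a new recovery password after one has been used to unlock the drive and escrows the new one to Azure AD, so a key that was read out of the portal for a recovery does not stay valid afterwards.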