Forum Discussion
drivesafely
Aug 10, 2024 Iron Contributor
MDE deployment with Intune and SCCM client
Hello All, We want to deploy MDE with Intune. All devices have the SCCM client installed and configured. In this scenario, is enabling co-management a must? Please guide. Thanks
drivesafely
Aug 11, 2024 Iron Contributor
rahuljindal
Since they are using a proxy, we have already allowed the URLs. They had issues with internal URL access for many of their applications.
rahuljindal
Aug 11, 2024 Bronze Contributor
Have you looked at streamlined connectivity for onboarding on Defender? https://learn.microsoft.com/en-us/defender-endpoint/configure-device-connectivity
drivesafely
Aug 13, 2024 Iron Contributor
rahuljindal
We are configuring tenant attach. As part of the prerequisites, it requires the administration service to be set up and functional in Configuration Manager.
https://learn.microsoft.com/en-us/mem/configmgr/tenant-attach/prerequisites
In the article to setup administration services, it mentions, "Some scenarios require access to the administration service from the internet, such as tenant attach".
https://learn.microsoft.com/en-us/mem/configmgr/develop/adminservice/set-up#enable-internet-access
Does it require internet access just for administration purposes, or for other functions as well? Is it a must to provide internet access to the administration service?
Please guide if you can. Thanks.
drivesafely
Aug 13, 2024 Iron Contributor
rahuljindal
As part of the co-management configuration, hybrid AAD was set up, and since they are using a proxy, we had to configure WinHTTP. After configuring WinHTTP, they had issues accessing several internal application URLs.
rahuljindal
Aug 13, 2024 Bronze Contributor
Then co-management should work as well. Is it set up correctly?
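The WinHTTP proxy step discussed in the exchange above, as an added example that is not part of the thread. The hybrid join task and the Defender for Endpoint sensor run as SYSTEM, so they use the machine-wide WinHTTP proxy rather than the signed-in user's browser (WinINET) setting; the usual way to keep internal applications reachable after pointing WinHTTP at the proxy is a bypass list for internal suffixes and ranges. The proxy host and port and the internal DNS suffixes below are placeholders; the three URLs checked are the documented Microsoft Entra hybrid join endpoints.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Placeholders: replace the proxy and the internal suffixes with your own values.
$ProxyServer = 'proxy.corp.example:8080'
# "<local>" bypasses single-label hostnames; the other entries are internal
# DNS suffixes and address ranges that must not be sent through the proxy.
$BypassList  = '<local>;*.corp.example;10.*;192.168.*'

# Current machine-wide (SYSTEM) WinHTTP setting, before any change
netsh winhttp show proxy

# Point WinHTTP at the proxy while keeping internal destinations direct
netsh winhttp set proxy "proxy-server=$ProxyServer" "bypass-list=$BypassList"

# Alternative when the user-level WinINET proxy is already correct:
#   netsh winhttp import proxy source=ie
# Roll back to direct access:
#   netsh winhttp reset proxy

# Check that the hybrid join endpoints are reachable through that proxy
$Endpoints = @(
    'https://enterpriseregistration.windows.net',
    'https://login.microsoftonline.com',
    'https://device.login.microsoftonline.com'
)
foreach ($Url in $Endpoints) {
    try {
        $Response = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing `
            -Proxy "http://$ProxyServer" -TimeoutSec 15
        Write-Host ("{0,-48} {1}" -f $Url, $Response.StatusCode)
    } catch {
        Write-Host ("{0,-48} FAILED: {1}" -f $Url, $_.Exception.Message)
    }
}

# Optionally re-run the hybrid join task instead of waiting for its schedule
#   Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'

# Device registration state: hybrid joined means AzureAdJoined and DomainJoined
# are both YES; AzureAdPrt : YES confirms the user obtained a Primary Refresh Token.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|AzureAdPrt|TenantName'
```

If an internal application still breaks after this, its hostname or address range is missing from the bypass list; WinHTTP applies the list to the destination host only, so wildcards must match the name the application actually connects to.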
drivesafely
Aug 13, 2024 Iron Contributor
rahuljindal
Manual workplace join is working, and the devices in AAD are of the Microsoft Entra hybrid joined type.
We have allowed the Microsoft Defender for Endpoint URL list for commercial customers (Standard) via the proxy, as per this link: https://learn.microsoft.com/en-us/defender-endpoint/configure-environment
rahuljindal
Aug 13, 2024 Bronze Contributor
That is where co-management comes in handy. Is manual workplace join working for you and allowing the devices to hybrid join? If the proxy is blocking hybrid join in general, then I don't expect the manual process to work either. All of this will require unrestricted access to Azure cloud services, so unless that is sorted, I am afraid you will continue to face issues.
drivesafely
Aug 13, 2024 Iron Contributor
rahuljindal
Thanks, and I agree on addressing the proxy issues. Most of the methods require a hybrid Entra setup, which requires WinHTTP, and we are facing issues there.
Can you please guide on the below as well,
While trying to enroll to Intune with Group Policy (as per the link below: https://learn.microsoft.com/en-us/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy), the device must be registered to Azure AD.
We can manually add the Work/School account and do that, but it is not practical. Can you guide us on whether there is a better approach to register all domain-joined devices to Azure AD in bulk?
Many thanks.
rahuljindal
Aug 12, 2024 Bronze Contributor
My advice will be to address your proxy first. Regardless of which enrolment method you take, endpoints will need unrestricted access to Intune and Defender cloud URLs.
drivesafely
Aug 12, 2024 Iron Contributor
rahuljindal
Please excuse me for not being able to respond yesterday. We have tried this approach, but it did not work for the client. They are using a proxy for internet access.
Currently we are configuring tenant attach in Configuration Manager. One of the prerequisites for tenant attach is to set up the administration service, and it requires access to it from the internet.
https://learn.microsoft.com/en-us/mem/configmgr/tenant-attach/prerequisites
https://learn.microsoft.com/en-us/mem/configmgr/develop/adminservice/set-up
Do we need to enable internet access from the SCCM server only, or for all devices?
Can you please confirm whether we need to enable internet access for tenant attach from the SCCM server only or from all the devices, as per the following link?
https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/network/internet-endpoints#tenant-attach
Thanks.