MDE deployment with Intune and SCCM client

Brass Contributor

Hello All,


We want to deploy MDE with Intune. All devices have the SCCM client installed and configured. In this scenario, is enabling co-management a must?

Please guide. Thanks

Not a must, but one of the recommended paths. Sorry, I believe you asked the same question earlier in another thread and I forgot to come to you. Have you looked at the official docs for setting up Co-management? https://learn.microsoft.com/en-us/mem/configmgr/comanage/overview

@rahuljindal-MVP


Thanks for taking your time and response.


We attempted co-management setup but faced issues with WinHTTP due to proxy settings, leading us to proceed with tenant attach without co-management.

For configuring tenant attach in SCCM, we should set policies in Intune under "Windows 10, Windows 11, and Windows Server (ConfigMgr)," correct? Policies labeled without "ConfigMgr" won't apply, right?


Please share your thoughts on this approach.

Thanks.

That is correct. What is the issue involving winhttp? You also have the option to use security settings management in Defender which doesn’t require hybrid join or enrolment of devices in Intune.

@rahuljindal-MVP
Many internal URLs were not opening due to WinHTTP. We want to use Intune to get most of its features. If we can utilise all features of Intune while using security configuration management in Defender, can you please share some useful links on how to achieve it?
Thanks
Did you whitelist the URLs for Defender and Intune in WinHTTP?

As for Security settings management, here is the official link - https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration
@rahuljindal-MVP
Since they are using a proxy, we have already allowed the URLs. They had issues with internal URL access for many of their applications.
Have you looked at streamlined connectivity for onboarding on Defender? https://learn.microsoft.com/en-us/defender-endpoint/configure-device-connectivity
@rahuljindal-MVP
Please excuse me for not being able to respond yesterday. We have tried this approach, but it did not work for the client. They are using a proxy for internet access.

Currently we are configuring tenant attach in Configuration Manager. One of the prerequisites for tenant attach is to set up the administration service, which requires access to it from the internet.
https://learn.microsoft.com/en-us/mem/configmgr/tenant-attach/prerequisites
https://learn.microsoft.com/en-us/mem/configmgr/develop/adminservice/set-up
Do we need to enable internet access from SCCM server only or for all devices?

Can you please confirm whether we need to enable internet access for tenant attach from SCCM server only or all the devices, as per following link?
https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/network/internet-endpoints#tenant-a...

Thanks.
My advice will be to address your proxy first. Regardless of which enrolment method you take, endpoints will need unrestricted access to Intune and Defender Cloud URLs.
@rahuljindal-MVP
Thanks, and I agree with addressing the proxy issues. Most of the methods require a hybrid Entra setup, which requires WinHTTP, and we are facing issues there.

Can you please guide on the below as well,
While trying to enroll in Intune with Group Policy (as per the link below: https://learn.microsoft.com/en-us/windows/client-management/enroll-a-windows-10-device-automatically...), the device must be registered to Azure AD.
We can manually add the Work/School account and do that, but it is not practical. Can you guide us on whether there is a better approach to register all domain-joined devices to Azure AD in bulk?
Many thanks.
That is where co-management comes in handy. Is manual work place join working for you and allowing the devices to hybrid join? If proxy is blocking hybrid join in general, then I don't expect the manual process to work either. All of this will require unrestricted access to Azure cloud services so unless that is sorted, I am afraid you will continue to face issues.
@rahuljindal-MVP

Manual workplace join is working, and the devices in AAD are of the Microsoft Entra hybrid joined type.

We have allowed the Microsoft Defender for Endpoint URL list for commercial customers (Standard) via proxy, as per this link: https://learn.microsoft.com/en-us/defender-endpoint/configure-environment

Then co-management should work as well. Is it set up correctly?
@rahuljindal-MVP
As part of the co-management config, hybrid AAD was set up, and since they are using a proxy, we had to configure WinHTTP. After configuring WinHTTP, they had issues accessing several internal application URLs/applications.
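The symptom described above (internal application URLs breaking once a WinHTTP proxy is set) is usually a missing bypass list: WinHTTP has its own proxy setting, separate from the user's browser/WinINET settings, and without a bypass list every request, including internal hostnames, is sent to the proxy. The following PowerShell script is an added example, not something posted in this thread or published by Microsoft. It records the current WinHTTP proxy, applies the proxy together with a bypass list for the internal domain, and then checks that the cloud URLs still answer through the proxy. The proxy address, internal domain and URL list are placeholders; the URLs to check should be taken from the Defender and Intune endpoint lists linked in this thread.

```powershell
# Added example (not from this thread): set the WinHTTP proxy WITH a bypass list so
# internal application URLs stay direct while Defender/Intune traffic uses the proxy,
# then verify the cloud endpoints are reachable through that proxy.
# All values below are placeholders, to be replaced with the customer's own.
param(
    [string]$ProxyServer = "proxy.corp.example:8080",            # placeholder proxy host:port
    [string[]]$InternalBypass = @("*.corp.example", "<local>"),   # placeholder internal domain
    [string[]]$CloudUrls = @(
        # Replace with entries from the Defender/Intune endpoint lists; this one only
        # proves that the proxy itself passes HTTPS traffic to Microsoft.
        "https://learn.microsoft.com/en-us/defender-endpoint/configure-environment"
    )
)

# 1. Record the existing WinHTTP proxy so the change can be reverted
#    (revert with: netsh winhttp reset proxy).
$before = netsh winhttp show proxy
Write-Host "WinHTTP proxy before change:`n$before`n"

# 2. Apply the proxy together with a semicolon-separated bypass list.
#    '<local>' keeps single-label (intranet) hostnames direct; the wildcard keeps the
#    whole internal DNS suffix direct, which is what was missing in the scenario above.
$bypass = $InternalBypass -join ";"
netsh winhttp set proxy proxy-server="$ProxyServer" bypass-list="$bypass" | Out-Null
Write-Host "WinHTTP proxy after change:`n$(netsh winhttp show proxy)`n"

# 3. Verify that each cloud URL answers when routed explicitly through the proxy.
#    A FAIL here means the proxy (or its allow list) is blocking the endpoint, not WinHTTP.
foreach ($url in $CloudUrls) {
    try {
        $resp = Invoke-WebRequest -Uri $url -Proxy "http://$ProxyServer" -UseBasicParsing -TimeoutSec 15
        Write-Host ("OK   {0} -> HTTP {1}" -f $url, $resp.StatusCode)
    } catch {
        Write-Host ("FAIL {0} -> {1}" -f $url, $_.Exception.Message)
    }
}
```

Run it in an elevated PowerShell session on one pilot device before rolling the setting out (the WinHTTP setting is machine-wide and persists across reboots). The Defender sensor and other system services read the WinHTTP setting, so the bypass list is what prevents internal hostnames from being sent to the proxy; the `Invoke-WebRequest` check only confirms that the proxy allows the cloud URLs, and a service-level connectivity test should still be done with the vendor's own tooling.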
@rahuljindal-MVP

We are configuring tenant attach. As part of the prerequisites, it requires the administration service to be set up and functional in Configuration Manager.
https://learn.microsoft.com/en-us/mem/configmgr/tenant-attach/prerequisites

In the article on setting up the administration service, it mentions, "Some scenarios require access to the administration service from the internet, such as tenant attach".
https://learn.microsoft.com/en-us/mem/configmgr/develop/adminservice/set-up#enable-internet-access

Does it require internet access just for administration purposes, or for which other functions? Is it a must to provide internet access to the administration service?
Please guide if you can. Thanks.