Jun 15 2020 05:44 AM - edited Jun 15 2020 05:46 AM
Hi Tech community
Was wondering if I could get others' views on the best way forward for my company. Looking to bounce some ideas.
Currently working with a local government customer who has Configuration Manager and wants to move to a cloud-based model. Their environment is very much focused around the corporate network. Since COVID they have found numerous issues with their security posture and are trying to find ways to resolve this, prevent users coming in, and IT want to manage their endpoints through the cloud. The customer has invested in EMS E3 and Azure P2 Premium.
They have a number of domain and non-domain computers, most working off-site through an Always On VPN.
They have recently started the journey to Intune and have co-management set up.
Their goals are:
1. The on-premises data centre is disappearing. They want to leverage the cloud wherever possible.
2. They want an easier world of device management.
3. They want to be evergreen and use pilot rings for update management.
4. They want to manage devices using Intune rather than Group Policy, as they want to remove Active Directory and Group Policy.
5. They are on Windows 10 1709 so cannot leverage Autopilot yet. They want to roll out the new version of Microsoft 365 ASAP.
6. Currently having difficulty querying network locations in Configuration Manager: collections vs boundaries. Is there a query available for boundary groups? Can this be managed using Intune?
7. Use NIST guidelines for policy management. All information stored on endpoints is encrypted.
8. About to start on the journey of using Defender ATP to replace the legacy on-prem enterprise AV solution.
So looking at the environment I have come to the conclusion that the following is required, but wanted to bounce some ideas off others more experienced in this field.
Any ideas on how to resolve some of the pain points would be appreciated.
Thanks
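On point 6 (querying boundary groups), here is an added example that is not from the thread or from Microsoft: a PowerShell script that reads boundary groups and their member boundaries from the ConfigMgr SMS Provider and flags empty groups. It assumes the SMS_BoundaryGroup, SMS_BoundaryGroupMembers and SMS_Boundary provider classes with their documented properties, read access to the provider namespace, and a placeholder site code.

```powershell
# Added example (not from the thread): list ConfigMgr boundary groups and their
# member boundaries via the SMS Provider (WMI/CIM), so network locations can be
# reviewed before deciding what moves to Intune.
# Assumptions: run on (or pointed at) a machine hosting the SMS Provider, with an
# account that can read the provider namespace; $SiteCode is a placeholder.
param(
    [string]$ProviderServer = 'localhost',
    [string]$SiteCode = 'XXX'   # placeholder: replace with the real 3-character site code
)

$ns = "root\SMS\site_$SiteCode"

# Boundary type codes as documented for SMS_Boundary.BoundaryType
$boundaryTypes = @{ 0 = 'IPSubnet'; 1 = 'ADSite'; 2 = 'IPv6Prefix'; 3 = 'IPRange' }

$groups     = Get-CimInstance -ComputerName $ProviderServer -Namespace $ns -ClassName SMS_BoundaryGroup
$members    = Get-CimInstance -ComputerName $ProviderServer -Namespace $ns -ClassName SMS_BoundaryGroupMembers
$boundaries = Get-CimInstance -ComputerName $ProviderServer -Namespace $ns -ClassName SMS_Boundary

# Index boundaries by ID so membership rows resolve without repeated provider calls
$byId = @{}
foreach ($b in $boundaries) { $byId[$b.BoundaryID] = $b }

$report = foreach ($g in $groups) {
    $rows = @($members | Where-Object { $_.GroupID -eq $g.GroupID })
    if ($rows.Count -eq 0) {
        # Empty boundary groups are worth flagging: clients in those locations
        # fall back to other groups or get no site assignment at all.
        [pscustomobject]@{ BoundaryGroup = $g.Name; BoundaryType = '(none)'; Boundary = '(empty group)'; Value = '' }
        continue
    }
    foreach ($m in $rows) {
        $b = $byId[$m.BoundaryID]
        [pscustomobject]@{
            BoundaryGroup = $g.Name
            BoundaryType  = $boundaryTypes[[int]$b.BoundaryType]
            Boundary      = $b.DisplayName
            Value         = $b.Value
        }
    }
}

$report | Sort-Object BoundaryGroup, Boundary | Format-Table -AutoSize
```

Pipe `$report` to `Export-Csv` instead of `Format-Table` if the output needs to go into a migration workbook.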
Jun 17 2020 01:39 PM
Jun 18 2020 07:00 AM
@Ru Thanks for the response.
I suppose it's the ideal way, but the way I understand it, for a short time they are going to need to run both CM and Intune. Using co-management/cloud attach sort of makes sense, as it then means they can begin to make that transition.
For existing devices on 1709, would AP make sense for existing devices (I didn't think it was supported on 1709), or wouldn't it be better to deploy a new image from CM, hybrid AD join, and then move that device to Intune-managed going forward, with future deployments through AP?
The reality is this organisation has 5000 users and is on a transformation programme, which means moving from one identity in AD to AAD would mean a lot more work to ensure users can access both legacy and modern systems.
I am open to suggestions if there is a better way for them to move devices to Intune only, ditch CM and use only AAD, but the concern is: what about legacy apps and systems that run on-premises?
I know the customer is keen for client management over the intranet, as it's likely that working remotely will become the norm for their workforce.
Thanks