Moving away from CM to Intune

Brass Contributor

Hi Tech community


Was wondering if I could get other's views on best way forward for my company. Looking to bounce some ideas. 


Currently working with a local government customer who has configuration manager and wants to move to a cloud based model. Their environment is very much focused around corporate network. Since COVID they found numerous issues with their security posture and trying to find ways to resolve this, prevent users coming in and IT want to manage their endpoints through the cloud. The customer has invested in EMS E3 and Azure P2 premium. 


They have a number of domain and non domain computers, most working off site through a Always on VPN.


Have recently started the journey to Intune and have co-management setup. 


There Goals are:


1. On-premises data centre disappearing. Want to leverage cloud wherever possible. 

2. Want an easier world of device management.

3. Want to be evergreen and use pilot rings for update management.

4. want to manage devices using Intune rather than Group policy as they want to remove active directory and group policy. 

5. They are on Windows 10 1709 so cannot leverage Autopilot yet....They want to rollout new version of Microsoft 365 asap. 

6. Currently having difficulty querying network locations in configuration manager. Collections vs boundaries. Is there a query available for boundary groups? Can this be managed using Intune. 

7. Use NIST guidelines for policy management. All information stored on endpoints is encrypted. 

8. About to start on journey using Defender ATP to replace legacy on-prem AV enterprise solution. 


So looking at the environment I have come up with the conclusion that the following is required but wanted to bounce some ideas with others more experienced in this field.


  1. get current with CM, check Co-management settings and check current Azure AD connect settings.
  2. Accelerate deployment using Intune. First build an image in CM for newer version of Windows 10, once rolled out and Hybrid AD joined take advantage of AP and manage in Intune. 
  3. Want to manage workgroup devices - Feasibility of tenant/cloud attach vs CMG Cloud management Gateway.
  4. Intune setup for automatic enrolment.
  5. Enable co-management automatic enrolment from pilot to All , Decide what Intune and what CM will manage

Any ideas on how to resolve some of the pain points would be appreciated.












2 Replies
Hey, quite a lot to cover in this but my first question is, if the first objective is to go cloud-only with no datacentre, why not go for Azure AD Joined via Autopilot instead of Hybrid Azure AD Joined? What do you need using ConfigMgr/on prem Domain Services that AAD and Intune can't do?

@Ru Thanks for the response.


I suppose its the ideal way but the way I understand it for a short time they going to need to run both CM and Intune using Co-management/cloud attach sort of makes sense as it then means they can begin to make that transition. 


For existing devices on 1709, would AP make sense using AP for existing devices (I didnt think it was supported on 1709) or wouldn't it be better to deploy a new image from CM, hybrid AD join and then move that device as Intune managed going forward with future deployments through AP. 


The reality is this organisation has 5000 users and is on a transformation programme which means moving from one identity in AD to AAD would mean a lot more work to ensure users can access both legacy systems and modern. 


I am open to suggestions if there is a better way for them to move devices to Intune only, ditch CM and use only AAD but concern is what about legacy apps and system to run on-premises?


I know the customer is keen for client management over the intranet as its like that working remotely for their workforce will become the norm.