Update 2018/08/14Microsoft has announced that on September 1, 2019, they will retire the hybrid MDM service offering. If you have SCCM in Hybrid mode, plan your migration to Intune Standalone
With the release of SCCM 1710, one of the key new features is the Co-Management possibility with Intune. Going in the direction of the Co-Management would eventually allow to offload some management task to Intune and be more aligned with the concept of Modern Management for Windows 10.
One of the main requirement to enable Co-Management is to have Intune as the MDM Authority. This goes against what many SCCM admins have done over the past few years, by enabling the Intune Connector in SCCM to manage mobile devices from the SCCM console. This is called Intune in Hybrid mode.
Microsoft has come up with a solution to bring back Intune as the MDM authority, which is the Standalone mode. All this without impacting the end-user with his enrolled devices.
In this post, we will detail how to move Intune from Hybrid mode to Standalone.
NoteIn the event that you configured the Intune connector in SCCM, but actually never used any of those features, changing the MDM authority to Intune, by removing the Intune Subscription from SCCM can do just fine.
Prerequisites to Change SCCM MDM Authority Intune Standalone
- Account with Global Administrator role in Azure portal for the first run of the Import tool
- Account with Global Administrator role in Intune portal to import data
- SCCM 1610 or higher
- Intune configured as Hybrid mode with SCCM
- Intune License for users
Import SCCM data to Intune
The first step, which is not mandatory, is to bring policy, apps and deployment from SCCM to Intune. This is optional because it could be all recreated manually.
The idea here is the publish the exact same configuration as in SCCM. This will lead to a smooth transition without impacting the end-user.
First run of the Microsoft Intune Data Importer
The first run must be done by an account member of the Global Administrator role in Azure to allow import of content into Intune
- Download the Intune data importer
- Extract the content
- Open a Command Prompt as administrator and run the following command:
- Command line : intunedataimporter.exe -GlobalConsent
- This prompt for credentials. Enter the Global Administrator credentials
When you click Accept, you give the tool permission to do the following:
- Read all groups
- Sign in and read the user profile
- Read and write Intune device configuration and policies
- Read and write Intune apps
- Read and write Intune role-based administration control policies
- Read and write Intune devices
- Read and write Intune configuration
This can be achieved by an Intune Admin or Global Admin.
- Start the intunedataimporter.exe by double-clicking on it
- Click Next
- Specify the SCCM server FQDN and Site code. Select which data should be imported
- You can always come back to that screen if you choose not to import discovered data.
- Discovery will take a couple minutes to complete
- Next, the tool will list all of the selected components it found, by categories of the item
- Note that some items will not be importable
- This happens for many different reasons. Scrolling to the right will give the reason
- One likely error would be that the value in ConfigMgr for setting … is not supported in Intune
- Another common error you might get is related to having a collection with a query or manual membership that are not supported for Intune. The only collection that can be converted to Intune is the ones with a simple query for AD group membership. This would allow having the SCCM deployment transferred automatically to Intune, and targeted to the right user group
- Once items are selected, click next on the Summary
- Sign in with Intune Admin or Global Admin rights
Microsoft does recommend to import content to a Trial Tenant before going into production. If the tool is run multiple time for the same tenant, you might end up with duplicate items.
- Once logged in, the import process starts automatically.
- Click Next
- Review errors as those will need to be addressed before moving user/devices to Intune
- Go to Portal.azure.com, under Intune / Device Configuration / Profiles, the policies are imported
WarningWe had issue with the migration of the deployments. The target group, that is a member of our collection in SCCM, was not found in Intune, so the tool was not able to target assignment correctly.
The group was well synced to AAD and was available to be assigned manually. The group name had spaces in it. That might have been the issue.
The end result is that we had to manually do the assignment for each policy and applications.
Note that rerunning the import data tool could lead to duplicate items in Intune, and importing only Deployment is not possible without selecting the desired item at the same time.
More information about the Import data is available on Microsoft Documentation
Prepare Intune for User Migration
Before going forward with users and devices migration, here are some validation that should be done.
- Assignment of apps and policies must be done to groups like they were done to collections in SCCM
- Ensure users that have enrolled devices have Intune license assigned to them
Depending on your setup, additional validation could include :
- Configure the role-based administration controls(RBAC) in Intune
- Migrate the Exchange connector configuration from SCCM to Intune
- Migrate the Intune Certificate connector from SCCM to Intune
Migrate Users’ Devices
Once the data is imported and all validation is done, it’s time to migrate a group of test users to their devices to see how it goes.
The process is quite simple for users devices. Devices enrolled by users that are no longer allowed to enroll devices into SCCM, are automatically redirected to Intune.
This means, that users must be excluded from the collection defined in SCCM Intune Subscription, to allow users to enroll devices.
- To find the collection that is used to allow users to enroll devices, go to Administration / Cloud Services / Microsoft Intune Subscriptions and select Properties on your Microsoft Intune Subscription
- Create a user collection that will be used for migration
- Add this new collection as an Exclude Collection Rule on the collection used to allow users to enroll devices
WARNINGFrom this point, users’ devices will be redirected to Intune. Make sure policies, apps and deployments are assigned.
If the configuration is identical from SCCM, this change will be 100% transparent for the user.
- Add test user to Migration collection
- Go to Portal.azure.com, under Intune / Devices / All Devices, migrated devices should show up about 15 minutes later
- At this point, the device is managed only by Intune, even if the device is still visible in SCCM
- Remaining devices in SCCM are still managed by SCCM only. This is called Mixed MDM Authority, as both Intune and SCCM are managing devices
- The Terms and Condition policy configured in SCCM, is automatically migrated to Intune when the Mixed Mode is enabled
- The Terms and Condition are not automatically assigned. Go to Intune / Device Enrollment / Terms And Condition
- Select the policy and set the Assignments to the user group of your choice
Before moving all users, testing should be done to ensure that your mobile devices are correctly managed.
Once tests are completed, we can move on using the same method to migrate all other users and devices.
Important NoteIf you have devices enrolled by Apple DEP program, devices can’t be migrated by their assigned owner. Those devices are considered user-less in Intune.
To migrate those, there is a PowerShell cmdlet available in the Intune data importer.
More details on how to migrate device without user affinity are available on Microsoft Documentation.
Change MDM authority to Intune standalone
After all users devices are migrated, it’s time to set Intune to standalone.
- In SCCM, go to Administration / Cloud Services / Microsoft Intune Subscription, and delete your existing Intune Subscription
- Select Change MDM Authority to Microsoft Intune, click Next
- Select Yes
- Sign in to Intune
NoteThe account provided to Sign-in Intune, must have a license for Intune assigned to the account.
- Provide credentials
- Click Next
- Summary, click Next
- MDM Authority is now set to Intune
Post change after MDM authority tasks
- If you are using Device enrollment managers, they must be reconfigured at this point.
More information on how to change the MDM authority on Microsoft Documentation
Hope this post helped! 🙂[ratings]
Share this Post
Share this Post