MEMCM - Migration from On premise to Intune - Part 6 - Migration of Policies

D Walsham • 10 April 2021

Planning for Client & Endpoint Security Policies

Introduction

The last part on this series will now focus on the various policies within MEMCM, mainly the client policies and the Endpoint/Defender policies.

There is an interesting split as to how client policies can be migrated over but due to the various categories which are displayed in both policies for your MEMCM & then the profiles within Intune will make an interesting exercise to explore the overall mapping.

For Defender policies we will also dive into the migration of these policies and how they fit into a profile around the Endpoint Security area of Intune and how they will all fit overall in your Modern Workplace Management.


( Note: When performing migrations of policies in general its best advised to testing these first on machines which your policies that are controlled on-premise to be turned off so that you able to obtain a true baseline of working policies once migrated into Intune for your Modern Workplace Management. Then once happy with the testing you can make the transition of it being controlled only by Intune )

Client Policy Mapping

Various settings are set by default within your Default Client Settings policy in your on-premise MEMCM. So for all of the settings which are not only applicable but also can be configured within Intune will be explored even further.

The migration of these specifics are not as straight forward as the other parts in this series due to the fact that a lot of the policies have a primary focus on the on premise client settings which utilise the communications & polling methods, however there are some which provide a more overall configuration of the whole Intune/Modern Workplace Management experience.

Computer Agent

The computer agent has settings specifically for your on premise SCCM.For example, if we take the Computer Agent policy as seen below in my default settings.

These settings control the overall branding of the MEMCM environment which you have. So you would expect to see these around your Software Centre & some cases your Application Catalog.

Now within your Modern Workplace Management your Software Centre is essentially your Company Portal whether that be the actual windows application or the web based version. Also not to mention your Auto Pilot/Enrollment/White Glove process as well. So these settings are then migrated into the Tenant Admin End User Experience Section.

Enrollment

Where enrollment is concerned these are covered within the MDM settings, Enrollment Profile pages and also the Auto Pilot provisioning section of your Intune Device Management.

Enrollment settings of course vary from device type, where Android, iOS and MacOSX have their own enterprise level methods of enrollment where you might have a PKI topology and authentication roles defined within MEMCM if you are managing these on premise. There maybe situations in which you were an early adopter of going to the MDM when Intune was transitioning into the Intune Standalone a couple of years back.

Having said that if we look into the enrollment settings on your on premise MEMCM there are options such as allowing users to register devices, now these specific settings are a bit spread out and can be controlled within administrative permissions using RBAC (Role based access control) within your Intune Tenant admin settings.

Hardware/Software Inventory

Unlike the on premise MEMCM settings there are no policies within Intune which can actually set a polling interval to collect the information as this is done in a more hardcoded way.

When devices enroll areas such as Discovered Apps (equivalent to Software Inventory) will collection information ranging from 24 hours (win32 apps) and 7 days for all of the rest. The Hardware Inventory follows the same type of polling. Below are some ideas on how the actual inventory looks like for both hardware and software.

It is to note that the Intune Data Warehouse can also pull down the exact same kind of information for both inventories if you choose to build a custom report or Power BI dashboard from the same information.

Remote Settings

In your On Premise MEMCM you would be able to use the remote control application which will enable you to remotely connect and control a managed asset within your on premise estate.

Intune currently does not have an equivalent as such. But there is a Teamviewer connector which can integrate with your Intune Device Management and this can therefore provide the same service as well as compensate for the policy settings as well.

Other Policy Settings

Other areas such as the following;

  • Background Intelligence Transfer Service
  • Computer Restart
  • Power Management
  • Windows Updates
These can be controlled from Configuration Profiles especially through the settings view where you can get a comprehensive list of policy categories as seen below

Defender/Endpoint Security Mapping

This section is actually less complicated to migrate over in the sense of that the sections for Endpoint Security settings are situated in one area when it comes to Intune. The policies for this in your On Premise MEMCM however can be somewhat spread but they are still close knit logically within the console it self.

So if we look into the Assets and Compliance - Endpoint Protection section in the MEMCM console we have the following categries;

  • Antimalware Policies
  • Bitlocker Management
  • Windows Defender Firewall Policies
So the mapping side between them to Intune so for example;


Antimalware Policies have the scheduled scan and scan details performed on each device with an agent, in this case we would migrate this into the EndPoint Security - AntiVirus Policies where we can dedicate settings specifically around scans, real time scanning.

As bitlocker was covered in the one of the earlier parts of the series this also has a straight forward migration mapping into the EndPoint Security - Disk Encryption Policies.

And for the Firewall Policies, whether you use these in the perspective of them being mainly controlled via MEMCM , or firewall policies which are controlled from a GPO level and distributed to all of your endpoints, these can also be mapped across to EndPoint Security - Firewall policies within Intune.

These are split up where you can define the settings for your actual firewall profile, and then another one specifically for firewall rules where you can configure the inbound and outbound traffic as seen below.

MDM Security Baselines

These baselines are set by default to add a foundational layer of security for all managed devices within Intune. Now where your policies are concerned within your On Premise MEMCM you may have some configurations which may either overlap, or perhaps be inconvenient to you where your other settings are concerned.

They provide a compliance standard for all devices globally within your Intune, so its best to proceed with caution when defining other policies within your Intune which may conflict with the security baselines.

Below is a screenshot of my MDM Security Baseline (December 2020) which is currently applied to all devices. Now as I have showed I had created a firewall policy it may not override this one, so if specific changes need to be made then you can change the distribution settings of where the security baseline has gone to if you want to build your own custom settings and baselines.

You do have the ability to create your own Security Baseline as well and define very similar settings which would be within policies which you are looking to migrate over into Intune. But please do so with care (Disclaimer at the top of the article)

End of the Series

Thanks again for looking through all six parts of this series and will be creating more around these areas soon which may give a more technical step by step approach on how to achieve these areas of migration.

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side Part 4 - SQL Server Requirement Analysis

by D Walsham 13 December 2021
Looking through the current SQL Server topology and how it affects our decision

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side Part 3 - Current Branch Upgrade Approaches

by D Walsham 19 November 2021
Impact of Current Branch Upgrades

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side - Part 2 - Operating System Considerations

by D Walsham 29 October 2021
Introduction

Microsoft Endpoint Manager: In-Place Upgrade or Side by Side

by D Walsham 7 October 2021
Introduction

Endpoint Manager: Device Estate Cleanup

by D Walsham 6 October 2021
Introduction

Modern Workplace Management: Creating Applications Common Practices - LOB vs Win32 Package

by D Walsham 3 September 2021
Introduction

Modern Workplace Management: Build Endpoints Without SCCM Part 6

by D Walsham 12 August 2021
All the parts of the series we went into great detail about how we analyse an end to end solution and how we would design a solution in which would allow us to build endpoints without SCCM being a dependency. Whilst we did this, there is another scenario which we have not touched on yet, which is the hybrid scenarios. In a perfect world ideally you would have your Azure Active Directory within the cloud, every machine meets the recommended requirements for Windows 10, everything is imported into Intune/Autopilot and everyone is happy. But we know this isn't realistic in all cases. Many organisations cannot just simply up and go from on-premise into the cloud therefore the checkpoint here is of course getting into hybrid solutions such as; Co-Management Between Intune and SCCM Hybrid AD with Azure AD and On-Premise AD syncing together These things can play a very interesting part in how you would tackle this if you envisage the next step in the blueprint is to be in a position in which you can build and manage endpoints soley within Intune. With this final part of the series we will go in-depth in how the common hybrid setups look like and how we go about moving into the next step of being able to manage and build devices without SCCM.

Modern Workplace Management: Build Endpoints without SCCM Part 5

by D Walsham 29 July 2021
In continuation from the previous part where we had discussed how we create the "on site" piece of the solution, this was the part which would allow us to get our endpoints into a state in which they would essentially be ready to go through the Autopilot process. Which leaves our next piece of the puzzle, to begin the configuration of the actual backend side that resides within our Endpoint Management console. And you will see how everything ties up together to satisfy the full end to end process of getting an unknown (or known) device to proceed thorough the whole workflow to be finally managed by Intune without the aid of SCCM taking part in any of the prerequisites or preparation at hand.

Modern Workplace Management: Build Endpoints without SCCM Part 4

by D Walsham 15 July 2021
In this part we are now going to look into the technical step by step points on how we put everything together. In the previous part we spoke about the structure of how we would asses whether a machine was actually ready to be built with Autopilot or not with a build checklist process which would step through all areas which would cover an endpoints eligibility. Now with everything planned out we finally want to step into making things reality by putting everything together.

Endpoint Manager: Find machines not in Autopilot

by D Walsham 2 July 2021
When it comes to managing your endpoints in endpoint manager, one of the things you may be looking to do is to get all of your Intune registered machines to also be enrolled as Autopilot devices. Now we can of course just have the deployment profile deployed to all machines and then hit the "Convert targeted machines to autopilot" but this might not necessarily be feasible for every client. We may want to perform some due diligence first so we can at least understand what devices in Intune are not in Autopilot.
Show More