How to Change SCCM MDM Authority to Intune Standalone

With the release of SCCM 1710, one of the key new features is the Co-Management possibility with Intune. Going in the direction of the Co-Management would eventually allow to offload some management task to Intune and be more aligned with the concept of Modern Management for Windows 10.

One of the main requirement to enable Co-Management is to have Intune as the MDM Authority. This goes against what many SCCM admins have done over the past few years, by enabling the Intune Connector in SCCM to manage mobile devices from the SCCM console. This is called Intune in Hybrid mode.

Microsoft has come up with a solution to bring back Intune as the MDM authority, which is the Standalone mode. All this without impacting the end-user with his enrolled devices.

In this post, we will detail how to move Intune from Hybrid mode to Standalone.

Prerequisites to Change SCCM MDM Authority Intune Standalone

• Account with Global Administrator role in Azure portal for the first run of the Import tool
• Account with Global Administrator role in Intune portal to import data
• SCCM 1610 or higher
• Intune configured as Hybrid mode with SCCM
• Intune License for users

Import SCCM data to Intune

The first step, which is not mandatory, is to bring policy, apps and deployment from SCCM to Intune. This is optional because it could be all recreated manually.

The idea here is the publish the exact same configuration as in SCCM. This will lead to a smooth transition without impacting the end-user.

First run of the Microsoft Intune Data Importer

The first run must  be done by an account member of the Global Administrator role in Azure to allow import of content into Intune

• Download the Intune data importer

• Extract the content

• Open a Command Prompt as administrator and run the following command:
  • Command line : intunedataimporter.exe -GlobalConsent

• This prompt for credentials. Enter the Global Administrator credentials

• Confirmation

Import data

This can be achieved by an Intune Admin or Global Admin.

• Start the intunedataimporter.exe by double-clicking on it

• Click Next

• Specify the SCCM server FQDN and Site code. Select which data should be imported
  • You can always come back to that screen if you choose not to import discovered data.

• Discovery will take a couple minutes to complete

• Next, the tool will list all of the selected components it found, by categories of the item

• Note that some items will not be importable

• This happens for many different reasons. Scrolling to the right will give the reason

• One likely error would be that the value in ConfigMgr for setting … is not supported in Intune
• Another common error you might get is related to having a collection with a query or manual membership that are not supported for Intune. The only collection that can be converted to Intune is the ones with a simple query for AD group membership. This would allow having the SCCM deployment transferred automatically to Intune, and targeted to the right user group

• Once items are selected, click next on the Summary

• Sign in with Intune Admin or Global Admin rights

• Sign-in

• Once logged in, the import process starts automatically.

• Click Next

• Review errors as those will need to be addressed before moving user/devices to Intune

• Go to Portal.azure.com, under Intune / Device Configuration / Profiles, the policies are imported

More information about the Import data is available on Microsoft Documentation

Prepare Intune for User Migration

Before going forward with users and devices migration, here are some validation that should be done.

• Assignment of apps and policies must be done to groups like they were done to collections in SCCM
• Ensure users that have enrolled devices have Intune license assigned to them

Depending on your setup, additional validation could include  :

• Configure the role-based administration controls(RBAC) in Intune
• Migrate the Exchange connector configuration from SCCM to Intune
• Migrate the Intune Certificate connector from SCCM to Intune

Migrate Users’ Devices

Once the data is imported and all validation is done, it’s time to migrate a group of test users to their devices to see how it goes.

The process is quite simple for users devices. Devices enrolled by users that are no longer allowed to enroll devices into SCCM, are automatically redirected to Intune.

This means, that users must be excluded from the collection defined in SCCM Intune Subscription, to allow users to enroll devices.

• To find the collection that is used to allow users to enroll devices, go to Administration / Cloud Services / Microsoft Intune Subscriptions and select Properties on your Microsoft Intune Subscription

• Create a user collection that will be used for migration
• Add this new collection as an Exclude Collection Rule on the collection used to allow users to enroll devices

• Add test user to Migration collection
• Go to Portal.azure.com, under Intune / Devices / All Devices, migrated devices should show up about 15 minutes later

• At this point, the device is managed only by Intune, even if the device is still visible in SCCM

• Remaining devices in SCCM are still managed by SCCM only. This is called Mixed MDM Authority, as both Intune and SCCM are managing devices
• The Terms and Condition policy configured in SCCM, is automatically migrated to Intune when the Mixed Mode is enabled

• The Terms and Condition are not automatically assigned. Go to Intune / Device Enrollment / Terms And Condition

• Select the policy and set the Assignments  to the user group of your choice

Before moving all users, testing should be done to ensure that your mobile devices are correctly managed.

Once tests are completed, we can move on using the same method to migrate all other users and devices.

Change MDM authority to Intune standalone

After all users devices are migrated, it’s time to set Intune to standalone.

• In SCCM, go to Administration / Cloud Services / Microsoft Intune Subscription, and delete your existing Intune Subscription

• Select Change MDM Authority to Microsoft Intune, click Next

• Select Yes

• Sign in to Intune

• Provide credentials

• Click Next

• Summary, click Next

• Successful!

• MDM Authority is now set to Intune

Post change after MDM authority tasks

• If you are using Device enrollment managers, they must be reconfigured at this point.

More information on how to change the MDM authority on Microsoft Documentation

Hope this post helped! 🙂

[ratings]