Really worried by our company policies on AD - AAD usage
Posted by Daxh64@reddit | sysadmin | 25 comments
So we started migrating all of our devices from SCCM to Intune last year; we're still in the process, though.
We also just started using Autopilot, and we're doing Hybrid Azure Join because our main engineer said he didn't have the time to migrate everything from local to the cloud, even though I've read a lot of things saying that Hybrid is a mess.
He didn't have the time to manage the transition and the deployment configs, as he's still managing our on-prem servers and has other tasks to do, so we're a small team of 3 that was tasked with creating all the config/deployment profiles and scripting.
So my questions are:
- When all of our devices are Intune compliant, should we move to Entra Join only (will it be a pain in the a**)?
- But I'm at a loss: how do you guys move your local GPOs to Intune? What are your go-to tools or tutorials that I should look for?
- And finally, how do you manage the transition of GPOs and policies when Hybrid (as it's our current state, and I feel it's going to be a mess soon!)?
Thanks in advance guys.
ZAFJB@reddit
No. As long as you have on-premises servers and services, KEEP your hybrid join. Otherwise authentication to and permissions on those local devices becomes a nightmare to manage. Also, remember that you cannot Entra join on-prem Windows Servers.
Daxh64@reddit (OP)
Thanks for your time. So everything we read online (multiple forums, blogs) is false? Why is IT so divided about that 😫
BlockBannington@reddit
We went from hybrid to Entra joined with exactly 0 issues. AD is still hybrid except for endpoints, and everything can be reached via Kerberos cloud trust. GPOs I simply analyzed and determined that, holy shit, those haven't been touched in 20 years. I just recreated what we actually needed in Intune and that was basically it. There's a bit of a learning curve but it's absolutely doable.
iamLisppy@reddit
Did you ever have an issue with a DC not appending DNS properly? By that I mean the machine on the local network couldn't ping by name but FQDN worked fine. Currently battling this at one office and trying to pinpoint where to look to fix it.
BlockBannington@reddit
Yeah, you need to add the DNS suffix config!
iamLisppy@reddit
I added it at our network level versus doing this! Just had a learning moment with this.
For everybody else, could you give us the rundown of how you did what you said? If you don't mind, that is.
BlockBannington@reddit
There is a configuration profile setting to add a DNS suffix (or a list of suffixes). You enter your domain and that's basically it, haha. As soon as the config hits, it's appended and works instantly.
https://modernworkspacehub.com/set-dns-suffixes-via-microsoft-intune/#Create_the_Settings_Catalog_Configuration_Profile
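The symptom in this sub-thread (short hostname fails, FQDN works) comes down to whether the client has a DNS suffix to append. The PowerShell below is an added example, not from the thread or the linked article: it reports the global suffix search list (the value the Intune DNS Client setting populates) and any DHCP-supplied connection-specific suffixes, tests a short name against its FQDN, and applies the search list locally for comparison. The domain `corp.example.com` and host `dc01` are assumed placeholders; the `Set-` function needs an elevated prompt.

```powershell
# Added example: audit and fix short-name resolution on a Windows 10/11 client.
# Assumes the built-in DnsClient module and a hypothetical domain corp.example.com.
# Hybrid-joined devices inherit a primary DNS suffix from AD; Entra-joined devices
# have none, so short names only resolve via a suffix search list or DHCP option 15.

function Get-DnsSuffixState {
    # Global suffix search list: what the Intune Settings Catalog DNS suffix setting writes
    $global = (Get-DnsClientGlobalSetting).SuffixSearchList
    # Per-interface connection-specific suffixes, usually handed out by DHCP
    $perIf = Get-DnsClient |
        Where-Object { $_.ConnectionSpecificSuffix } |
        Select-Object InterfaceAlias, ConnectionSpecificSuffix
    [pscustomobject]@{
        SuffixSearchList   = $global
        ConnectionSuffixes = $perIf
    }
}

function Test-ShortNameResolution {
    # Resolves the bare name and the FQDN side by side; if only the FQDN
    # succeeds, the suffix list is the gap.
    param(
        [Parameter(Mandatory)] [string] $ShortName,    # e.g. 'dc01' (assumed)
        [Parameter(Mandatory)] [string] $DomainSuffix  # e.g. 'corp.example.com' (assumed)
    )
    foreach ($name in @($ShortName, "$ShortName.$DomainSuffix")) {
        try {
            $r = Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop
            [pscustomobject]@{
                Query    = $name
                Resolved = $true
                Answer   = (($r | Where-Object Type -eq 'A').IPAddress -join ',')
            }
        } catch {
            [pscustomobject]@{ Query = $name; Resolved = $false; Answer = $_.Exception.Message }
        }
    }
}

function Set-DnsSuffixSearchList {
    # Local equivalent of the Intune "DNS Suffix Search List" setting; requires elevation.
    param([Parameter(Mandatory)] [string[]] $Suffixes)
    Set-DnsClientGlobalSetting -SuffixSearchList $Suffixes
    (Get-DnsClientGlobalSetting).SuffixSearchList
}

# Usage (values are assumed):
Get-DnsSuffixState
Test-ShortNameResolution -ShortName 'dc01' -DomainSuffix 'corp.example.com'
# Only if the short name fails while the FQDN resolves:
# Set-DnsSuffixSearchList -Suffixes @('corp.example.com')
```

Run the audit on a device that has already received the Intune profile and on one that has not; the difference in `SuffixSearchList` is what makes the short-name lookup succeed, which is a quicker check than waiting for the next Intune sync to confirm the profile landed.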
Daxh64@reddit (OP)
That's the point we're taking the long path of learning and trying ourselves (the team of 3). And we've learned a lot but this looks promising thanks to your input 🤞
dylanimal@reddit
There is a tool in Intune that imports your GPOs and converts them to Intune policies, but it's very hit or miss and has fewer policies than GPO has. Also no custom/imported ADMX files.
In my opinion hybrid is fine. We go full Entra only for remote workers and hybrid for our on-prem devices.
BlockBannington@reddit
No imported ADMX files? Hell yeah you can.
dylanimal@reddit
Oh, you can now? Hell yeah! It has been a while since I did the migration. Good to know.
Daxh64@reddit (OP)
I've no clue what ADMX is (I've never implemented GPOs); could you explain how you use them for replicating GPOs to Intune policies?
dylanimal@reddit
1) ADMX files (and ADML files) are just template files that you can put in your SYSVOL (either locally on a domain controller or in the central store) to add additional policies to your GPMC. For example, Google has a package for Chrome policies that you can download.
2) I haven't actually done this yet, but from what the other user replied to my comment I guess you can upload them to Intune or something similar. What I did the last time I migrated a client to Intune is a full GPO export/backup, then uploaded it into Intune. It parsed the file and converted what it could into Intune policies.
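The two steps above (templates into the SYSVOL central store, then a full GPO backup to feed the import) can be scripted with the GroupPolicy and ActiveDirectory RSAT modules. This is an added example, not dylanimal's own procedure: it seeds the central store from the local Windows templates if it does not exist yet, copies one vendor ADMX/ADML package in (the Chrome folder `C:\Templates\chrome` is an assumed placeholder), warns about any ADMX without a matching ADML, and takes a full `Backup-GPO` that the import tooling reads. The backup share `\\fileserver\gpo-backups` is likewise assumed.

```powershell
# Added example: populate the ADMX central store and back up every GPO.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined
# admin workstation, plus hypothetical paths C:\Templates\chrome and
# \\fileserver\gpo-backups.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Initialize-CentralStore {
    # Central store path is \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions
    param([string] $DomainDns = (Get-ADDomain).DNSRoot)
    $store = "\\$DomainDns\SYSVOL\$DomainDns\Policies\PolicyDefinitions"
    if (-not (Test-Path $store)) {
        # Seed from the local Windows templates, language folders included
        Copy-Item -Path 'C:\Windows\PolicyDefinitions' -Destination $store -Recurse
    }
    $store
}

function Add-AdmxTemplate {
    # Copies one vendor package (admx + matching adml) into the store so the
    # new settings show up in GPMC on every admin workstation.
    param(
        [Parameter(Mandatory)] [string] $Store,
        [Parameter(Mandatory)] [string] $SourceFolder,  # contains *.admx and <lang>\*.adml
        [string] $Language = 'en-US'
    )
    Copy-Item -Path (Join-Path $SourceFolder '*.admx') -Destination $Store
    $langDir = Join-Path $Store $Language
    if (-not (Test-Path $langDir)) { New-Item -ItemType Directory -Path $langDir | Out-Null }
    Copy-Item -Path (Join-Path $SourceFolder "$Language\*.adml") -Destination $langDir
    # GPMC reports errors for any admx that lacks an adml in the language folder
    Get-ChildItem -Path $Store -Filter *.admx | Where-Object {
        -not (Test-Path (Join-Path $langDir ($_.BaseName + '.adml')))
    } | ForEach-Object { Write-Warning "Missing $Language adml for $($_.Name)" }
}

function Backup-AllGpos {
    # Full backup: one folder per GPO backup containing gpreport.xml and the
    # manifest files, which is what a GPO-to-Intune import consumes.
    param([Parameter(Mandatory)] [string] $Destination)
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }
    $backups = Backup-GPO -All -Path $Destination -Comment "Pre-Intune migration $(Get-Date -Format yyyy-MM-dd)"
    $backups | Select-Object DisplayName, Id, BackupDirectory, CreationTime
}

# Usage (paths are assumed):
$store = Initialize-CentralStore
Add-AdmxTemplate -Store $store -SourceFolder 'C:\Templates\chrome'
Backup-AllGpos -Destination '\\fileserver\gpo-backups'
```

Keep the backup folder: besides feeding the import, it is the rollback point if a converted policy turns out wrong, and `Restore-GPO` from the same module brings an individual GPO back from it.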
Daxh64@reddit (OP)
Thanks for that; I will talk with our Sys Eng about that, not sure if he used it before.
CeC-P@reddit
The last place I worked tried hybrid with SCCM still active, but Autopilot was fighting with it and provisioning failed because the SCCM check-in interval wasn't long enough. So they lengthened it, and now new PCs only fail 10% of the time and had to start all over.
So their new computer deployment system was based on luck. On probability. On random chance. WTF is wrong with Microsoft?! Vibe-coded garbage. I only heard about this secondhand and have no idea how the system works, but people sure talked about it often. So it seems the consensus was don't run both side by side. Go 100% cloud-based, and piss off every single e-waste company recycling your computers, and then have ghost computers come back to life when they fire them back up to sell on eBay and the interns didn't release them from the Intune system properly.
Oh, and not even divine intervention will help you if a motherboard gets swapped under warranty and the system has the same serial but a different MAC address. That computer just entered the Twilight Zone and can only be cleansed with flames or holy water at that point.
Daxh64@reddit (OP)
Haha, that sure looks like I've entered a hellhole in terms of computer management.
But we've ditched SCCM for good and I'm glad we've made the decision to do that.
Glad you mentioned the e-waste situation, as we do not have that problem yet. But I'll keep that in mind and talk with my manager about it. What are your recommendations on deletion policies in Intune?
FatBook-Air@reddit
Some things to keep in mind:
A Hybrid-joined device is really just a regular AD-joined device but with some additional features. But at its core, it still has more in common with regular AD-joined than native Entra-joined. You still have all the normal limitations, like needing line-of-sight to a domain controller.
Whether you use GPO or Intune to manage a device is a choice you make: almost all devices, whether Entra joined, Hybrid, AD, or not joined at all, can be managed by Intune. Only devices added to AD can be managed by AD. A Hybrid Joined device can be managed by both.
To be clear, I do not like managing by both on the same device. Where I work, when we were migrating from AD to Entra, we kept AD and Hybrid Joined managed by AD only; we managed Entra Joined by Intune only. You don't have to do this, but it might help you mentally delineate between the two.
Tessian@reddit
I've heard others around here bemoan Hybrid join and always push Entra native, but I've only ever been at orgs with hybrid join and we never had problems. Hybrid is what you want until you can 100% get rid of on-prem AD, and for most orgs, good luck on that.
Migrating to Entra joined later requires reimaging the PC, so take that as you will.
When a previous company migrated off SCCM/GPO to Intune, we did it slowly over the course of a year. Move software installations first, then Defender/Firewall GPOs, BitLocker, etc. We just did it manually and slowly; there was no reason to rush, and it gave everyone a chance to review the settings of those policies and make sure they're both still appropriate/needed and to take advantage of new features.
Daxh64@reddit (OP)
You make it reassuring for me 🙌 That's basically what we're doing also; we're doing the job of an engineer and don't have the experience imho, so we're moving step by step to make sure we don't mess this transition up.
Tessian@reddit
The biggest improvement I saw overnight was rolling out AutoPatch and stopping patching Windows via SCCM. PCs falling multiple months behind on Windows updates stopped being a thing at all.
Daxh64@reddit (OP)
Yeah, we're leaning towards AutoPatch; our SCCM patching was a mess because a lot of our users are not using the VPN as they should (we do not have always-on VPN configured).
JwCS8pjrh3QBWfL@reddit
There is no supported method to move devices from Hybrid to pure Entra joined. Technically, they should be wiped and set back up.
You audit your GPOs, discover that 90% of them are irrelevant to either cloud managed devices or the way your company actually operates these days, and then you just move over the couple of them that remain by hand.
When you move a policy into Intune, disable the GPO. If you've got some kind of weird intermediate step where you don't want to totally disable the GPO and only do it for a group of devices, you can set up an AD group for your Intune devices and add that as an exception to the GPOs as you go.
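Both of the options in that comment (disable the GPO once its Intune replacement is live, or keep it and exempt only the Intune-managed devices) map to two small GroupPolicy/ActiveDirectory module operations. The script below is an added example, not the commenter's own: the first function flips the GPO to AllSettingsDisabled so it stays available for rollback, and the second adds a Deny ACE for the "Apply Group Policy" extended right on the GPO's AD object for a device group, which is the same thing GPMC's Delegation tab does when you deny Apply. The group name `Intune-Managed-Devices` and the GPO name `Workstation Firewall` are assumed placeholders.

```powershell
# Added example: retire a GPO that has been rebuilt in Intune, or exempt a
# group of Intune-managed devices from it. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules; the group and GPO names are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# rightsGuid of the Apply-Group-Policy extended right in the AD schema
$ApplyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Disable-MigratedGpo {
    # Keeps the GPO and its settings for rollback but stops it applying anywhere
    param([Parameter(Mandatory)] [string] $Name)
    $gpo = Get-GPO -Name $Name
    $gpo.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::AllSettingsDisabled
    (Get-GPO -Name $Name).GpoStatus    # expect AllSettingsDisabled
}

function Add-GpoExceptionGroup {
    # Adds a Deny "Apply Group Policy" ACE for the group on the GPO's AD object.
    # Members of the group can still read the GPO but no longer apply it; every
    # other device keeps receiving it, which is the intermediate state described
    # in the comment above.
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $gpo  = Get-GPO -Name $GpoName
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $path = "AD:\$($gpo.Path)"   # DN of cn={guid},cn=policies,cn=system,DC=...
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyRight)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Read the ACL back and return the Deny entries for this group as confirmation
    (Get-Acl -Path $path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $ApplyGroupPolicyRight -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
}

# Usage (names are assumed):
Add-GpoExceptionGroup -GpoName 'Workstation Firewall' -GroupName 'Intune-Managed-Devices'
# Once every device is on the Intune policy:
Disable-MigratedGpo -Name 'Workstation Firewall'
```

Two things to check after running it: GPMC compares the AD object ACL with the SYSVOL folder ACL and will offer to re-sync them after a change made this way, and `gpresult /r` on a member of the group should now list the GPO under "filtered out" with a security-filtering reason, which is the quickest way to confirm the exception took effect on an actual device.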
Daxh64@reddit (OP)
Okay, it makes total sense and I think we're heading in the right direction. Thanks a bunch for this explanation.
We're struggling to find time with our sys eng who made the GPOs in the first place to make the full transition. Even though we're not disabling them rn, I think we're in the sweet spot of it working like this for the moment.
Hunter_Holding@reddit
It really depends. Remember, there's a reason that Intune licensing includes a free SCCM/MECM license too: to cover gaps Intune doesn't.
Co-management (part Intune, part SCCM) is really the sweet spot right now, given the 'maturity' or lack thereof regarding Intune in some areas/regards.
But if you have a lot of on-prem resources/servers/systems, it may be easier to maintain hybrid join.
I can't say I've ever heard of or seen it being a mess; if I have on-prem/traditional application infrastructure, that's right where I'd want to be, intentionally. You can pick and choose the "best of both worlds" and if business needs/decisions change, you're not married intimately to solely any one system.
Intune can accept ADMX templates and set those kinds of GPO settings and whatnot, so that's not really a concern.
For hybrid, though, I'd just manage what you need/want to for machines that are off network - update policies, perhaps, VPN config/compliance, security agent enforcement/visibility, etc. Basically, anything that'd need IBCM (internet based client management) with SCCM to keep delivering, so you can throw that piece out (or go CMG and keep it, but either way...)
Daxh64@reddit (OP)
We ditched SCCM last month or so ¯\_(ツ)_/¯