Auto Enrollment Options - moving from Classic Client RRS feed

  • Question

  • Hope someone can help me! I'm trying to understand options for a client organisation.

    They are 100% Windows 10 Organisation now and do use ADConnect for User/Device Synchronisation to Azure also.

    They are currently using the Classic Intune Portal and deploy the Classic Intune Client via GPO for management of Windows 10 Pro workstations/laptops. There are around 250 devices managed this way and historically it's worked great for patch management, anti-virus and reporting. The only real pain has been Intune Classic not supporting Build Upgrades of Windows 10!!

    I'm very aware that the Classic Client is going the way of the Dodo but it looks like the options for migrating from the Classic Client are really limited and I don't really understand why.

    I guess the thing that really gets me is that in the Classic InTune Portal, you can configure your policies, deploy the Classic Intune Client via GPO and that's it. With the reporting and notifications you could practically set it and forget it outside of alerts.

    But it looks like to switch to Modern InTune, there's no migration path outside of completely removal of the classic client and then enrolling each device..... and there's no way to Autoenroll via GPO unless they also purchase AD Premium or EMS? They also lose out on a lot of patch control - they'd just be able to control the Update Ring.

    Am I missing something? If not, given how pricy Intune already is, it would be far cheapers and less labour intensive to simply switch to a third party anti-virus solution and just use WSUS for patching. I'm hoping someone will tell me I'm very very wrong about everything.

    Saturday, September 14, 2019 5:20 PM


All replies

  • Appreciate that the last paragraph is a bit negative but I'd really appreciate any pointers or corrections in my thinking!

    If the scenario is 250 corporate owned devices, enrolled via the classic portal I just need to know the easiest way to get those devices enrolled in the Modern portal in the most automated way possible.

    Auto-enrollment via GPO doesn't appear to work because we don't have AD Premium or EMS. If push came to shove I suppose I could enable a Trial for the purposes of the initial enrollment but I'd like to do this properly really.

    I do have other management tools available on all of these devices (i.e I can send remote commands with ease)

    Bearing in mind they're already Hybrid Azure AD and these are all corporate owned devices, is there any way I can bulk enroll them in InTune using a DEM? Is there a powershell script to enroll devices (and if not... why not!!? It'd be so easy if I could retire/wipe all from classic portal and then just send a powershell command to them again!)

    Sunday, September 15, 2019 9:56 AM
  • This has been discussed for several years now and I'm afraid you are right. There is no migration path from full Intune client to MDM managed. This is a manual process.

    Gerry Hampson | Blog: | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    • Marked as answer by TrulyVexed Monday, September 16, 2019 5:42 PM
    Sunday, September 15, 2019 1:39 PM
  • No, you have to remove the Intune client software first before you can enroll the device as an MDM device in Intune. The autoenroll in GPO should work if you have removed the client software. Your environment is hybrid and is joined in AD and AAD. So, with the GPO autoenroll it should work. You must have EMS E3 or E5 subscription. Azure AD Premium feature is inside the EMS subscription. 

    Here the link for selective wipe for the Client software:

    And some script for removing the client software manually or by a script:

    • Marked as answer by TrulyVexed Monday, September 16, 2019 5:42 PM
    Monday, September 16, 2019 11:56 AM
  • Thanks - that re-iterates what I already thought.

    I just think it's pretty silly that InTune, which could be deployed via GPO when you have an InTune Subscription, requires an EXTRA subscription of EMS / AD Premium in order to continue deploying via GPO when switching from Classic to Modern.

    That extra expense just means clients are far less likely to stick with it (lost 2 this week as a result) - I'm sure it'll keep Mr Nadella awake at night.

    Monday, September 16, 2019 5:48 PM