Concerns About Migrating to Entra Join and Managing GPOs with Intune

Asked By CuriousCat222 On

I'm feeling quite stressed about our company's current policies regarding Azure Active Directory and Intune. Last year, we started moving all devices from SCCM to Intune, and while we're still in the process, we've recently begun using Autopilot for Hybrid Azure Join. Our main engineer didn't have the time to transition everything fully to the cloud, and I've read that the hybrid approach can be problematic. As a small team of three, we've taken on the task of creating all configurations and deployment profiles, but I have some questions.

1. Once our devices are compliant with Intune, should we shift entirely to Entra Join? Will that transition be complicated?
2. I'm confused about how to migrate our local GPOs to Intune. What tools or resources do you recommend for this?
3. How do you manage the GPO and policy transition while still on Hybrid? I'm worried this could turn chaotic!

Thanks for any insights you can provide!

7 Answers

Answered By CloudMaster921 On

Remember, hybrid-joined devices are very much like regular AD-joined devices but with some extra features. As a hybrid, they retain some restrictions, like requiring line-of-sight to a domain controller. You can choose to manage with GPOs or Intune, but I recommend managing separately for clarity—keep AD for Hybrid devices and switch to Intune solely for Entra.

Answered By SystemAdminGuru On

I’ve worked at places with hybrid joins, and we never faced major problems. Go hybrid as long as you have on-prem AD; migrating to Entra requires reimaging, so pace yourself. We've transitioned slowly from SCCM/GPO to Intune over a year, starting with software and gradually moving security policies. It allows us to review settings and ensure they are current and needed.

NewbieAdmin -

Thanks for the reassurance! We're tackling this step-by-step, prioritizing accuracy over speed.

Answered By ITGuru007 On

Intune does have a tool for importing GPOs and converting them to policies, but it doesn’t cover everything and often misses key settings. I find that managing hybrid works fine if you mainly handle entry-level configurations for off-network devices. Just make sure you’re aware of unsupported methods for directly migrating from hybrid to Entra—usually, a wipe and reconfigure is needed.

GPOWizard -

No imported ADMX files? Wow, that’s limiting!
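
An added example, not part of any poster's answer: a PowerShell inventory that exports each GPO as an XML report (the format Intune's Group Policy analytics import accepts) and flags GPOs that are unlinked or long unmodified, so only settings that are still needed get recreated in Intune. It assumes the RSAT GroupPolicy module on a domain-joined admin workstation; the output folder and the five-year staleness threshold are illustrative assumptions.

```powershell
#Requires -Modules GroupPolicy
# Added example: inventory GPOs before recreating them in Intune.
param(
    [string]$OutDir     = 'C:\Temp\GpoExport',  # hypothetical output folder
    [int]   $StaleYears = 5                     # assumed threshold for "review before migrating"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cutoff = (Get-Date).AddYears(-$StaleYears)

$inventory = foreach ($gpo in Get-GPO -All) {
    # One XML report per GPO; strip characters that are invalid in file names.
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $xmlPath  = Join-Path $OutDir "$safeName-$($gpo.Id).xml"
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $xmlPath

    # The report lists every OU/site/domain the GPO is linked to under <LinksTo>.
    [xml]$report = Get-Content -Path $xmlPath -Raw
    $links = @($report.GPO.LinksTo | Where-Object { $_ })

    [pscustomobject]@{
        Name      = $gpo.DisplayName
        Status    = $gpo.GpoStatus          # e.g. AllSettingsEnabled, AllSettingsDisabled
        Modified  = $gpo.ModificationTime
        Stale     = $gpo.ModificationTime -lt $cutoff
        LinkCount = $links.Count
        Unlinked  = $links.Count -eq 0      # applies to nothing; candidate to retire, not migrate
        Report    = $xmlPath
    }
}

# Oldest first, so the settings most likely to be obsolete are reviewed first.
$inventory | Sort-Object Modified |
    Export-Csv -Path (Join-Path $OutDir 'gpo-inventory.csv') -NoTypeInformation

$inventory | Sort-Object Modified |
    Format-Table Name, Status, Modified, Stale, LinkCount, Unlinked -AutoSize
```

The script only reads from AD and writes report files; it changes no GPO or link.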

Answered By SCCMRefugee On

It really depends on what you have on-prem. If you still rely heavily on local resources, staying hybrid makes sense. Intune licensing also provides an SCCM/MECM license for scenarios where Intune might not cover everything yet. I find it valuable to pick and choose the best of both worlds for flexibility.

CleverTechie77 -

We've just moved away from SCCM, and it feels freeing!

Answered By TroubledTechie On

Migrating from hybrid while still running SCCM can be a tricky mess. For example, some provisioning failed because of conflicts with SCCM checking intervals. It sounds like going fully cloud-based could ease many headaches, but make sure you consider how to manage device decommissioning effectively to avoid issues like old devices coming back into service.

Answered By SkepticalTechie On
Answered By TechNerd42 On

We transitioned from hybrid to full Entra joined without any issues. AD remains hybrid, but our endpoints connect using Kerberos cloud trust. I checked our GPOs and realized many hadn't been updated in decades! I just re-created the necessary configurations in Intune, which turned out to be quite straightforward. There's a learning curve, but it's doable!

QuestionAsk3r -

Did you ever run into issues with a domain controller not appending DNS correctly? Locally, machines couldn't ping by name, but FQDN worked fine. I just solved it, though!

InnovativeDude99 -

That's reassuring! We're a small team too, learning as we go, and your inputs help!
