The Twelve Days of Blog-mas: No.5 – The Endpoint Management Jigsaw

Happy Tuesday – You're back for more, I see?

Most orgs (hopefully) have a well-developed ‘practice' around endpoint management, combining people, process and technology to deploy, configure, operate and support a fleet of devices that adhere to corporate policy.  This has been a mainstay of endpoint IT Pros for decades.

As IT Pros, whether we like it or not, we're continually expanding our knowledge and skills to keep up with the ever-growing scope we're accountable for and the winds of change in technology.  The cloud, mobile devices, BYO, VDI and other flavors of endpoints – as well as a global pandemic – have all pushed or pulled (or dragged) us to where we are “today.”

And “today,” we live in interesting times (be it a curse, a blessing or a bit of both), where you can: 

Today, for Windows endpoint management, we have three primary solutions: 

Since well before Y2K, some form or another of our “Systems Management Server” product has been around (I think SMS 1.0 came out in '94?).  It has since been known as SCCM, MECM and, today, simply CM (Configuration Manager).


System Policy and poledit.exe were an interesting NT-era precursor to our long-running and very effective Group Policy system.


And the “Johnny Come Most-recently” to our endpoint management party is Intune. 

  • To me, for some odd reason, it still ‘feels' like Intune is new?  It's been around for well over 10 years.  


I visualize this like a jigsaw puzzle, with the different pieces representing the different Windows endpoint management paradigms:


None of these are exclusionary – you can weave each of these into your endpoint management tapestry.

  • Using ConfigMan?
    • That's fine – CM is great, but it requires considerable infrastructure and a deep, specialized skillset
  • Using GPOs?
    • That's fine – GPOs are great, though as we know, the world continues to move ‘beyond the LAN'
  • Using Intune?
    • That's fine – Intune is great and keeps evolving/expanding – we are investing the majority of our time/resources here
  • Using a mix?
    • That's fine – we have great/expanding interop, but as we all know, just because ‘you can' doesn't mean ‘you should' – and aiming for ‘simple over complex' almost always serves you better

Building on the jigsaw above, Tenant Attach, Co-management and the Cloud Management Gateway (CMG) give us something like this:


IMPORTANT: I mentioned above that none of these are exclusionary, but you must be ‘operationally crisp' to avoid cross-tool conflicts.  Whatever you do, do it well.  It is entirely possible (and quite common) to have accidental overlap and/or conflicting policies across tools.

  • For example, a setting could be defined via a GPO and the same setting (but perhaps with a different value) defined via Intune; the device then ends up with whichever value the last-applied engine wrote, and gpresult alone won't tell you the MDM side exists
  • There is a setting that looks like it should solve this – ControlPolicyConflict/MDMWinsOverGP in the Policy CSP (usually referred to as MDMWinsOverGPO) – but it only applies to settings that live in the Policy CSP.  The Policy CSP covers a lot of settings, but there are LOTS of other CSPs it does nothing for; today, we generally recommend against relying on it.
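An added example, not from the original post, of how you might find that overlap on a single device rather than discovering it in a support ticket. The MDM client writes Policy CSP values under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>, while Group Policy writes its ADMX-backed settings under HKLM:\SOFTWARE\Policies. The script reads both locations for a short mapping table and reports where the two tools agree, disagree, or only one is configured. The two mappings in the table (Experience/AllowCortana and System/AllowTelemetry) are illustrative assumptions with matching value semantics; many Policy CSP to ADMX pairs do not map 1:1, so confirm each pair against the Policy CSP reference before adding it.

```powershell
# Added example (not from the original post): report GPO vs. MDM overlap for a
# handful of settings on the local device. Run elevated on a Windows endpoint.

$MdmRoot = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# Illustrative mapping table (assumption): Policy CSP Area/Policy on the MDM side,
# and the registry key/value that the equivalent ADMX policy writes on the GPO side.
# Both pairs below happen to use the same value meanings (0/1, 0-3); do not assume
# that holds for other settings without checking the Policy CSP documentation.
$PolicyMap = @(
    @{ Area = 'Experience'; Policy = 'AllowCortana'
       GpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'; GpoValue = 'AllowCortana' },
    @{ Area = 'System';     Policy = 'AllowTelemetry'
       GpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';  GpoValue = 'AllowTelemetry' }
)

function Get-RegistryValueOrNull {
    # Returns the value, or $null when the key or the value name does not exist.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PolicyOverlap {
    param([array]$Map = $PolicyMap)

    # MDMWinsOverGP only changes the outcome for Policy CSP settings, so it is
    # reported for context rather than treated as a resolution.
    $mdmWins = Get-RegistryValueOrNull -Key "$MdmRoot\ControlPolicyConflict" -Name 'MDMWinsOverGP'

    foreach ($entry in $Map) {
        $mdmValue = Get-RegistryValueOrNull -Key "$MdmRoot\$($entry.Area)" -Name $entry.Policy
        $gpoValue = Get-RegistryValueOrNull -Key $entry.GpoKey -Name $entry.GpoValue

        $state = if ($null -eq $mdmValue -and $null -eq $gpoValue) { 'NotConfigured' }
                 elseif ($null -eq $gpoValue)                      { 'MdmOnly' }
                 elseif ($null -eq $mdmValue)                      { 'GpoOnly' }
                 elseif ($mdmValue -eq $gpoValue)                  { 'BothAgree' }
                 else                                              { 'Conflict' }

        [pscustomobject]@{
            Setting       = "$($entry.Area)/$($entry.Policy)"
            MdmValue      = $mdmValue
            GpoValue      = $gpoValue
            State         = $state
            MdmWinsOverGP = $mdmWins
        }
    }
}

# 'Conflict' rows are the ones to chase: decide which tool owns the setting and remove it from the other.
Get-PolicyOverlap | Format-Table -AutoSize
```

Treat 'BothAgree' rows as overlap too: they are harmless today, but the first time one side is edited they become conflicts. The fix is ownership (one tool per setting), not MDMWinsOverGP.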

From a high-level, process standpoint, I put together a visual to help me make better sense of endpoint management options:


For YEARS, many customers have been telling us how much they rely on GPOs – so much so that they were effectively ‘blocked' from getting to Intune for management of their Windows PCs.  You may know about these next two items, but you may not, or perhaps it didn't quite ‘set in':

  1. You can import existing GPOs to Intune via Group Policy Analytics
    • The GPO's settings are automatically evaluated for comparable MDM settings
    • You can click ‘Import' to generate an Intune policy based on that
      • That can be used ‘as is' or edited as needed
    • I realize this solution may not be 100% but nothing is – don't let the lack of ‘perfection' stop you from getting to ‘good'
    • PRO TIP #1 – you can import ‘any' GPO backup (i.e. not only the ones from your AD).  For example, industry-standard CIS ‘Benchmark' GPOs can be downloaded from the CIS WorkBench site, then imported into Intune and used to auto-generate Intune policies (thanks to Arnab for this tip).
    • PRO TIP #2 – factor in some time to review/rationalize your AD GPOs for ‘technical debt' – I'd bet $1 of Arnab's money that you have at least some old (or even ancient) GPOs – don't aim to bring ‘everything' forward
  2. Today, right now, as you read this, Intune has GREAT coverage of thousands of ADMX-backed settings directly in the portal (the Settings Catalog)

  • Aim for simple
  • Microsoft will try to meet you where you are
  • Don't confuse ‘You can' with ‘You should'
  • Plan for the future (even if you're still on-prem now, what does 1-2 years out look like?)
  • The future is now
  • Goto line 1
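An added example, not from the original post, for PRO TIP #2 and the import step that follows it: triage the AD GPOs for technical debt first, then take backups of only the keepers, since a GPO backup folder is what Group Policy Analytics consumes. It uses the GroupPolicy RSAT module (Get-GPO, Get-GPOReport, Backup-GPO) from a domain-joined admin session. The three-year staleness threshold and the C:\GPOBackups path are assumptions; the triage rules (unlinked, empty, all settings disabled, not modified recently) are suggestions, not a verdict, and a human should still look at each 'Review/retire' row.

```powershell
# Added example (not from the original post): find GPO technical debt and back up
# the GPOs worth bringing forward for import into Intune Group Policy Analytics.
Import-Module GroupPolicy

function Get-GpoTriage {
    param([int]$StaleYears = 3)   # assumed threshold; tune for your environment
    $staleBefore = (Get-Date).AddYears(-$StaleYears)

    foreach ($gpo in Get-GPO -All) {
        # The XML report includes where the GPO is linked and which settings it carries.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links       = $report.GPO.LinksTo
        $linkCount   = if ($null -eq $links) { 0 } else { @($links).Count }
        $hasSettings = ($null -ne $report.GPO.Computer.ExtensionData) -or
                       ($null -ne $report.GPO.User.ExtensionData)

        $reasons = @()
        if ($linkCount -eq 0)                         { $reasons += 'Unlinked' }
        if (-not $hasSettings)                        { $reasons += 'Empty' }
        if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { $reasons += 'AllSettingsDisabled' }
        if ($gpo.ModificationTime -lt $staleBefore)   { $reasons += "NotModifiedIn${StaleYears}Years" }

        [pscustomobject]@{
            Name      = $gpo.DisplayName
            Id        = $gpo.Id
            Links     = $linkCount
            Modified  = $gpo.ModificationTime
            Recommend = if ($reasons.Count -gt 0) { 'Review/retire' } else { 'Bring forward' }
            Reasons   = ($reasons -join ', ')
        }
    }
}

function Export-GpoForAnalytics {
    # Backs up only the 'Bring forward' GPOs; each backup folder can then be
    # uploaded to Group Policy Analytics in the Intune admin center.
    param([string]$Path = 'C:\GPOBackups')   # assumed path
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    Get-GpoTriage | Where-Object Recommend -eq 'Bring forward' | ForEach-Object {
        Backup-GPO -Guid $_.Id -Path $Path -Comment 'For Intune Group Policy Analytics import' | Out-Null
        $_
    }
}

# Review the triage first; run Export-GpoForAnalytics once you agree with the 'Bring forward' set.
Get-GpoTriage | Sort-Object Recommend, Name | Format-Table -AutoSize
```

Keeping the backups to the rationalized set means Group Policy Analytics reports the MDM-support percentage for what you actually intend to migrate, instead of for a decade of accumulated policy.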

I work with a lot of customers and many ask for help with getting further along on their endpoint management journey.  We have multiple levels/types of assistance:

  • Self-help – we recently published some very thorough guidance – an Intune deployment framework doc and a detailed Intune migration guide.  Both are yours for the taking:
  • FastTrack – the FastTrack Center has a lot of very experienced IT Pros who have helped many orgs, a little or a lot, with their M365 efforts:
  • Unified Support – you can use resources available from your Microsoft Support contract, if you have one
    • Check with your Microsoft Support contact

I think I heard someone in the back yell out, “HEY!  What about the servers?” 


In my experience, that's usually covered by a different team with a much different set of conditions, constraints and variables.  That said, I realize our ‘endpoint modernization' story is a good one, and so it's attractive for the server management team, too.


We have some “different yet good” news there, but that's a story for another day…



A series recap (so far):

  1. The Twelve Days of Blog-mas: No.1 – A Creative Use for Intune Remediations – Microsoft Community Hub
  2. The Twelve Days of Blog-mas: No.2 – Windows Web Sign in and Passwordless – Microsoft Community Hub
  3. The Twelve Days of Blog-mas: No.3 – Windows Local Admin Password Solution (LAPS) – Microsoft Communi…
  4. The Twelve Days of Blog-mas: No.4 – Sync Cloud Groups from AAD/Entra ID back to Active Directory – M…



This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.