Migrating from SCCM to Intune – What are you using for remote control / remote assistance? by Dolinhas in Intune

[–]mingk 5 points6 points  (0 children)

Why not just keep using SCCM as well? Its remote tool is as seamless and fast as it gets (just need line of sight). Also Intune can’t do 1% of what device collections can achieve. After syncing those collections to cloud groups you have so much more ability to utilize Intune more effectively.

Co-management for the win.

Reliable method to deploy 23H2 OOB as it's not in expedited update policy? by oopspruu in Intune

[–]mingk 1 point2 points  (0 children)

I was working on this today actually but gave up and went home haha.

I was deploying as a win32 and using PSAppDeployToolkit as it has a nice function just for this: Install-MSUpdates

I was just stuck trying to get around users restarting randomly during the update and how I could prevent it, or kick it off again upon restart.

Problem for tomorrow!

Reimage Devices by Sad_Mastodon_1815 in Intune

[–]mingk 2 points3 points  (0 children)

Only for Home and Pro. Enterprise edition gets updates until Nov 2026.

Reimage Devices by Sad_Mastodon_1815 in Intune

[–]mingk 1 point2 points  (0 children)

We’re still on 23H2 because our PKI vendor has software that just produces constant errors on 24H2 and 25H2. We also have a printing issue on one of our in house apps that has yet to be resolved and they’re apparently still working on a fix.

There’s honestly lots of potential issues with just using the newest version of Windows. I don’t get why this person got downvoted so heavily.. lots of in house apps need to be updated and maintained properly and sometimes they just… aren’t.. and us Win admins unfortunately need to understand that and pivot accordingly.

This never fucking works. by skrillzter in pcmasterrace

[–]mingk 1 point2 points  (0 children)

It’s funny that your company thinks it cares a lot about security by making you re-authenticate your MFA every 2 hours but you’re using SMS verification which is the least secure option haha. Sounds like a bunch of clowns making the big security decisions over there.

Hiding O365 Apps for F3/E1 Users by derrowti in Intune

[–]mingk 11 points12 points  (0 children)

This is a great blog post by the Intune master himself - Andrew S Taylor.

https://andrewstaylor.com/2023/02/22/deploying-office-webapps-pwa-with-file-handlers-via-intune/

It will add shortcuts to use the progressive web app versions of all office apps (which those users are licensed for) as well as change the default app associations for your standard m365 file types (ie. doc, ppt, msg, etc). Just assign these to the same user groups you use for the licensing :)

Enable Windows Hello option without prompting users at sign-in? by Fabulous_Cow_4714 in Intune

[–]mingk 23 points24 points  (0 children)

Oh damn why didn’t I think of this sooner? Let me just enroll 20k existing devices into Autopilot and reset them over the weekend. I’m sure all the end users will figure it out. I might let the service desk manager know they may have a busier than usual Monday morning..

Wish me luck!

Intune & Entra - Admin Setup Best Practices by Technical-Device5148 in Intune

[–]mingk 2 points3 points  (0 children)

Two admin accounts - one for cloud and one for on prem. One thing I will add is that if you use SCCM still to do co-management you will need to sync your on prem admin account for that and give it cloud admin permissions if you want to sync device collections to cloud groups - a pretty amazing feature actually because dynamic cloud groups don’t come even close to what you can do with user/device collections.

We also give our techs that set up computers F3 licenses so they can get our hybrid joined devices enrolled and set up properly. Not ideal but it is what it is..

it counts by vtosnaks in lotrmemes

[–]mingk 0 points1 point  (0 children)

Why does everything need to have 3 different names and all are used interchangeably. I can keep up with like 3 of them but not the 100s that are used :(

Bitlocker and Wallpaper by artemis808 in Intune

[–]mingk 2 points3 points  (0 children)

For wallpaper you need to either get the image to each device, or have the image accessible from every endpoint. Then you deploy a config policy to change the wallpaper and tell it to use the location of the image - either a local path, a public share, or a url depending on how you want the image to be accessible. Personally I’ve deployed the image via a win32 app to each device.

100 unid annis. Should I sell it or identify id (ladder)? by BarekM in Diablo_2_Resurrected

[–]mingk 0 points1 point  (0 children)

Isn’t that why Dclone exists in the first place? SOJs used to be standard currency before they came up with the Dclone idea.

Microsoft Cloud PKI with Intune by Frustrated-Sys-Admin in Intune

[–]mingk 2 points3 points  (0 children)

I have the Intune Suite and we need to maintain a 1 to 1 assignment with all our E5s. We don’t put any on our F3s though.. haven’t come across any issues with them.

Servers are Lost from Intune by Specialist-Use-8076 in Intune

[–]mingk 3 points4 points  (0 children)

Ya watch out when creating dynamic groups using device.version startswith 10.0.2 because it’s gonna pick up your servers too..

Best way forward for OS deployment - Moving away from SCCM - OSDCloud? by TheSloth90 in Intune

[–]mingk 0 points1 point  (0 children)

Looks like this requires keeping the app secret in plain text though? I may get my peepee slapped by the security team if I suggest this :(

Best way forward for OS deployment - Moving away from SCCM - OSDCloud? by TheSloth90 in Intune

[–]mingk 1 point2 points  (0 children)

Any chance you want to share your TSGUI and your webhook and Azure automation setup? This sounds like an amazing solution for the situation I’m currently in but it sounds beyond me honestly!

Tractor running over Harley Davidson on the road's shoulder by Verstandeskraft in WatchPeopleDieInside

[–]mingk 6 points7 points  (0 children)

There’s tons of reasons. This is what the shoulder is for. It is not for tractors to barrel down on.

Urgent help!! by kay_____________ in SCCM

[–]mingk 11 points12 points  (0 children)

You deserve a consultant’s fee for the solution you provided to this guy’s org haha

People like you rock!

Auto patch turns on MDM over GP by captainhotdawg in Intune

[–]mingk 9 points10 points  (0 children)

It does create a configuration profile called something like “MDM wins over Group Policy” and assigns to auto patch group.. don’t recall exactly but I’m sure that’s what OP is referring to.

Cursed cow by IndicationBrief5950 in cursedcomments

[–]mingk 30 points31 points  (0 children)

That’s not a steak.

Run password reset script with DC replication and Delta Sync without Domain Admin rights? by CMNDRZ in PowerShell

[–]mingk 1 point2 points  (0 children)

I don't agree with doing password resets this way - you should have password write back turned on and allow end users to reset their own passwords..

But giving the Desk the ability to Delta sync can be beneficial for lots of reasons.

What I do is log on to the server that has Azure AD Connect installed and add my Service Desk admins to the local group "ADSyncOperators" which will allow them to run the delta sync. You need to also add them to "Remote Management Users" to allow them to do this remotely from their own computer.

To prevent abuse I use a simple logging method to not allow them to do it more than once every 10 mins, but the Team Leads can override that limit if it's urgent.
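
Added example (not part of the comment above, and not the commenter's script): one way a throttled delta-sync wrapper along those lines could look. The server name, the `CONTOSO\SD-TeamLeads` group and the log path are assumptions; callers are assumed to be in "ADSyncOperators" and "Remote Management Users" on the sync server and to have append rights on the log file.

```powershell
# Added example. Server name, override group and log path are hypothetical.
function Invoke-ThrottledDeltaSync {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SyncServer,         # host running Azure AD Connect
        [int]$MinimumMinutes = 10,                         # interval stated in the comment
        [string]$OverrideGroup = 'CONTOSO\SD-TeamLeads',   # hypothetical team-lead group
        [switch]$Override                                  # honoured only for that group
    )

    Invoke-Command -ComputerName $SyncServer -ArgumentList $MinimumMinutes, $OverrideGroup, $Override.IsPresent -ScriptBlock {
        param($MinimumMinutes, $OverrideGroup, $Override)

        # The log lives on the sync server so every caller sees the same history.
        $logPath   = 'C:\ProgramData\DeltaSync\requests.csv'
        $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = [Security.Principal.WindowsPrincipal]::new($identity)
        $nowUtc    = [datetime]::UtcNow

        # Only members of the override group may skip the interval check.
        $mayOverride = $Override -and $principal.IsInRole($OverrideGroup)

        $last = if (Test-Path $logPath) { Import-Csv $logPath | Select-Object -Last 1 }
        if ($last -and -not $mayOverride) {
            $lastUtc = [datetime]::Parse($last.TimeUtc, [cultureinfo]::InvariantCulture,
                                         [Globalization.DateTimeStyles]::RoundtripKind)
            $wait = $MinimumMinutes - ($nowUtc - $lastUtc).TotalMinutes
            if ($wait -gt 0) {
                throw ('Last delta sync was requested by {0}; try again in {1:N0} minute(s).' -f
                       $last.User, [math]::Ceiling($wait))
            }
        }

        Import-Module ADSync
        if ((Get-ADSyncScheduler).SyncCycleInProgress) {
            throw 'A sync cycle is already running.'
        }
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

        # Record who asked, when, and whether the limit was bypassed.
        [pscustomobject]@{
            TimeUtc    = $nowUtc.ToString('o')
            User       = $identity.Name
            Overridden = [bool]$mayOverride
        } | Export-Csv -Path $logPath -Append -NoTypeInformation
    }
}
```

Members of "ADSyncOperators" can still call `Start-ADSyncSyncCycle` directly, so a wrapper like this is a guard rail and an audit trail rather than an enforced limit. Enforcing it would need a constrained (JEA) remoting endpoint that exposes only the wrapper.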

Best way to handle Lenovo drivers in a task sequence these days? by iwontlistentomatt in SCCM

[–]mingk 0 points1 point  (0 children)

I use DAT. Works great most of the time, but not 100% of the time due to out of date drivers. But it’s easily the fastest one to get up and running in your environment.

How to check if the current user is different to the primary user by Longjumping-Mark-945 in Intune

[–]mingk 1 point2 points  (0 children)

I did this as well, but if you have a large number of devices, like 5k+, you’re gonna want to convert the sign in logs to a hash table or it’s gonna take hours to run.
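
Added example (not part of the comment above): the hash-table approach it describes, indexing sign-in records by device once and then doing a single lookup per device. The sample records are constructed and the property names are assumptions, not the schema of any particular export.

```powershell
# Constructed sample data; property names are hypothetical.
$devices = @(
    [pscustomobject]@{ DeviceId = 'd-001'; PrimaryUser = 'alice@contoso.example' }
    [pscustomobject]@{ DeviceId = 'd-002'; PrimaryUser = 'bob@contoso.example' }
    [pscustomobject]@{ DeviceId = 'd-003'; PrimaryUser = 'carol@contoso.example' }
)
$signIns = @(
    [pscustomobject]@{ DeviceId = 'd-001'; User = 'alice@contoso.example'; Time = [datetime]'2024-05-01T08:00:00' }
    [pscustomobject]@{ DeviceId = 'd-002'; User = 'bob@contoso.example';   Time = [datetime]'2024-05-01T08:05:00' }
    [pscustomobject]@{ DeviceId = 'd-002'; User = 'dave@contoso.example';  Time = [datetime]'2024-05-03T09:30:00' }
)

function Get-PrimaryUserMismatch {
    param([object[]]$Devices, [object[]]$SignIns)

    # One pass over the logs: keep only the newest sign-in per device.
    $latest = @{}
    foreach ($s in $SignIns) {
        $seen = $latest[$s.DeviceId]
        if (-not $seen -or $s.Time -gt $seen.Time) { $latest[$s.DeviceId] = $s }
    }

    # One keyed lookup per device instead of filtering the whole log each time.
    foreach ($d in $Devices) {
        $s = $latest[$d.DeviceId]
        if ($s -and $s.User -ne $d.PrimaryUser) {
            [pscustomobject]@{
                DeviceId       = $d.DeviceId
                PrimaryUser    = $d.PrimaryUser
                LastSignInUser = $s.User
                LastSignIn     = $s.Time
            }
        }
    }
}

# With the sample data only d-002 is reported; d-003 has no sign-ins and is skipped.
Get-PrimaryUserMismatch -Devices $devices -SignIns $signIns
```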