Context
The user manages an environment where SCCM (Configuration Manager) and Intune are running in co-management mode. They’re preparing to remove SCCM entirely and want all devices to automatically enroll and sync with Intune — without manual intervention or touching endpoints.
Key Questions from the Post
The original poster (OP) is seeking clarity on three main points:
- Automatic Device Sync: How can all existing Windows devices automatically connect to and stay managed by Intune once SCCM is removed?
- Pre-Removal Requirements: Should any policies, GPOs, or scripts be deployed before disconnecting SCCM to ensure devices transition smoothly?
- Azure AD + MDM Auto-Enrollment: Is enabling Azure AD join and automatic MDM enrollment sufficient for this transition, or are extra steps required for devices to stay compliant and synced?
The user emphasizes wanting a clean and seamless migration path, avoiding manual re-enrollment or user-side actions.
Technical Considerations (What Needs to Happen)
1. Understanding Co-Management States
In a co-managed setup, devices are typically SCCM clients with the Intune MDM enrollment channel enabled through the co-management policy.
When SCCM is removed:
- Devices lose the SCCM agent and therefore no longer check in with Configuration Manager.
- If MDM enrollment wasn’t configured via Azure AD or Group Policy, devices may lose their connection to Intune after SCCM removal.
2. Ensuring Automatic Intune Enrollment
To maintain automatic enrollment, you need:
- Azure AD Join or Hybrid Azure AD Join configured and verified.
- Automatic MDM Enrollment enabled under Azure AD → Mobility (MDM and MAM) for all users (or targeted groups).
- MDM user scope set to include all relevant users or devices.
If devices are Hybrid Azure AD joined, confirm the MDM enrollment GPO is configured:
Computer Configuration > Administrative Templates > Windows Components > MDM
Enable automatic MDM enrollment using default Azure AD credentials → Enabled
This ensures that once the SCCM client is uninstalled, devices enroll into Intune automatically based on their Azure AD join state.
3. Policy or Script Deployment Before Removal
Before uninstalling SCCM, consider deploying a PowerShell script or configuration baseline that:
- Validates Azure AD registration (dsregcmd /status).
- Confirms the MDM enrollment URL is present.
- Forces Intune re-enrollment if necessary, first retrying the Azure AD join and then launching MDM enrollment (two separate commands):
dsregcmd /join
start ms-device-enrollment:?mode=mdm
You can deploy this as a Compliance Baseline or via a Configuration Item in SCCM prior to removal.
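The validation script described above, written as an added example (not code from the original post). It parses dsregcmd /status, checks the Enrollments registry keys for an Intune ("MS DM Server") enrollment, and only if the device is Azure AD joined but not yet enrolled triggers the built-in auto-enrollment client deviceenroller.exe /c /AutoEnrollMDM, which the page does not mention; the exit codes let it run as a Configuration Item detection or remediation script.

```powershell
# Added example, not from the original post: readiness check for a co-managed
# device before the SCCM client is removed. Run elevated in 64-bit PowerShell.
# deviceenroller.exe /c /AutoEnrollMDM (Windows built-in, not mentioned on the
# page) is used to trigger MDM enrollment with the device's Azure AD credentials.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; collect them in a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-IntuneEnrollment {
    # An Intune MDM enrollment lives under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>
    # with ProviderID "MS DM Server"; other GUIDs there are not MDM enrollments.
    $keys = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props.ProviderID -eq 'MS DM Server') { return $true }
    }
    return $false
}

$ds        = Get-DsregStatus
$joined    = ($ds['AzureAdJoined'] -eq 'YES')
$hasMdmUrl = -not [string]::IsNullOrWhiteSpace($ds['MdmUrl'])
$enrolled  = Test-IntuneEnrollment
$summary   = 'AzureAdJoined={0} DomainJoined={1} MdmUrlPresent={2} IntuneEnrolled={3}' -f $ds['AzureAdJoined'], $ds['DomainJoined'], $hasMdmUrl, $enrolled
Write-Output $summary

if (-not $joined) {
    # No Azure AD identity: fix the (Hybrid) Azure AD join before removing SCCM.
    Write-Warning 'Device is not Azure AD joined; MDM auto-enrollment cannot succeed.'
    exit 1
}
if ($enrolled) { Write-Output 'Already enrolled in Intune; nothing to do.'; exit 0 }
if (-not $hasMdmUrl) {
    # MdmUrl is populated from the tenant MDM user scope / the MDM enrollment GPO.
    Write-Warning 'MdmUrl missing: check Azure AD Mobility (MDM and MAM) scope and the MDM GPO.'
    exit 1
}
# Joined but not enrolled: trigger the same auto-enrollment the MDM GPO schedules.
& "$env:WINDIR\System32\deviceenroller.exe" /c /AutoEnrollMDM
exit $LASTEXITCODE
```

Note that the dynamic-group rule in section 5 matches deviceTrustType "AzureAD" only; Hybrid Azure AD joined devices report "ServerAd" and would need a separate rule.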
4. Cleanup Steps After SCCM Removal
Once SCCM is gone:
- Verify that the Co-management Configuration Policy is deleted.
- Check that MDM authority in Intune is set to Microsoft Intune.
- Confirm that devices report to Intune by checking Devices > Monitor > Enrollment failures in the Intune admin center.
5. Optional: Azure AD Dynamic Group Targeting
Create a dynamic Azure AD group that captures all devices joined to Azure AD and not co-managed, for automatic policy assignment:
(device.managementType -eq "MDM") and (device.deviceTrustType -eq "AzureAD")
This ensures Intune automatically assigns compliance, configuration, and security policies to those transitioning devices.
What Happens If You Don’t Prepare
If SCCM is removed before enabling MDM auto-enrollment or ensuring devices are Azure AD joined:
- Devices may lose MDM connectivity.
- Intune will not receive new syncs.
- Manual re-enrollment (through Company Portal or script) will be required for every endpoint.
Best Practice Migration Flow
- Enable automatic MDM enrollment and confirm Azure AD joins.
- Deploy Intune management scripts to test enrollment on pilot devices.
- Monitor co-managed workloads to ensure they are fully switched to Intune.
- Uninstall the SCCM client after confirming successful syncs.
- Monitor Intune enrollment and compliance reports to ensure all devices appear correctly.