SCCM to Intune & Autopilot Migration
Full endpoint management migration from SCCM co-management to cloud-native Intune MDM with zero-touch Autopilot provisioning and Entra ID-only device identity.
Overview
At a previous employer, I led the full migration of Windows endpoint management from SCCM co-management to a fully cloud-native stack using Microsoft Intune, Windows Autopilot, and Entra ID (Azure AD). The goal was to eliminate on-premises SCCM dependency, modernize device provisioning to zero-touch Autopilot, and move to Entra ID-only device join — removing the need for hybrid Azure AD join entirely.
This involved rebuilding the entire device lifecycle from scratch: enrollment profiles, compliance policies, app deployment, branding, endpoint security, and break-glass recovery — all delivered through Intune with no SCCM fallback.
Migration Phases
Entra ID-Only Device Identity
Moved all new device provisioning to Entra ID join (cloud-only), eliminating the hybrid Azure AD join requirement that SCCM co-management depended on. Configured Autopilot deployment profiles targeting the Entra ID device group, with user-driven provisioning mode and Enrollment Status Page (ESP) to gate desktop delivery until all critical apps were installed.
Autopilot Branding Package
Built a custom Win32 app package based on the AutopilotBranding framework (Michael Niehaus) to apply corporate branding during ESP before the user ever reaches the desktop. The package handled:
- Corporate wallpaper and lock screen deployment
- Taskbar pinning via TaskbarLayoutModification.xml (File Explorer, Teams, Outlook, Chrome, Edge)
- Windows 11 Start Menu layout via exported Start2.bin and settings.dat
- OEM support info (IT helpdesk branding in Settings → System → About)
- Search bar configured to icon-only mode
Packaged with IntuneWinAppUtil.exe, deployed as Required to the Autopilot device group, and added to ESP blocking list to ensure branding applied before user login.
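The taskbar-pinning step above is the one most people get wrong, because a malformed layout file is ignored silently and the user simply gets the default pins. The following is an added example, not code from the AutopilotBranding package or from the project described on this page: it generates a Windows 11 taskbar pin list in the LayoutModification schema, validates it, and stages it in the Default user profile so that every profile created after ESP inherits the pins. The shortcut paths, the Teams AppUserModelID and the staging path are assumptions for illustration; confirm them on a reference build (Get-StartApps lists AUMIDs) before packaging.

```powershell
# Added example (not the page's own branding package). Builds a Windows 11
# taskbar pin list in the LayoutModification XML schema and stages it in the
# Default profile. Paths and AUMIDs below are assumptions; verify on a reference machine.

function New-TaskbarLayoutXml {
    [CmdletBinding()]
    param(
        # Each pin: @{ Link = '<path to .lnk>' } for Win32 apps, @{ Aumid = '<AppUserModelID>' } for packaged apps
        [Parameter(Mandatory)] [hashtable[]] $Pins,
        # Replace = only your pins; Append = Microsoft's default pins plus yours
        [ValidateSet('Replace', 'Append')] [string] $Placement = 'Replace'
    )
    $entries = foreach ($pin in $Pins) {
        if ($pin.Link) {
            $v = [System.Security.SecurityElement]::Escape($pin.Link)   # escape &, <, >, " for XML attributes
            "        <taskbar:DesktopApp DesktopApplicationLinkPath=`"$v`" />"
        } elseif ($pin.Aumid) {
            $v = [System.Security.SecurityElement]::Escape($pin.Aumid)
            "        <taskbar:UWA AppUserModelID=`"$v`" />"
        } else {
            throw 'Each pin needs either Link (.lnk path) or Aumid (AppUserModelID)'
        }
    }
    @"
<?xml version="1.0" encoding="utf-8"?>
<LayoutModificationTemplate
    xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
    xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
    xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
    xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"
    Version="1">
  <CustomTaskbarLayoutCollection PinListPlacement="$Placement">
    <defaultlayout:TaskbarLayout>
      <taskbar:TaskbarPinList>
$($entries -join "`n")
      </taskbar:TaskbarPinList>
    </defaultlayout:TaskbarLayout>
  </CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>
"@
}

function Install-TaskbarLayout {
    param(
        [Parameter(Mandatory)] [string] $Xml,
        # Assumed staging path: the Default-profile location Microsoft documents for taskbar customisation
        [string] $Path = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\Shell\LayoutModification.xml"
    )
    # Fail closed: the shell ignores a malformed file silently, so parse it before shipping.
    $doc  = [xml]$Xml
    $pins = $doc.LayoutModificationTemplate.CustomTaskbarLayoutCollection.TaskbarLayout.TaskbarPinList.ChildNodes
    if ($pins.Count -eq 0) { throw 'Layout contains no pins' }
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # UTF-8 without BOM (Set-Content -Encoding utf8 writes a BOM on Windows PowerShell 5.1)
    [System.IO.File]::WriteAllText($Path, $Xml, [System.Text.UTF8Encoding]::new($false))
    return $pins.Count
}

# Usage: the five pins from the page, with assumed shortcut locations.
$pins = @(
    @{ Link  = '%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk' }
    @{ Aumid = 'MSTeams_8wekyb3d8bbwe!MSTeams' }                                          # new Teams (assumed AUMID)
    @{ Link  = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Outlook.lnk' }
    @{ Link  = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk' }
    @{ Link  = '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk' }
)
$xml = New-TaskbarLayoutXml -Pins $pins -Placement Replace
# Dry run into %TEMP%; omit -Path to stage into the Default profile (requires SYSTEM/admin, as during ESP)
Install-TaskbarLayout -Xml $xml -Path (Join-Path $env:TEMP 'LayoutModification.xml')
```

Because the layout is applied when a user profile is first created, the file has to be in place before the user signs in, which is exactly why the branding package belongs on the ESP blocking list rather than running after the desktop appears.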
Win32 App Migration & Packaging
Migrated all SCCM-deployed applications to Intune Win32 app packages. Each app required custom install/uninstall commands, detection rules, and dependency ordering. Notable challenges included:
- Legacy 32-bit VB6/ActiveX application requiring OCX registration, resolved by bundling all 15 OCX/DLL files in the package and registering them at install time with the 32-bit regsvr32 (SysWOW64\regsvr32.exe on 64-bit Windows, since the 64-bit build cannot register 32-bit COM servers)
- Used Start-Process -PassThru -Wait for correct exit code capture on legacy installers, so the script reports the installer's real result to Intune instead of returning before setup finishes
- $PSScriptRoot used throughout so scripts resolved dependencies relative to the package location rather than hardcoded UNC paths, which do not exist on an Entra-only device with no line of sight to a file server
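The three practices above fit together in a single install script. The following is an added example, not the OCX package from this project: an Intune Win32 install script for a legacy 32-bit VB6/ActiveX application that resolves its payload via $PSScriptRoot, registers the COM components with the 32-bit regsvr32, and returns the installer's real exit code through Start-Process -PassThru -Wait. The setup.exe name, its /S silent switch, the .\com payload folder, the install root and the detection marker are assumptions standing in for the real application.

```powershell
# Added example (not the page's own OCX package). Intune Win32 install script for
# a legacy 32-bit VB6/ActiveX app. setup.exe, /S, .\com, the install root and the
# marker file are assumptions for illustration.

$ErrorActionPreference = 'Stop'
$LogDir = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs"   # picked up by Intune "Collect diagnostics"
Start-Transcript -Path (Join-Path $LogDir 'LegacyApp-Install.log') -Append | Out-Null
$exit = 1

try {
    $AppDir  = "${env:ProgramFiles(x86)}\LegacyApp"   # assumed 32-bit install root
    $Payload = $PSScriptRoot                          # contents of the .intunewin, wherever IME extracted it

    # 32-bit COM servers must be registered by the 32-bit regsvr32. The Intune
    # Management Extension is a 32-bit process, so "System32" may be redirected;
    # the SysWOW64 path names the 32-bit binary from either host bitness.
    $RegSvr32 = Join-Path $env:SystemRoot 'SysWOW64\regsvr32.exe'
    if (-not (Test-Path $RegSvr32)) { $RegSvr32 = Join-Path $env:SystemRoot 'System32\regsvr32.exe' }  # 32-bit OS

    # Run the vendor installer and capture its exit code. Without -PassThru -Wait the
    # script would fall through and report success before setup has finished.
    $setup = Start-Process -FilePath (Join-Path $Payload 'setup.exe') -ArgumentList '/S' -PassThru -Wait -NoNewWindow
    if ($setup.ExitCode -notin @(0, 3010)) { throw "setup.exe failed with exit code $($setup.ExitCode)" }

    # Copy the COM components to their final location first: regsvr32 records the
    # absolute path in HKCR, so registering from the payload folder would break once
    # IME cleans up its extraction directory.
    $ComDir = Join-Path $AppDir 'com'
    New-Item -ItemType Directory -Path $ComDir -Force | Out-Null
    Copy-Item -Path (Join-Path $Payload 'com\*') -Destination $ComDir -Force

    # /s suppresses the success/failure dialog, which would otherwise hang a
    # SYSTEM-context install with no desktop to show it on.
    $failed = foreach ($com in Get-ChildItem -Path $ComDir -File) {
        $p = Start-Process -FilePath $RegSvr32 -ArgumentList @('/s', "`"$($com.FullName)`"") -PassThru -Wait -NoNewWindow
        if ($p.ExitCode -ne 0) { "$($com.Name) (exit $($p.ExitCode))" }
    }
    if ($failed) { throw "regsvr32 failed for: $($failed -join ', ')" }

    # Marker for the Intune detection rule (file exists / version). Written last, so a
    # half-finished install is detected as "not installed" and retried.
    Set-Content -Path (Join-Path $AppDir 'installed.version') -Value '1.0.0'
    $exit = $setup.ExitCode   # 0, or 3010 so Intune schedules the soft reboot itself
}
catch {
    Write-Warning "Install failed: $_"   # lands in the transcript; Write-Error would re-throw under -ErrorAction Stop
    $exit = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $exit
```

The uninstall command is the mirror image (regsvr32 /u /s on each file from the same 32-bit binary, then the vendor uninstaller), and the detection rule should point at the marker path rather than at a registry key the installer may or may not write.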
Endpoint Security & Compliance
Rebuilt all endpoint security policies natively in Intune, replacing SCCM baselines with:
- Sophos endpoint protection deployed silently via Win32 app (--quiet --no-reboot)
- BitLocker encryption policy via Intune disk encryption profile
- Conditional Access policies enforcing compliant device requirement for M365 access
- MFA enforcement via Entra ID authentication policies
- Windows LAPS deployed via Intune for a local administrator account, providing break-glass recovery on Entra-only devices with no domain fallback (LAPS rotates and escrows the password of an existing account, so the managed account must already exist, either the built-in Administrator or one created by policy)
Device Coverage Auditing
Built a PowerShell-based cross-platform audit tool using Microsoft Graph API and the Sophos API to produce a color-coded Excel workbook showing device coverage across Intune, ConnectWise RMM, and Sophos. This replaced manual reconciliation and provided a single source of truth for identifying gaps — devices in RMM but not enrolled in Intune, missing Sophos, or inactive beyond a defined threshold.
Used an Azure App Registration with scoped Graph permissions to authenticate non-interactively. A companion script queried Entra ID and Intune for inactive devices based on last sign-in and last sync timestamps.
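The useful part of the audit and of the companion inactive-device report is the reconciliation logic: joining three inventories that spell hostnames differently and deciding what counts as a gap. The following is an added example, not the audit tool built for this project. The three inventories are constructed sample records standing in for what Microsoft Graph (Get-MgDeviceManagementManagedDevice from the Microsoft.Graph module), the ConnectWise RMM API and the Sophos Central API would return; the field names on each record are assumptions chosen for the example, so it runs offline without any tenant.

```powershell
# Added example (not the page's own audit script). Reconciles Intune, RMM and
# Sophos inventories into one coverage table with gap flags and an inactivity
# threshold. Inventories below are constructed sample data with assumed field names.

function Get-DeviceCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Intune,   # records with DeviceName, LastSync
        [Parameter(Mandatory)] [object[]] $Rmm,      # records with Name
        [Parameter(Mandatory)] [object[]] $Sophos,   # records with Hostname, LastSeen
        [int] $InactiveDays = 30,
        [datetime] $Now = (Get-Date)
    )
    # Consoles disagree on case and FQDN-ness; normalise to the bare NetBIOS-style name before joining.
    $norm = { param($n) ($n -split '\.')[0].Trim().ToUpperInvariant() }

    $intuneMap = @{}; foreach ($d in $Intune) { $intuneMap[(& $norm $d.DeviceName)] = $d }
    $sophosMap = @{}; foreach ($d in $Sophos) { $sophosMap[(& $norm $d.Hostname)]   = $d }
    $rmmMap    = @{}; foreach ($d in $Rmm)    { $rmmMap[(& $norm $d.Name)]          = $d }

    $cutoff = $Now.AddDays(-$InactiveDays)
    $all = @($intuneMap.Keys) + @($sophosMap.Keys) + @($rmmMap.Keys) | Sort-Object -Unique

    foreach ($name in $all) {
        $i = $intuneMap[$name]; $s = $sophosMap[$name]; $r = $rmmMap[$name]
        # Most recent check-in across any console that knows the device
        $lastSeen = @($i.LastSync, $s.LastSeen) | Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

        $gaps = @()
        if (-not $i) { $gaps += 'NotInIntune' }   # RMM/Sophos know it, MDM does not: no compliance, no Conditional Access
        if (-not $s) { $gaps += 'NoSophos' }      # enrolled but unprotected
        if (-not $r) { $gaps += 'NotInRMM' }
        if ($lastSeen -and $lastSeen -lt $cutoff) { $gaps += "InactiveOver${InactiveDays}d" }
        $status = if ($gaps) { 'Gap' } else { 'OK' }   # maps to red/green in the workbook

        [pscustomobject]@{
            Device   = $name
            Intune   = [bool]$i
            RMM      = [bool]$r
            Sophos   = [bool]$s
            LastSeen = $lastSeen
            Status   = $status
            Gaps     = $gaps -join ';'
        }
    }
}

# Constructed sample inventories (not real devices). LAPTOP-002 is stale in Intune and
# missing from Sophos; LAPTOP-003 is in RMM and Sophos but was never enrolled in Intune.
$now = [datetime]'2024-06-01'
$intune = @(
    [pscustomobject]@{ DeviceName = 'LAPTOP-001';            LastSync = $now.AddDays(-2) }
    [pscustomobject]@{ DeviceName = 'laptop-002.corp.local'; LastSync = $now.AddDays(-45) }
)
$rmm = @(
    [pscustomobject]@{ Name = 'LAPTOP-001' }
    [pscustomobject]@{ Name = 'LAPTOP-002' }
    [pscustomobject]@{ Name = 'LAPTOP-003' }
)
$sophos = @(
    [pscustomobject]@{ Hostname = 'Laptop-001'; LastSeen = $now.AddDays(-1) }
    [pscustomobject]@{ Hostname = 'LAPTOP-003'; LastSeen = $now.AddDays(-3) }
)

$report = Get-DeviceCoverage -Intune $intune -Rmm $rmm -Sophos $sophos -InactiveDays 30 -Now $now
$report | Format-Table -AutoSize
```

In the live version the three arrays come from the APIs (Graph under a client-credential app registration with read-only device-management permissions, ideally a certificate rather than a client secret) and $report is piped to an Excel writer with conditional formatting on the Status column. Filtering the same output on the Inactive flag is the inactive-device report; no separate join is needed.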
Key Scripts & Automation
AutopilotBranding Package
Win32 app package applying wallpaper, lock screen, taskbar, Start Menu, OEM info, and search settings during Autopilot ESP before first login.
PowerShell · XML · IntuneWinAppUtil
OCX Registration Package
Bundled 15 legacy OCX/DLL files with a registration script using 32-bit regsvr32 and PSScriptRoot-relative paths for clean Intune deployment.
PowerShell · regsvr32 · Win32 App
Device Coverage Audit
Cross-references Intune, ConnectWise RMM, and Sophos via Graph API and Sophos API. Outputs color-coded Excel workbook showing coverage gaps and inactive devices.
PowerShell · Microsoft Graph · Excel
Inactive Device Report
Queries Entra ID and Intune via Graph for devices inactive beyond a configurable threshold based on last sign-in and last sync timestamps.
PowerShell · Microsoft Graph · Entra ID
Outcomes
- ✓ Full SCCM decommission — all endpoint management moved to Intune with no co-management fallback
- ✓ Zero-touch Autopilot provisioning — new devices ship directly to users, fully configured on first boot
- ✓ Consistent corporate branding applied to every device before user login via ESP-blocked Win32 app
- ✓ Legacy application compatibility maintained on cloud-native devices via packaged OCX registration
- ✓ Break-glass recovery on Entra-only devices via Windows LAPS with no domain dependency
- ✓ Full device coverage visibility via automated audit across Intune, RMM, and Sophos