Background
The device estate had grown faster than anyone had managed it. SCCM covered the office-based machines — more or less. The remote workforce had nothing. Nobody knew the actual state of the fleet with any confidence, and patch compliance was tracked in spreadsheets that most people didn't trust.
A regulatory audit made the gap official: the organization couldn't demonstrate that its device fleet met the minimum baseline required under its compliance framework. That created a hard deadline.
Anil Choudhary led the architecture, deployment, and operational handover of the endpoint management platform.
The Challenge
Fragmented Management Coverage
The device estate had no single source of truth:
- SCCM was deployed but only covered devices on the corporate network — remote workers were out of scope
- No MDM solution was in place for cloud-native management
- Device inventory was maintained manually and was known to be inaccurate
- Multiple teams managed different subsets of the fleet with no shared tooling or standards
Patch Compliance Below Threshold
Patch management was the most critical compliance gap:
- Windows Update policies were configured inconsistently across different SCCM site systems
- Remote devices had received no patches since the shift to hybrid working
- The organization could not produce a compliant patch report — no tooling existed to query compliance state across the full fleet in one view
- Critical vulnerability remediation required manual identification and manual deployment
Manual and Slow Device Onboarding
The existing onboarding process took 2–3 days per device:
- IT technician reimaged the device manually
- User collected the device in person or waited for courier delivery
- SCCM client was installed manually if the device would be office-based
- Software was deployed via SCCM collections — further delays if the device was offline during deployment windows
For a financial services organization hiring at scale, this was a significant operational burden.
No Conditional Access Enforcement
Corporate resources — email, SharePoint, internal applications — were accessible from any device regardless of its compliance state. A device that had not received a security patch in six months could access the same resources as a fully compliant machine. This was an unacceptable risk posture under the organization's compliance requirements.
Architecture
The solution was built on Microsoft Endpoint Manager (Intune + SCCM co-management) with three key pillars: zero-touch enrollment, automated remediation, and compliance-gated access.
Co-Management Architecture
Rather than replacing SCCM immediately, a co-management model was introduced that allowed both tools to operate in parallel during the transition:
Microsoft Endpoint Manager Admin Center
├── Intune (cloud-native MDM)
│ ├── Windows Autopilot profiles
│ ├── Compliance policies
│ ├── Configuration profiles
│ └── Conditional Access integration
└── SCCM (on-premises CMG)
├── Legacy software deployment
├── On-premises network workloads
└── Co-management enrollment for existing devices
Co-management workloads were progressively shifted to Intune over the engagement duration. By the end, all compliance evaluation, configuration policy, and Windows Update management were handled by Intune, with SCCM retained only for legacy application deployment.
Windows Autopilot: Zero-Touch Enrollment
Autopilot transformed device onboarding from a 2–3 day manual process to a 45-minute self-service experience:
- Devices are registered in Autopilot by hardware hash (done by the OEM or captured at staging)
- User powers on the device and signs in with their corporate credentials
- Autopilot applies the assigned deployment profile automatically
- Intune delivers all configuration policies and required applications in the background
- Device is ready for use — no IT technician involvement required
# Bulk Autopilot registration from existing devices
Get-WindowsAutoPilotInfo -OutputFile AutopilotHWIDs.csv -Append
# CSV uploaded to Intune > Devices > Windows > Windows Enrollment > Devices
Deployment profiles were configured per persona:
| Profile | Group | Settings |
|---|---|---|
| Standard Employee | All Corporate Users | ESP, rename, Office deployment |
| Power User | IT / Finance | Additional tools, elevated local admin |
| Kiosk | Shared Devices | Single-app kiosk mode |
Compliance Policies
Device compliance policies defined the minimum security baseline required to access corporate resources:
{
"passwordRequired": true,
"passwordMinimumLength": 12,
"storageRequireEncryption": true,
"osMinimumVersion": "10.0.19041",
"defenderEnabled": true,
"defenderSignatureUpdateWithinDays": 3,
"activeFirewallRequired": true,
"tpmRequired": true
}
Devices failing any compliance check were marked non-compliant and given a 24-hour grace period to remediate before Conditional Access blocked access.
PowerShell Remediation Scripts
Automated remediation handled the most common compliance failures without requiring user action:
# Remediation: Enable BitLocker if not active
$status = Get-BitLockerVolume -MountPoint "C:"
if ($status.ProtectionStatus -ne "On") {
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 `
-RecoveryPasswordProtector -SkipHardwareTest
Write-Host "BitLocker enabled — recovery key escrowed to AAD"
}
# Remediation: Force Windows Defender signature update
$defender = Get-MpComputerStatus
if ($defender.AntivirusSignatureAge -gt 3) {
Update-MpSignature
Write-Host "Defender signatures updated"
}
Detection scripts ran every 8 hours; remediation scripts triggered automatically on compliance failure. The cycle from non-compliant detection to automatic remediation was under 2 hours for the most common failure types.
Conditional Access Integration
Three Conditional Access policies were configured to gate access based on device compliance state:
| Policy | Condition | Access Decision |
|---|---|---|
| Corporate Apps - Compliant Required | Any device accessing M365 | Block if non-compliant |
| High Sensitivity Data | Finance / HR apps | Require compliant + MFA |
| Admin Portal Access | Azure AD / Intune admin | Require compliant + MFA + named location |
Non-compliant devices received a self-service remediation page explaining what needed to be fixed and linking to the IT help documentation — reducing helpdesk tickets.
Patch Management
Windows Update for Business ring-based deployment replaced manual SCCM patch deployment:
| Ring | Target | Deferral | Population |
|---|---|---|---|
| Pilot | IT department | 0 days | 50 devices |
| Early Adopters | Volunteers | 3 days | 500 devices |
| Standard | All employees | 7 days | 8,500 devices |
| Deferred | Critical systems | 21 days | 950 devices |
Compliance reporting was automated via Azure Monitor Workbooks querying Intune telemetry — the organization could produce a full patch compliance report for the fleet in under 30 seconds.
Operational Outcomes
| Metric | Before | After |
|---|---|---|
| Patch compliance | Below 40% | 98% within 30 days |
| Device onboarding time | 2–3 days | 45 minutes (self-service) |
| Compliance report generation | Manual, 2–3 days | Automated, under 30 seconds |
| Remote device management coverage | 0% | 100% |
| Non-compliant device access to corporate apps | Unrestricted | Blocked via Conditional Access |
| IT helpdesk tickets for device onboarding | High | Reduced significantly via self-service |
| Defender signature currency | Unmonitored | Enforced — max 3 days old |
The platform gave the organization both the operational tooling and the audit evidence it needed. Every device, every patch state, every policy application — logged and queryable from a single admin center. The compliance story went from "we think we're mostly covered" to a report generated in under 30 seconds.
