Exporting SCCM Detection Rules to Intune

Certain detection rule operators and configurations available in SCCM do not have equivalents in Intune. This document outlines how detection rules are handled when they are imported from SCCM and exported to Intune using Rimo3 Workspace360.

Intune supports the same detection rule types as SCCM:

  • Windows Installer (MSI)
  • File system (File and folder rules)
  • Registry

However, not all of the operators and rule configurations available in SCCM are supported in Intune. These differences and limitations are detailed below.

Windows Installer (MSI) rules

Intune still supports Windows Installer detection rules, but only one MSI rule can be configured per application via the Intune UI, whereas SCCM allows multiple MSI detection rules to be configured. However, it is possible to add multiple MSI rules via the Graph API leveraged by Rimo3. Therefore, if multiple MSI rules are found when importing an application from SCCM, they will be exported to Intune.

Unsupported operators

Intune does not support as many operators as SCCM and, as a result, not all rules configured in SCCM can be recreated in Intune. Rules configured with the following operators will not be exported to Intune because they are not supported:

  • Between
  • One of
  • None of
  • Begins with
  • Does not begin with
  • Ends with
  • Does not end with
  • Contains
  • Does not contain

If rules with an unsupported operator are found when importing from SCCM and exporting to Intune, you will be informed via the console in the respective sequences which rules will not be exported, as follows:

<Rule name> has an operator: <operator> which is not supported in Intune, the rule will not be exported to Intune.

Grouped rules

SCCM allows rules to be grouped for evaluation purposes, but Intune does not support grouping rules. Any grouped rules found when importing from SCCM will be exported to Intune, unless they use an unsupported operator or are one of multiple MSI rules. The grouping itself will not be exported, so you will need to decide which rules to keep and which to amend or remove in order to have a valid set of detection rules.

If grouped rules are found when importing from SCCM and exporting to Intune, you will be informed via the console in the respective sequences which rules are affected, as follows:

<Rule name> is part of a group, rules cannot be grouped in Intune, the rule itself will still be created.

OR operands

In SCCM, rules can be evaluated with the OR operand, but this is not supported in Intune. The OR operand affects all rules either directly or indirectly. When exporting to Intune, all supported rules will be exported, but they will be evaluated by Intune with the AND operand. You will therefore need to determine which rules to keep and which to amend or remove in order to have a valid set of detection rules.

If at least one OR operand is found when importing from SCCM and exporting to Intune, you will be informed via the console as follows:

OR operator present, the rule itself will still be created as an AND rule

Script rules

SCCM supports the following script types that can be used as a detection rule:

  • VBScript
  • JavaScript
  • PowerShell

Intune, however, only supports PowerShell scripts, so rules using VBScript and JavaScript cannot be exported.

If an unsupported script rule is found when importing from SCCM and exporting to Intune, you will be informed via the console as follows:

<Script Type> rules are not supported in Intune and cannot be exported, only PowerShell scripts are supported as a detection rule in Intune.

You can use your preferred AI to assist in converting scripts to PowerShell, but be sure to thoroughly test new scripts before using them in production.
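
The combined effect of the limitations above, as an added example (not Rimo3 or Microsoft code): a PowerShell model that classifies a constructed rule set using this page's rules and compares the SCCM OR result with the AND result Intune would compute for the rules that survive the export. The column names, the sample rules and the note wording are assumptions made for the illustration.

```powershell
# Operators this page lists as not supported in Intune.
$UnsupportedOperators = 'Between', 'One of', 'None of', 'Begins with', 'Does not begin with',
                        'Ends with', 'Does not end with', 'Contains', 'Does not contain'

# Constructed sample: four rules for one application, all joined by OR in SCCM.
# Column names are hypothetical; MatchesOnDevice is the rule's result on one sample device.
$rules = @'
Name,Type,Operator,ScriptType,Group,Connector,MatchesOnDevice
MSI product code,MSI,Equals,,,OR,True
App.exe version,File,Greater than or equal to,,G1,OR,False
Legacy install path,File,Begins with,,G1,OR,True
Legacy check,Script,,VBScript,,OR,True
'@ | ConvertFrom-Csv

function Get-IntuneExportPlan {
    param([Parameter(Mandatory)][object[]]$Rules)
    foreach ($r in $Rules) {
        $notes = @()
        $export = $true
        if ($r.Type -eq 'Script') {
            if ($r.ScriptType -ne 'PowerShell') {
                $export = $false
                $notes += "$($r.ScriptType) script rules cannot be exported"
            }
        } elseif ($r.Operator -in $UnsupportedOperators) {
            $export = $false
            $notes += "operator '$($r.Operator)' is not supported in Intune"
        }
        # Grouping and OR do not block the export, but they are not carried over.
        if ($export -and $r.Group) { $notes += "group $($r.Group) is not kept" }
        if ($export -and $r.Connector -eq 'OR') { $notes += 'OR is evaluated as AND' }
        [pscustomobject]@{
            Name            = $r.Name
            Exported        = $export
            MatchesOnDevice = ($r.MatchesOnDevice -eq 'True')
            Notes           = $notes -join '; '
        }
    }
}

$plan = @(Get-IntuneExportPlan -Rules $rules)
$plan | Format-Table -AutoSize -Wrap

# SCCM: every clause in the sample is ORed, so one matching rule is enough.
$sccmDetected = $plan.MatchesOnDevice -contains $true
# Intune: the exported rules are ANDed, so every exported rule has to match.
$exported = @($plan | Where-Object { $_.Exported })
$intuneDetected = ($exported.Count -gt 0) -and (@($exported | Where-Object { -not $_.MatchesOnDevice }).Count -eq 0)
"SCCM (OR) detects the app: $sccmDetected / Intune (AND) detects the app: $intuneDetected"
```

On the sample device the two results differ because only two rules are exported and one of them does not match, which is the case to look for when deciding which rules to keep, amend or remove.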