It’s been over a year since our initial post about enabling Co-Management. Several improvements have been made so it’s worth revisiting the Co-Management SCCM 1902 topic.
Co-Management SCCM 1902 Prerequisites
- Azure Subscription
- Azure Active Directory Premium
- Microsoft Intune subscription OR Enterprise Mobility + Security (EMS) subscription
- Client computers that are Hybrid Azure AD joined (domain + AAD joined) using Azure AD Connect.
Enable SCCM 1902 Co-Management
- Navigate to Administration / Cloud Services / Co-Management and select Configure Co-Management
- Click Sign In to enter your Intune credentials.
- After signing in, click Next.
- Configure Automatic enrollment in Intune. Select None or Pilot at this time. You can change this setting and select your pilot collection later.
- Select Pilot then click Next.
- Configure Workloads lets you choose which workloads will be managed by which system – Configuration Manager or Intune. Don’t change any settings at this time and click Next.
- Full list of workloads from the wizard:
- The Configure the roll-out collections step lets you select the collection to use for deploying Co-Management. In this example, we selected our Co-Management Piloting collection.
- Click Next.
- On the summary screen, click Close.
- Back in the console, verify that Co-Management appears. This is where you go to configure Co-Management workloads and targeted collections.

Enroll Windows 10 1903 Client Into Intune for Co-Management
Client Settings
The Client Cloud Services node in the client settings policy allows you to configure devices to automatically register in Azure Active Directory instead of using a GPO as was previously necessary.
- Open a Client Settings policy and select Cloud Services.
- Set Automatically register new Windows 10 domain joined devices with Azure Active Directory to Yes then click OK.

Intune Auto Enrollment
- In your Intune tenant, navigate to Device Enrollment > Windows Enrollment.
- Change MDM user scope to Some or All – if you choose Some, you will have to specify an AAD User Group.
- NOTE – If you enable MDM and MAM for the same group, only MAM is enabled for those users and they will not auto enroll in Intune.
Assigning Licenses
You must also be sure to assign an Intune license to any user who will use a co-managed device.
- Navigate to Azure Active Directory > Licenses > All Products
- Select the product with Intune licenses – in this case, Enterprise Mobility + Security E3.
- Select Licensed users or Licensed groups then select Assign to select a user or group to assign to.

- Select the License you want to assign
- Click Configure required settings then select the product license you want to assign then click Select.

- Click Assignment Options
- Make any needed change to License options and click OK then click Assign.
Auto-Enrollment Verification
To verify that devices are being auto-enrolled and managed by SCCM, you can review the Devices node in Intune. The Managed By and Compliance columns will indicate whether they are managed by ConfigMgr or not.

On a Windows device, you can also check the SCCM compliance settings to verify Co-Management compliance and see the number of workloads that are managed via Co-Management.

You can also review CoManagementHandler.log in the CCM Logs folder on the client to see Co-Management related client logs.
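An added example (not from the original post): a PowerShell check to run on a pilot client that confirms the Hybrid Azure AD join prerequisite with dsregcmd /status and lists recent CoManagementHandler.log entries. It assumes the default client log path %WINDIR%\CCM\Logs and single-line log entries; the function names are illustrative.

```powershell
# Added example, not part of the original post.
# Assumption: default ConfigMgr client log folder under %WINDIR%\CCM\Logs.
$logPath = Join-Path $env:WINDIR 'CCM\Logs\CoManagementHandler.log'

function Get-JoinState {
    # dsregcmd /status prints "Name : Value" pairs; keep the two that define a hybrid join.
    $state = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $state
}

function Get-CoMgmtLogEntry {
    param([Parameter(Mandatory)][string]$Path, [int]$Last = 20)
    # ConfigMgr client logs wrap each entry as:
    #   <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    # Entries whose message spans several lines are skipped by this per-line match.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"'
    Get-Content -Path $Path -ErrorAction Stop | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                Date    = $Matches['date']
                Time    = $Matches['time']
                Message = $Matches['msg']
            }
        }
    } | Select-Object -Last $Last
}

$join   = Get-JoinState
$hybrid = $join.AzureAdJoined -and $join.DomainJoined
Write-Output ("Hybrid Azure AD joined: {0} (AzureAdJoined={1}, DomainJoined={2})" -f `
    $hybrid, $join.AzureAdJoined, $join.DomainJoined)

if (Test-Path $logPath) {
    $entries = @(Get-CoMgmtLogEntry -Path $logPath)
    $entries | Format-Table -AutoSize -Wrap
    # Flag the state reported in the comments under this post.
    if ($entries | Where-Object { $_.Message -like '*Co-management is disabled*' }) {
        Write-Warning 'Log reports co-management as disabled; check the join state above.'
    }
} else {
    Write-Warning "CoManagementHandler.log not found at $logPath"
}
```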
Moving Workloads to Intune
As I’m writing this, David James just tweeted that SCCM 1906 will likely ship in a few days. Based on past Technical Preview releases, I’m expecting multiple pilot groups for Co-Management to be added in 1906. I will write a new post on moving workloads to Intune in 1906 to include the new options in that post.

12 Comments on “How to enable Co-Management in SCCM 1902”
We have tried to follow these steps to enable co-management for a customer. However, no account used seems to have the correct level of permissions.
We have tried a Global Admin user but even then we are getting errors relating to being unable to create the AAD Application. Are there any ‘special’ permissions/rights/subscriptions that the account used needs?
Do we require a P1/Intune license for each user that the device will be provisioned to? Or do we just require the 1 P1/Intune license for a user account to administrate Intune etc?
I recently read that you no longer need to assign Intune licenses to user.
Can Win7 devices be Co Managed as well? I see the guide only references win10
If on the workloads slider bar, everything is slid to the right, what does that actually mean? Is SCCM simply ignored going forward ?
We currently see Azure AD joined devices, co managed, but when on prem – ignoring the on prem DP’s… is that correct and as per design ? thanks
Been through these [and other] instructions to set up Co-Management, but in the SCCM Client on the devices it stays as ‘CoManagement’ Disabled, not enabled. Obviously I have a custom client with “Automatically register new Windows 10 domain joined with Azure Active Directory” set to yes. Any ideas?
Hello Keith,
If your device stays on “CoManagement” Disabled, it means that your device is not under Azure in Hybrid.
Regards,
Enabled co-management with all workloads pointing to Configuration Manager, but now all devices in the pilot collection are successfully enrolled and no longer receiving group policy from our on-premises Active Directory. Unsure of where to even begin troubleshooting this issue.
I keep hearing from our Microsoft account rep that Microsoft is moving away from co-management. Is that not the case? We are wanting to move some workloads to Intune but still keep SCCM, so I thought about co-management until they said don’t do it.
I would find a new Microsoft rep because he’s wrong. Co-Management is here to stay. In the next release of SCCM they will be adding more features to it. SCCM and Intune are being built as complementary platforms to help meet your needs. Choose which parts of each fit your business and use them.
“Co-management is disabled but expected to be enabled.”
Do I need to configure something more?