With the release of SCCM 1710, one of the key new features is the SCCM Co-Management possibility with Microsoft Intune. Comanagement enables some interesting features like conditional access, remote actions with Intune, and provisioning using AutoPilot. You can decide which feature is managed by which platform (SCCM or Intune). This is great to slowly phase into Intune.
There are two main paths to reach to co-management:
- Windows 10 and later devices managed by Configuration Manager and hybrid Azure AD joined get enrolled into Intune
- Windows 10 devices that are enrolled in Intune and then install with the Configuration Manager client
We will describe how to enable co-management and enroll an SCCM-managed Windows 10 device into Intune.
SCCM Co-Management Prerequisites
- SCCM 1710 or later
- Azure AD Subscription
- EMS or Intune license for all users
- Azure AD automatic enrollment enabled
- Following our blog post, only configure Azure AD. Do not follow instructions for Windows 10, those options have changed between 1703 and 1709.
- Intune subscription (MDM authority in Intune set to Intune)
- See our post to change the MDM authority from SCCM to Intune
- Windows 10 1709 or higher
- Client computer using Hybrid Azure AD Joined (domain + AAD joined)
Concept of SCCM 1710 Co-Management
Microsoft provides a great diagram that explains how the workload is managed when co-management is activated.
The co-management provides the ability to offload some workload to Intune. There are 3 categories of workloads :
- Device Compliance which replaces the Compliance Policies from SCCM
- Resource Access Policies which replace the Company resource access from SCCM
- Windows Update for Business which replaces the ability to manage updates from SCCM using the Software Update Point
Once a workload is offloaded to Intune, SCCM no longer manages those settings on the Windows client.
The co-management is designed to allow administrators to Pilot to specific computers before completely offloading a workload to Intune, allowing a smooth transition.
Enable SCCM 1710 Co-Management
Here’s how to enable SCCM co-management.
- Go to Administration / Cloud Services / Co-Management and select Configure Co-Management
- Enter your Intune Credentials
- Select who can Automatic Enroll in Intune
- We strongly recommend beginning with Pilot. This will require selecting a collection to limit allowed computers only
- This can be changed later when ready to production roll-out
- Configure the Workloads
- This can be left to all SCCM for now and adjusted later on
- Select a computer collection to be used for pilot
- Summary, click Next
- Co-Management is then enabled
- Under Properties / Enablement, the Automatic enrollment can be changed from Pilot to Production
- Under Properties / Workloads, it’s possible to set the slider for the different workloads and assign them to Pilot or Intune
Before changing any workload to pilot, it’s time to enroll a computer into Intune, while still managed by SCCM.
Enroll Windows 10 1709 client into Intune for Co-management
- The first step is to enable the GPO to enable Auto MDM Enrollment with AAD Token
- Location : Computer Configuration/Administrative Template/Windows Components/MDM
Important Info
If you don’t see the GPO, your Central store needs to be updated with the latest ADMX from Windows 10 1709
- Next, add the computer to the Pilot collection for Co-Management
- After the next machine policy update, the client will begin to enroll.
- On the client, the CoManagementHandler.log will provide the details.
- Note that during our testing, this took a while to get going in the logs. Many errors show up before it works correctly, without changing a thing. Patience is key.
After a little while (hours) the client will change from MDM – none to MDM – Intune
Before MDM managed
After MDM managed
It will eventually report that the device is managed by MDM/ConfigMgr Agent
At that point, it’s time to configure Intune policy to eventually switch Workloads
More details about switching workload to Intune on Microsoft learn.
11 Comments on “How to enable SCCM Co-Management”
Hey SC Dudes,
we are working on different features of SCCM in our organization, and also some of our colleague getting their hands dirty on Inutne and autopilot, however while looking at SCCM Co management feature I observed that it has functionality to shift the workload to intune. My question is when Microsoft announced that from Sept1, 2019 they will retire the Hybrid MDM service offering and asking users to move from Hybrid MDM to Intune standalone, then in this case how different the “Co-Management” feature is ? Co-management is also working as hybrid which allows to perform some task using Configuration manager and shifting some task of CM to intune. Then will this feature also deprecated soon ? or Co-management is altogether different theory ?
Regards,
Suraj
Hi Jonathan,
Is there a blog that I can follow for the second path?
> 2. Windows 10 devices that are enrolled in Intune and then install with the Configuration Manager client.
Hello,
I have similar problem like James have: “Have enrolled a device, it says that it is managed by MDM/ConfigMgr Agent but the Azure AD Device MDM is still set to none.”
It’s been more than two weeks and status still not changing.
Additionally did some tests and confirm that workstations are receiving Windows Update for Business policy from Intune.
No Idea, why co-management keeps failing at error MDM enrollment failed with error code 0xcaa9001f
Hi,
any ideas what might be the reason if SCCM is not saving the configuration for staging or enablement?
Greetings
Jan
If i have a Windows 10 1709 ‘traditional workgroup’ device and then Azure AD Join it so that’s managed via Intune . Is there a paper on how to make it Co-Managed and Manage it via SCCM.
Windows 10 Co-Management works fine on traditional AD joined and managed via SCCM, just not the other way.
Thanks Jonathan. So we meed to enable hybrid aad devices and also use the auto mdm enroll gpo? Thats not really #just4clicks #fliptheswitch
Have enrolled a device, it says that it is managed by MDM/ConfigMgr Agent but the MDM is still set to none.
I have a question I hope you can answer. If we have on-prem AD joined Windows 10 device and have setup co-management do we have to configure (1) “hybrid Azure Active Directory joined devices” or (2) configure the GPO “Enroll a Windows 10 device automatically using Group Policy” or (3) does the ConfigMgr client do this and registers the device?
Secondly when we have on-prem AD joined Windows 10 device and have setup full co-management with client management gateway and cloud distribution point, and the device is off network for more than 30 days does the computer account/password expire or is this mitigated by the management gateway/internet facing?
Hi Rkast,
#1 Computer must be Hybrid AD and AAD joined, there a link in the pre-req section. It also require the auto-enroll policy. and finally no the SCCM client is not taking care of any of that.
#2 Cloud management gateway/DP have nothing to do with AD/AAD. They only serve for SCCM purpose.
Thanks
Jonathan
I can confirm that I had to set with GPO to get my devices to enroll. The device sat with the Co-management AutoEnrollment setting for 1 day, with reboot to no avail. Once GPO was configured, GPUPDATE /FORCE and reboot, the machine showed as co-managed.
Vote on User Voice to see that this is address by explanation, documentation or feature change!
https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/35824729-co-management-settings-do-not-set-the-enable-auto