Co-management for Windows 10 Devices

by David Maiolo 2018-03-2018

Overview Co-management for Windows 10 Devices

Starting with Configuration Manager 1710, co-management allows you to concurrently manage Windows 10 1709 devices by using both Configuration Manager and Intune. It is a solution that provides a bridge from traditional to modern management and allows a phased transition between the two products.

There are two major paths you can take to co-management:

  • Configuration Manager provisioned co-management: Windows 10 devices that are managed by Configuration Manager and hybrid Azure AD joined get enrolled into Intune.
  • Intune provisioned co-management: Windows 10 devices that are already enrolled in Intune get the Configuration Manager client installed, which brings them into a co-managed state.

Prerequisites:

  • Configuration Manager version 1710 +
  • Windows 10 1709 (Fall Creators Update) devices
  • Azure AD
  • EMS or Intune license for all users
  • Azure AD automatic enrollment enabled
  • Intune subscription (MDM authority in Intune set to Intune)
  • If Configuration Manager client is installed: Hybrid Azure AD joined (joined to AD and Azure AD)
  • If Configuration Manager client is NOT installed: Cloud Management Gateway

Hybrid vs Co-Management

Although they sound similar, they are not the same thing. Co-management lets you concurrently manage devices in both Intune and Configuration Manager Console. Hybrid MDM with Configuration Manager integrates Intune’s MDM capabilities into Configuration Manager. In Hybrid, you can no longer use the Intune console.

If you have a hybrid MDM environment, you cannot enable co-management. You would need to first migrate to Intune standalone.

What Intune Can Manage with Co-Management

Once co-management is enabled, Configuration Manager still performs all of the traditional tasks that it always has. Now, Intune can also manage:

  • Compliance Policies (compliance for Conditional Access)
  • Windows Update for Business Policies
  • Resource Access Policies (policies which configure VPN, email and certificate settings)

Intune can also perform the following remote tasks on the Windows 10 devices:

  • Factory reset
  • Selective wipe
  • Delete devices
  • Restart device
  • Fresh start

How to Enable Co-Management

Co-management can be enabled for Windows 10 devices both when they are enrolled in Intune and when they are existing Configuration Manager clients. Either path results in a Windows 10 device concurrently managed by Configuration Manager and Intune (as well as joined to both AD and Azure AD).

Windows 10 Devices enrolled in Intune

When devices are enrolled in Intune first, you can install the Configuration Manager client on the devices by creating a new line-of-business app in Intune and using your ccmsetup.msi file with the following command line (a single line; the whole quoted CCMSETUPCMD value carries the client installation properties, and every <…> placeholder is replaced with the value for your environment):

ccmsetup.msi CCMSETUPCMD="/mp:<URL of cloud management gateway mutual auth endpoint> CCMHOSTNAME=<URL of cloud management gateway mutual auth endpoint> SMSSiteCode=<Sitecode> SMSMP=https://<FQDN of MP> AADTENANTID=<AAD tenant ID> AADTENANTNAME=<Tenant name> AADCLIENTAPPID=<Server AppID for AAD Integration> AADRESOURCEURI=https://<Resource ID>"

Then, you enable co-management from the Configuration Manager console.

Brand New Windows 10 Devices

For new devices you can use Windows AutoPilot to configure the Out of Box Experience (OOBE), which includes automatic enrollment that enrolls devices in Intune.

First, create a new Windows AutoPilot Deployment Program profile in Intune.

Then, find the devices you want the profile enabled for and assign the profile to those devices.

Windows 10 Configuration Manager Clients

You can enroll these devices and enable co-management from the Configuration Manager console. Configuration Manager starts automatic enrollment into Intune based on the Azure AD tenant they belong to.

Configure Configuration Manager for Co-Management

A few things are left to be done. First, we need to enable co-management in the Configuration Manager Console. Then, we need to start switching specific Configuration Manager workloads to Intune.

  1. In the Configuration Manager console, go to Administration > Overview > Cloud Services > Co-management, then click Configure co-management to open the Co-management Configuration Wizard.
  2. Sign In to your Intune tenant, and then click Next.
  3. On the Enablement page, choose either Pilot or All to enable Automatic enrollment in Intune, and then click Next.
  4. On the Workloads page, choose to switch Configuration Manager workloads to be managed by Pilot Intune or Intune, and then click Next.
  5. To enable co-management, complete the wizard.


Check compliance for co-managed devices

Use the Software Center to detect compliance for co-managed Windows 10 devices. You can check this compliance regardless of whether conditional access is managed by Configuration Manager or Intune. You can also check compliance with the Company Portal app when conditional access is managed by Intune.
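A client-side check for the state the wizard above configures and that this section describes, added here as an example (not the author's or Microsoft's code). It assumes the Configuration Manager client records its state in the CoManagementFlags registry value with the bit meanings commented in the script, and uses dsregcmd /status to confirm the hybrid Azure AD join prerequisite.

```powershell
# Added example: report a device's co-management state and check the
# hybrid Azure AD join prerequisite from the Windows 10 client itself.
# Assumption: the Configuration Manager client stores co-management state in
# HKLM:\SOFTWARE\Microsoft\CCM\CoManagementFlags, and the bit meanings below
# apply to the workloads this post lists (confirm against the documentation
# for your Configuration Manager version).
function Get-CoManagementState {
    [CmdletBinding()]
    param(
        [string]$CcmRegistryPath = 'HKLM:\SOFTWARE\Microsoft\CCM'
    )

    # Assumed bit layout: bit 0 = co-management enabled; the other bits mark
    # workloads switched from Configuration Manager to Intune.
    $workloadBits = [ordered]@{
        2  = 'Compliance policies'
        4  = 'Resource access policies'
        16 = 'Windows Update for Business policies'
    }

    $flags = 0
    $prop = Get-ItemProperty -Path $CcmRegistryPath -Name 'CoManagementFlags' -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $flags = [int]$prop.CoManagementFlags }

    $intuneWorkloads = foreach ($bit in $workloadBits.Keys) {
        if (($flags -band $bit) -ne 0) { $workloadBits[$bit] }
    }

    # dsregcmd /status prints the join state; hybrid Azure AD joined means
    # both DomainJoined and AzureAdJoined report YES.
    $dsreg = dsregcmd /status 2>$null
    $azureAdJoined = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES' -Quiet)
    $domainJoined  = [bool]($dsreg | Select-String -Pattern 'DomainJoined\s*:\s*YES' -Quiet)
    $enabled       = (($flags -band 1) -ne 0)

    [pscustomobject]@{
        CoManagementFlags   = $flags
        CoManagementEnabled = $enabled
        IntuneWorkloads     = @($intuneWorkloads)
        HybridAzureADJoined = ($azureAdJoined -and $domainJoined)
        # A device that reports co-management enabled without being joined to
        # both AD and Azure AD is missing a prerequisite and needs attention.
        PrerequisiteWarning = ($enabled -and -not ($azureAdJoined -and $domainJoined))
    }
}

Get-CoManagementState | Format-List
```

Run it in an elevated PowerShell session on a co-managed client; an empty IntuneWorkloads list with CoManagementEnabled set to True means the device is enrolled but no workload has been switched yet.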
