SCCM Co-Management Schema Workflow Scenarios – Architecture

This post walks through the SCCM Cloud Management Gateway (CMG) architecture and the co-management workflow scenarios it enables. Note that Microsoft has since renamed the Co-management node in the SCCM admin console to Cloud Attach.

SCCM Cloud Management Gateway (CMG) is an Azure platform service (PaaS) that lets you manage SCCM clients over the internet. From the client's point of view the CMG is its internet-facing management point, but the actual management point (MP) and software update point (SUP) roles stay on-premises; the CMG relays client traffic to them. Compared with publishing an internet-based management point in a DMZ, CMG reduces SCCM infrastructure complexity and cost.

CMG also opens up different scenarios for modern device management. We will discuss those scenarios in this post. In later posts, we will cover configuration and troubleshooting.


This is a series of posts as listed below:

  • SCCM CMG Architecture and different scenarios – Part 1
  • How to Configure CMG – Part 2
  • CMG troubleshooting Tips – Part 3


SCCM CMG High-level Architecture and Workflow

The high-level architecture of the SCCM Cloud Management Gateway is shown in the diagram below, followed by the request flow.

SCCM CMG – Schema – Architecture 1
  1. An internet-connected SCCM client sends its policy request to the CMG service in Azure over HTTPS (TCP 443). The client must trust the CMG server authentication certificate, and it authenticates to the CMG with an Azure AD device token, a PKI client authentication certificate, or a ConfigMgr site token.
  2. The CMG service hands the request to the on-premises CMG connection point. The connection point initiates and keeps an outbound connection to the CMG service, so no inbound firewall port has to be opened into the on-premises network.
  3. The CMG connection point acts as a proxy: it forwards the request to the on-premises MP and SUP and returns their responses, giving a two-way channel between the site and the CMG service.
  4. Finally, the client receives policy (and, where the CMG is also enabled for content, content) from the CMG service.

Note: Starting with SCCM 1806, the CMG can also serve content, so it acts as a distribution point for internet clients as well.
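The two things a client needs before step 1 above can succeed are a CMG it can reach on TCP 443 and a server authentication certificate it trusts for that name. The following PowerShell script is an added example (not from the original post) that checks both from an SCCM client, and then lists the management points the client knows so you can see whether the CMG shows up as its Internet MP. The CMG host name is a placeholder; replace it with your own CMG FQDN.

```powershell
# Added example: client-side checks for the CMG request flow.
# Assumption: 'cmg-contoso.cloudapp.net' is a placeholder, not a real deployment.
# Run in Windows PowerShell 5.1 on an SCCM client.
param(
    [string]$CmgHost = 'cmg-contoso.cloudapp.net',   # placeholder: your CMG FQDN or custom CNAME
    [int]$Port = 443
)

function Get-TlsServerCertificate {
    # Opens a TLS session to the CMG and returns the server-auth certificate it presents.
    # The validation callback always returns $true so the handshake completes even for an
    # untrusted chain; trust, name and validity are checked explicitly below instead.
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    }
    finally {
        $tcp.Close()
    }
}

function Test-CmgServerCertificate {
    # The checks an SCCM client effectively applies before it trusts the CMG: the name on the
    # certificate must match the CMG FQDN, the certificate must be inside its validity period,
    # and the chain must build to a root the client trusts (public CA or your internal CA).
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Cert)

    # DnsNameList is PowerShell's view of the certificate's subject alternative names.
    $names = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameMatches = $false
    foreach ($n in $names) { if ($HostName -like $n) { $nameMatches = $true } }   # -like handles wildcard certs

    $now = Get-Date
    [pscustomobject]@{
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        NotAfter     = $Cert.NotAfter
        NameMatches  = $nameMatches
        InValidity   = ($Cert.NotBefore -le $now -and $Cert.NotAfter -gt $now)
        ChainTrusted = $chainOk
        ChainStatus  = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

function Get-CcmManagementPoints {
    # Management points the client currently knows. On an internet client the CMG is listed
    # here with Access = Internet; on the intranet the on-premises MP shows Access = Intranet.
    Get-CimInstance -Namespace 'root\ccm\LocationServices' -ClassName 'SMS_ActiveMPCandidate' |
        Select-Object MP, Type, Access
}

$cert = Get-TlsServerCertificate -HostName $CmgHost -Port $Port
Test-CmgServerCertificate -Cert $cert -HostName $CmgHost | Format-List
Get-CcmManagementPoints | Format-Table -AutoSize
```

If ChainTrusted is false with a status such as UntrustedRoot, the client is missing the issuing CA of the CMG server authentication certificate, which is the usual reason an internet client never reaches step 1. NameMatches false means the certificate was issued for a different name than the one the client is configured to use.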

If you want the SCCM architecture Visio diagram, see the SCCM Architecture Visio Template Download from GitHub Throwback. The slides used in this post are also available on GitHub.

SCCM CMG Co-Management Scenarios

  • Co-management = manage Windows 10/11 with Intune and SCCM at the same time.
  • CMG = manage the SCCM client over the internet.

CMG is required in some co-management scenarios but not in all; in others it is optional.

Let us discuss the common co-management scenarios and the role of CMG in each. The easiest way to explain co-management is through "entry points."

There are two entry points into co-management.

  • Entry point 1: an on-premises, domain-joined computer that SCCM already manages is brought into the cloud (hybrid Azure AD join and Intune enrollment).
  • Entry point 2: a computer that starts in the cloud (Windows Autopilot from the OEM, Azure AD joined and Intune enrolled) gets the SCCM client and is brought under on-premises management.

Many scenarios fit each entry point. In this post, we cover a couple of scenarios for each.

SCCM CMG – Co-Management Entry Points 2

Entry point 1 – Scenario 1

SCCM CMG – Co-Management Entry Point 1 3
  • This is the most common starting point: the Windows 10 computer is domain joined and managed by SCCM only.
  • The computer is then configured for hybrid Azure AD join and enrolled in Intune, which makes it co-managed.
  • Once the machine is co-managed, individual workloads can be moved from on-premises SCCM to the cloud.
  • CMG is optional in this scenario. It is needed only if the SCCM client must also be managed while off the corporate network, over the internet.

In this scenario, the following on-premises workloads can be moved to the cloud.

  • Software updates (WSUS) -> Windows Update for Business (WUfB).
  • Group Policy settings -> Intune device configuration policies.
  • Security baselines -> Intune security baselines.
  • SCCM software distribution -> Intune app deployment.
  • SCCM Endpoint Protection -> Intune Endpoint Protection.

Starting with the SCCM 1906 production release, each workload can be switched to Intune independently for its own pilot collection, so you can move workloads one at a time and roll one back by changing its collection.

SCCM CMG – Co-Management Entry Point 1 4

Entry point 1 – Scenario 2

Initially, the Windows 10 or Windows 11 computer is domain joined and managed by SCCM only. An SCCM task sequence (Windows Autopilot for existing devices) can turn this domain-joined, SCCM-managed computer into an Autopilot computer.

SCCM CMG – Co-Management Entry Point 2 5

The built-in task sequence template for this is available from SCCM Current Branch 1810 onward.

SCCM CMG – Co-Management Entry Point 2 – Autopilot 6

As shown below, the task sequence wipes the device, applies the Windows image, and places an offline Autopilot profile in it. The offline profile is exported from Intune as a JSON file (it must be named AutopilotConfigurationFile.json and ends up under %WINDIR%\Provisioning\Autopilot on the device). We will cover how to configure this task sequence in detail later.
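Because this task sequence wipes the machine and the JSON decides which tenant the device enrolls into, it is worth validating the profile file before deploying it. The script below is an added example (not from the original post): the JSON is a constructed sample in the shape the WindowsAutopilotIntune module's Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON export produces, the tenant ID is a placeholder, and the file is written to %TEMP% only so the checks can run.

```powershell
# Added example: sanity-check an offline Autopilot profile before the task sequence uses it.
# Assumptions: the tenant ID and the JSON below are constructed placeholders; export the real
# file with Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON (WindowsAutopilotIntune module).

$ExpectedTenantId = '11111111-2222-3333-4444-555555555555'   # placeholder: your Azure AD tenant ID

# Constructed sample. CloudAssignedDomainJoinMethod 0 = Azure AD join, 1 = hybrid Azure AD join.
$SampleJson = @'
{
  "CloudAssignedTenantId": "11111111-2222-3333-4444-555555555555",
  "CloudAssignedTenantDomain": "contoso.onmicrosoft.com",
  "CloudAssignedDeviceName": "CONTOSO-%SERIAL%",
  "CloudAssignedOobeConfig": 1310,
  "CloudAssignedDomainJoinMethod": 0,
  "CloudAssignedForcedEnrollment": 1,
  "Comment_File": "Profile Autopilot Profile",
  "Version": 2049,
  "ZtdCorrelationId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}
'@

function Test-AutopilotConfigurationFile {
    # Returns the problems found (empty list = safe to stage) plus the join method the profile
    # will produce, so the file can be matched against the intended scenario before a wipe.
    param([string]$Path, [string]$ExpectedTenantId)
    $problems = @()

    # 1. Exact file name: Windows only picks up AutopilotConfigurationFile.json.
    if ([IO.Path]::GetFileName($Path) -ne 'AutopilotConfigurationFile.json') {
        $problems += 'file must be named AutopilotConfigurationFile.json'
    }

    # 2. Encoding: the file must be plain ASCII without a byte-order mark.
    $bytes = [IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems += 'file has a UTF-8 BOM; save it as ASCII'
    }
    if (@($bytes | Where-Object { $_ -gt 127 }).Count -gt 0) {
        $problems += 'file contains non-ASCII bytes'
    }

    # 3. Structure: required keys present and the tenant is the one we expect.
    $cfg = [IO.File]::ReadAllText($Path) | ConvertFrom-Json
    $required = 'CloudAssignedTenantId', 'CloudAssignedTenantDomain', 'CloudAssignedOobeConfig', 'ZtdCorrelationId', 'Version'
    $missing = @($required | Where-Object { -not $cfg.PSObject.Properties[$_] })
    if ($missing.Count -gt 0) { $problems += "missing keys: $($missing -join ', ')" }
    if ($cfg.CloudAssignedTenantId -ne $ExpectedTenantId) {
        $problems += "tenant ID $($cfg.CloudAssignedTenantId) does not match expected $ExpectedTenantId"
    }

    $joinMethod = if ($cfg.CloudAssignedDomainJoinMethod -eq 1) { 'Hybrid Azure AD join' } else { 'Azure AD join' }
    [pscustomobject]@{
        Path       = $Path
        JoinMethod = $joinMethod
        IsValid    = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Write the constructed sample as ASCII to a temp location and validate it.
# In the real task sequence the file is copied to %WINDIR%\Provisioning\Autopilot\ on the target.
$path = Join-Path $env:TEMP 'AutopilotConfigurationFile.json'
[IO.File]::WriteAllText($path, $SampleJson, [Text.Encoding]::ASCII)
Test-AutopilotConfigurationFile -Path $path -ExpectedTenantId $ExpectedTenantId | Format-List
```

A profile whose JoinMethod is Hybrid Azure AD join belongs to the hybrid Autopilot setup described under Scenario 4, not to this Azure AD join scenario; checking it here avoids wiping a machine with the wrong profile.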

SCCM CMG – Co-Management Entry Point 2 – Autopilot 7

After the offline Autopilot profile is deployed by the SCCM task sequence and the user completes OOBE, the Windows 10 computer is Azure AD joined and Intune enrolled.

From Intune, you can then push the SCCM client to the device. CMG plays an essential role here: the client is installed with the CMG as its management point (the ccmsetup command line carries the CMG host name in CCMHOSTNAME and the Azure AD tenant and app details), and all communication with the on-premises SCCM site goes through the CMG over the internet.

Finally, the computer is no longer joined to the on-premises AD domain, so on-premises AD authentication and Group Policy are no longer available to it. Intune manages the configuration (the cloud equivalent of GPO) and security baseline settings instead.

In this scenario, the workloads below can be co-managed; based on your requirements, you decide which side owns each one.

  • SCCM WSUS <-> WUfB
  • SCCM software distribution <-> Intune software distribution
  • SCCM Endpoint Protection <-> Intune Endpoint Protection

Entry point 2 – Scenario 3

SCCM CMG – Co-Management Entry Point 2 – Scenario 3 (figure 8)
  • In this scenario, the device is provisioned as a Windows Autopilot computer from the start (Azure AD joined and Intune enrolled).
  • Next, the SCCM client is deployed from Intune. The SCCM client communicates with the SCCM site through the CMG.
  • The Autopilot computer is now in a co-managed state.
  • CMG is not optional here; it is required.

Below are the typical workloads that can be co-managed; based on your requirements, you decide which side owns each one.

  • SCCM WSUS <-> WUfB
  • SCCM software distribution <-> Intune software distribution
  • SCCM configuration policy <-> Intune configuration policy
  • SCCM Endpoint Protection <-> Intune Endpoint Protection

Entry point 2 – Scenario 4

SCCM CMG – Co-Management Entry Point 2 – Scenario 4 (figure 9)

This scenario can be referred to as "hybrid Autopilot." In this setup, the Windows 10 computer is Autopilot provisioned as hybrid Azure AD joined. The Intune Connector for Active Directory is required, and the device needs line of sight to a domain controller during provisioning. I already covered how to configure "hybrid Autopilot" in my previous post.

To be Continued…

We will discuss deploying the SCCM client from Intune in the hybrid Autopilot scenario in a future post. Intune pushes the SCCM client, and the client communicates with the SCCM site through the CMG; hence, CMG is required here.

In this post, we discussed four different co-management scenarios and the role of CMG in each of them.
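Putting the four scenarios together, the state of a given client tells you which entry point it is on and whether CMG is required for it. The PowerShell script below is an added example (not from the original post) that derives that from dsregcmd /status (join state and MDM enrollment URL), the presence of the CcmExec service, and the CoManagementFlags value under HKLM\SOFTWARE\Microsoft\CCM. That registry value is assumed to be present on co-managed clients that have received co-management policy; it is a bitmask of enabled workloads and is reported raw here, since the mapping is not covered in this post.

```powershell
# Added example: classify a client against the co-management entry points and scenarios.
# Assumption: HKLM\SOFTWARE\Microsoft\CCM\CoManagementFlags is written by the client once
# co-management policy applies; if it is absent, the script treats the client as not co-managed.

function Get-DsregState {
    # Parses the "Key : Value" lines of dsregcmd /status that matter for co-management.
    # $Lines can be supplied (e.g. saved output from another machine) instead of running dsregcmd.
    param([string[]]$Lines = (dsregcmd /status))
    $state = @{ AzureAdJoined = 'NO'; DomainJoined = 'NO'; MdmUrl = '' }
    foreach ($line in $Lines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|MdmUrl)\s*:\s*(.*)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    return $state
}

function Get-CoManagementState {
    # SCCM client presence and the raw co-management flags value.
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CcmClientPresent  = [bool]$svc
        CoManagementFlags = [int]$item.CoManagementFlags   # $null becomes 0
    }
}

function Get-CoManagementScenario {
    # Maps join state + MDM enrollment + SCCM client presence onto the entry points above.
    param([hashtable]$Dsreg, [bool]$CcmClientPresent, [int]$CoManagementFlags)
    $aad = $Dsreg.AzureAdJoined -eq 'YES'
    $dom = $Dsreg.DomainJoined -eq 'YES'
    $mdm = -not [string]::IsNullOrWhiteSpace($Dsreg.MdmUrl)
    $coManaged = $CcmClientPresent -and $mdm -and ($CoManagementFlags -gt 0)

    if ($dom -and -not $aad) {
        $entry = 'Entry point 1 (starting state)'
        $desc  = 'Domain joined, SCCM only; hybrid Azure AD join not done yet'
        $cmg   = 'Optional'
    }
    elseif ($dom -and $aad) {
        $entry = 'Entry point 1 - Scenario 1 (or Scenario 4, hybrid Autopilot)'
        $desc  = if ($coManaged) { 'Hybrid Azure AD joined and co-managed' }
                 else { 'Hybrid Azure AD joined, not yet co-managed (check MDM auto-enrollment and co-management policy)' }
        $cmg   = 'Optional on the intranet; required to manage the client over the internet'
    }
    elseif ($aad -and -not $dom) {
        $entry = 'Entry point 2 - Scenario 2/3 (Autopilot, Azure AD joined)'
        $desc  = if ($CcmClientPresent) { 'SCCM client installed; it must reach the site through the CMG' }
                 else { 'No SCCM client yet; push it from Intune with the CMG parameters' }
        $cmg   = 'Required'
    }
    else {
        $entry = 'Not joined to AD or Azure AD'
        $desc  = 'Outside the co-management scenarios in this post'
        $cmg   = 'Not applicable'
    }

    [pscustomobject]@{
        EntryPoint        = $entry
        State             = $desc
        MdmEnrolled       = $mdm
        CcmClientPresent  = $CcmClientPresent
        CoManaged         = $coManaged
        CoManagementFlags = $CoManagementFlags
        CmgRequired       = $cmg
    }
}

$dsreg = Get-DsregState
$ccm   = Get-CoManagementState
Get-CoManagementScenario -Dsreg $dsreg -CcmClientPresent $ccm.CcmClientPresent -CoManagementFlags $ccm.CoManagementFlags |
    Format-List
```

Because Get-DsregState accepts the dsregcmd output as a parameter, the same classification can be run against status output collected from remote machines during a co-management rollout.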

The slides used in this post are on GitHub. In the next post, we will discuss configuring CMG and troubleshooting it.

Author

Vimal has more than ten years of experience in SCCM device management solutions. His main focus is on Device Management technologies like Microsoft Intune, ConfigMgr (SCCM), OS Deployment, and Patch Management. He writes about the technologies like SCCM, Windows 10, Microsoft Intune, and MDT.
