Let’s learn how to set up SCCM co-management to offload workloads to Intune. Windows 10 co-management is a dual-management capability available with Windows 10 version 1709 (Fall Creators Update) and later.
Co-management is the bridge between traditional management and modern management. This post will show how to set up SCCM Co-Management to offload 7 (seven) workloads to Intune.
To start the Co-Management Wizard, you must have a Microsoft Intune subscription. You must get a business account or a trial version if you don’t have an Intune subscription.
The following post, How to Start Working with Intune, provides more details on how to get a trial version of Intune.
Microsoft’s strategy for device management is threefold:
- Tenant Attach (More details about Tenant Attach).
- Co-Management Workloads. In total, there are seven co-management workloads.
- Cloud-Native Management.
What are SCCM Co-Management Workloads?
SCCM co-management workloads are the functionalities or features of device management. For example, compliance policies, configuration policies, software updates, resource access policies (Wi-Fi profiles, VPN profiles, etc.), the Office 365 workload, and application deployment are co-management workloads.
- Compliance policies
- Resource access policies
- Device configuration
- Windows Update policies
- Endpoint Protection
- Client apps
- Office Click-to-Run apps
I have added the latest screenshot from the SCCM 2203 version. The workloads have changed a lot. Let’s have a quick check-in using the screenshot below.
How to Offload Workloads for Co-management?
SCCM continues to manage all device management workload functionalities even after enabling the co-management option. When you decide that you are ready for co-management, you can start using Intune to manage available workloads.
The Co-Management Configuration Wizard or properties provide the ability to select any of the workloads mentioned earlier and offload them for Intune management. You can then have Microsoft Intune start managing different workloads/features.
Choose Pilot Intune to have Intune manage the workloads only for clients in the pilot groups.
If you want to manage these workloads with SCCM, select ConfigMgr/SCCM. If you’re going to manage them with Intune, select Intune.
SCCM Co-Management Auto Enrollment Options
To enable co-management for devices managed by SCCM, configure auto-enrollment. SCCM CB co-management offers two options for auto-enrollment in Intune:
- Pilot Collection – Auto Enrollment In Intune
- All Devices – Auto Enrollment In Intune
SCCM Co-Management Workload Reports from Intune Portal
Let’s check the default Intune Co-Management Workloads Report available in the Endpoint Manager portal. The Co-Manage Workloads report provides a report of devices that are currently co-managed.
The report shows the management authority for each device’s Compliance, Resource Access, Device Configuration, Windows Update for Business, Endpoint Protection, Modern Apps, and Office Apps workloads.
Pilot Collection – Auto Enrollment
With this option, co-management is enabled only for a selected pilot collection. The selected Windows 10 1709 or later devices form the pilot group for co-management. This pilot collection can be used for a staged co-management rollout.
You can choose to initiate automatic enrollment or move workloads to Intune for devices in the pilot collection before you roll out co-management to all supported Windows 10 devices in your production environment.
All Devices – Auto Enrollment
This option configures co-management, with auto-enrollment in Intune, for all production devices. It is the co-management policy for production. There is no exclusion collection option to keep specific devices out of co-management.
How to Enable SCCM Co-Management for SCCM Clients and Intune Managed Devices?
There are two ways to enable SCCM co-management for Windows 10 1709 or later devices.
- Enable Co-management for SCCM Clients
- Enable Co-management for Intune-managed devices
Enable Co-management for SCCM Clients
To enable co-management with Intune for devices that are already managed by SCCM, select All or Pilot from the drop-down menu to manage all SCCM clients, or only the pilot SCCM clients, via Intune.
Enable Co-management for Intune Managed Devices
You need to create an application in Intune to enable co-management for already Intune-managed devices with SCCM. This application will install the SCCM client onto Intune-managed devices. The SCCM team provided a sample command line to install the SCCM client.
The following is the sample command line provided on the Enable Co-Management page of the wizard:
CCMSETUPCMD="/mp:https://ACMCMG021.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057567037927944 CCMHOSTNAME=ACMCMG01.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927944 SMSSiteCode=PR3 SMSMP=https://SCCM_PROD.INTUNE.COM AADTENANTID=67BB8C6D-7266-4FAA-A290-5EDD572C2210 AADCLIENTAPPID=046cb662-0208-4bab-8118-4be4bd132bf2 AADRESOURCEURI=https://ConfigMgrService1 SMSPublicRootKey=0602000000A"
This command line needs some changes before creating a Mobile app in the Intune portal. My next post will cover these command-line details (the required changes).
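A pre-deployment sanity check for a command line of this shape, as an added example that is not from the wizard or the original post. Test-CcmSetupCmd is a hypothetical helper, the sample values are constructed placeholders, and the check assumes /mp and CCMHOSTNAME are meant to name the same CMG endpoint.

```powershell
# Added example. Test-CcmSetupCmd is a hypothetical helper, not an SCCM or Intune cmdlet.
function Test-CcmSetupCmd {
    param([Parameter(Mandatory)][string]$CommandLine)
    $findings = [System.Collections.Generic.List[string]]::new()
    # Curly quotes picked up from a web page are not the straight quotes the property syntax uses.
    if ($CommandLine -match '[\u201C\u201D]') {
        $findings.Add('Curly quotes found; retype them as straight double quotes.')
    }
    # Strip the CCMSETUPCMD="..." wrapper, then split the value into tokens.
    $inner = $CommandLine.Trim() -replace '^CCMSETUPCMD=[\u201C\u201D"]?', '' -replace '[\u201C\u201D"]$', ''
    $props = @{}
    foreach ($token in ($inner -split '\s+')) {
        if ($token -match '^/mp:(.+)$') { $props['/mp'] = $Matches[1] }
        elseif ($token -match '^([^=]+)=(.*)$') { $props[$Matches[1]] = $Matches[2] }
    }

    # Management point URLs should be HTTPS.
    foreach ($key in '/mp', 'SMSMP') {
        if ($props[$key] -and $props[$key] -notmatch '^https://') {
            $findings.Add("$key is not an https:// URL: $($props[$key])")
        }
    }
    # Assumption: /mp and CCMHOSTNAME are meant to name the same CMG endpoint.
    if ($props['/mp'] -and $props['CCMHOSTNAME']) {
        $mpEndpoint = $props['/mp'] -replace '^https://', ''
        if ($mpEndpoint -ne $props['CCMHOSTNAME']) {
            $findings.Add("/mp and CCMHOSTNAME differ: $mpEndpoint vs $($props['CCMHOSTNAME'])")
        }
    }
    # Tenant and client app IDs must be well-formed GUIDs.
    foreach ($key in 'AADTENANTID', 'AADCLIENTAPPID') {
        $parsed = [guid]::Empty
        if ($props[$key] -and -not [guid]::TryParse($props[$key], [ref]$parsed)) {
            $findings.Add("$key is not a well-formed GUID: $($props[$key])")
        }
    }
    # A site code is three alphanumeric characters.
    if ("$($props['SMSSiteCode'])" -notmatch '^[A-Za-z0-9]{3}$') {
        $findings.Add('SMSSiteCode is missing or is not three alphanumeric characters.')
    }
    [pscustomobject]@{ Properties = $props; Findings = $findings }
}

# Constructed sample (placeholder hosts and IDs) with curly quotes and a deliberate host mismatch.
$q1 = [char]0x201C; $q2 = [char]0x201D
$sample = 'CCMSETUPCMD=' + $q1 + '/mp:https://CMG02.EXAMPLE.NET/CCM_Proxy_MutualAuth/1' +
    ' CCMHOSTNAME=CMG01.EXAMPLE.NET/CCM_Proxy_MutualAuth/1 SMSSiteCode=XYZ' +
    ' SMSMP=https://mp.example.net AADTENANTID=not-a-guid' + $q2
(Test-CcmSetupCmd -CommandLine $sample).Findings
```

Run against the wizard sample shown above, the same function reports that the /mp and CCMHOSTNAME values differ.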
Co-Management Related Posts
- Overview Windows 10 Co-Management with Intune and SCCM
- Custom Report to Identify Machines Connected via SCCM CMG
- How to Setup Co-Management - Introduction - Prerequisites Part 1
- How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2
- Setup Co-Management - AAD Connect UPN Suffix Part 3
- Setup Co-Management - CA PKI & Certificates Part 4
- Setup Co-Management Cloud DP Azure Blob Storage Part 5
- Setup Co-Management Azure Cloud Services CMG Part 6
- SCCM Configure Settings for Client PKI certificates Part 7
- How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8 (This Post)
- How to Deploy SCCM Client from Intune - Co-Management - Part 9
- End User Experience of Windows 10 Co-Management - Part 10
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His primary focus is Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Hi, I have followed one of your guides for implementing CMG. But I have not enabled Co-Management. Our plan is to have devices from multiple Azure AD report back to one SCCM instance. Whilst Co-Management is a one to one solution. It works fine to have devices in different Azure ADs connect to one SCCM instance. However, we want to manage the workloads from Intune but with this setup all workload gets managed by SCCM. Since Co-Management is not configured we have no way to switch workloads. Is there another way to deactivate the SCCM workloads in the same way they are deactivated in coexist mode with 3rd party MDM tools?
I’m afraid the answer is no. That is the disadvantage of having 3rd party MDM… you might not get the granularity that you are looking for …
Ok, but we do not have a 3rd party MDM. We use SCCM and Intune. But we have only activated CMG, not Co-management. But the SCCM agent and Intune act as if we have activated Co-management, and SCCM takes control over all workloads.
Our wanted scenario is:
One SCCM Instance with one CMG
Several Azure AD with several Intune instances connected to SCCM through the CMG.
So far we have two AAD and Intune instances connected and it works fine except that SCCM takes over all Workloads. Is there no way to deactivate the workloads in SCCM? How does SCCM identify 3rd party MDM tools? Can we fool it somehow?
Thanks!
But why are you enrolling devices to Intune if you don’t want co-management? If you enroll devices to Intune then it’s recommended using co-managed workloads ..
Does this make sense ?
Yes but we only want to inventory devices through SCCM because our Software Asset Management System is dependent on data from SCCM and we have several Intune tenants. The connection through CMG is working fine, (got it working through your guides, thank you!) but I have no way to deactivate SCCM from taking control over the workloads. Those controls are only visible if I turn on Co management which I only can do on one of the Intune tenants.
I’ve inherited a serious mess that I’m trying to understand and I’m relatively new at SCCM, but pretty versed in Intune.
Does anyone know if Software Center and Intune have conflicts?
Scenario:
SCCM and Intune in a co-managed configuration.
The workloads for applications have been set to a pilot group and the group has devices.
If Software Center is installed on the device the required Intune applications assigned will not install and just show the waiting for install status.
If I uninstall Software Center the applications will flow down properly from the Intune side.
Can these two exist? If so, what should I look at to remedy this?