How to Setup SCCM Co-Management to Offload Workloads to Intune

Windows 10 co-management is a dual management capability available with Windows 10 version 1709 (Fall Creators Update) and later. Co-management is the bridge between traditional management and modern management. In this post, we will see how to set up SCCM Co-Management to offload 4 (four) workloads to Intune.

Video Tutorial to Setup SCCM Co-Management Configurations

Prerequisite for the SCCM Co-Management Configuration Wizard

To start the Co-Management Wizard, you need to have a Microsoft Intune subscription. If you don’t have an Intune subscription, you need to get a business account or a trial version. More details on getting a trial version of Intune are in the following post under “How to Start Working with Intune?”.

SCCM Co-Management Auto Enrollment Options

To enable co-management for devices managed by SCCM, configure Auto Enrollment. There are 2 "Auto Enrollment in Intune" options available in SCCM CB co-management:

  1. Pilot Collection – Auto Enrollment In Intune
  2. All Devices – Auto Enrollment In Intune

Pilot Collection – Auto Enrollment

With this option, co-management is enabled only for a selected pilot collection. The selected Windows 10 1709 or later devices form the pilot group for co-management. This pilot collection can be used for a staged co-management roll-out.

You can choose to initiate automatic enrollment or move workloads to Intune for devices in the pilot collection before you roll out co-management to all supported Windows 10 devices in your production environment.

All Devices – Auto Enrollment

With this option, co-management is configured for the whole production device collection via auto enrollment into Intune. This is the co-management policy for production. There is no exclusion collection option to disable devices from co-management.

SCCM Co-Management Pilot Production Options

How to Enable SCCM Co-Management for SCCM Clients and Intune Managed Devices?

There are two ways to enable SCCM co-management for Windows 10 1709 or later devices.

  1. Enable Co-management for SCCM Clients
  2. Enable Co-management for Intune managed devices

Enable Co-management for SCCM Clients

To enable co-management with Intune for devices that are already managed by SCCM, you need to select the following option. Select either ALL or Pilot from the drop-down menu to manage all or pilot SCCM clients via Intune.

Enable Co-management for Intune Managed Devices

To enable co-management with SCCM for devices that are already managed by Intune, you need to create an application in Intune. This application will install the SCCM client onto Intune managed devices. The SCCM team has provided a sample command line to install the SCCM client.

Following is the sample command line provided on the Enable Co-Management page of the wizard:

CCMSETUPCMD="/mp:https://ACMCMG021.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057567037927944 CCMHOSTNAME=ACMCMG01.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927944 SMSSiteCode=PR3 SMSMP=https://SCCM_PROD.INTUNE.COM AADTENANTID=67BB8C6D-7266-4FAA-A290-5EDD572C2210 AADCLIENTAPPID=046cb662-0208-4bab-8118-4be4bd132bf2 AADRESOURCEURI=https://ConfigMgrService1 SMSPublicRootKey=0602000000A"

This command line needs some changes before you create a Mobile app in the Intune portal. The details of the required changes will be covered in my next post.
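A pre-deployment check for the sample command line above, written in Python as an added example that is not part of the wizard, of SCCM, or of the original post: it parses the CCMSETUPCMD properties and flags values that are inconsistent or malformed before they are pasted into an Intune app. The function names and the rule that /mp and CCMHOSTNAME should name the same CMG endpoint are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# The wizard sample exactly as shown on this page.
SAMPLE = (
    'CCMSETUPCMD="/mp:https://ACMCMG021.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057567037927944 '
    'CCMHOSTNAME=ACMCMG01.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927944 '
    'SMSSiteCode=PR3 SMSMP=https://SCCM_PROD.INTUNE.COM '
    'AADTENANTID=67BB8C6D-7266-4FAA-A290-5EDD572C2210 '
    'AADCLIENTAPPID=046cb662-0208-4bab-8118-4be4bd132bf2 '
    'AADRESOURCEURI=https://ConfigMgrService1 SMSPublicRootKey=0602000000A"'
)

def parse_ccmsetupcmd(line):
    """Return {NAME: value} for the properties inside CCMSETUPCMD="..."."""
    m = re.search(r'CCMSETUPCMD="([^"]*)"', line)
    if not m:
        raise ValueError('no CCMSETUPCMD="..." property found')
    props = {}
    for token in m.group(1).split():
        if token.lower().startswith("/mp:"):
            props["/MP"] = token[4:]
        elif "=" in token:
            name, value = token.split("=", 1)
            props[name.upper()] = value
    return props

def lint(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mp = urlsplit(props.get("/MP", ""))
    # Assumption of this example: /mp and CCMHOSTNAME name the same CMG endpoint.
    if (mp.netloc + mp.path).lower() != props.get("CCMHOSTNAME", "").lower():
        findings.append("/mp and CCMHOSTNAME point at different endpoints")
    for key in ("/MP", "SMSMP", "AADRESOURCEURI"):
        if urlsplit(props.get(key, "")).scheme != "https":
            findings.append(f"{key} is missing or not an https:// URL")
    for key in ("AADTENANTID", "AADCLIENTAPPID"):
        if not GUID.match(props.get(key, "")):
            findings.append(f"{key} is missing or not a GUID")
    root_key = props.get("SMSPUBLICROOTKEY", "")
    if len(root_key) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", root_key):
        findings.append("SMSPublicRootKey is not whole hex bytes (truncated?)")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_ccmsetupcmd(SAMPLE)):
        print("FINDING:", finding)
```

Run against the sample as printed, it reports the differing /mp and CCMHOSTNAME values and the odd-length SMSPublicRootKey.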

What are SCCM Co-Management Workloads?

SCCM Co-Management workloads are functionalities/features of device management. For example, Compliance policies, Configuration Policies, Software Updates, Resource Access policies (WiFi Profiles/VPN Profiles, etc.), the Office 365 workload, Application deployment, etc. are co-management workloads. More details are available in the video tutorial here.

Compliance Policies
Device Configuration (Available with SCCM TP 1805 or later)
  Resource Access Policies (WiFi, VPN profiles)
  Endpoint Protection
Configuration Policies 
Office Click-to-Run Apps (Available with SCCM TP 1806 or later)
Windows Update Policies (Patching without on-prem WSUS/SUP)

Some workloads are missing in the above picture. This is because I took the screenshot from the SCCM 1802 production version, whereas the SCCM TP 1806 version has more workloads. I have incorporated all the workloads in the above list. More details are available in the SCCM TP 1806 blog post.

How to Offload Workloads for Co-management?

SCCM continues to manage all workloads (the functionalities of device management) even after you enable the co-management option. When you decide that you are ready for co-management, you can start using Intune to manage the available workloads.

The Co-Management Configuration Wizard (or the co-management properties) lets you select any of the workloads mentioned earlier and offload it to Intune management, so that Microsoft Intune starts managing the different workloads/features.

Choose Pilot Intune to have Microsoft Intune manage a workload only for clients in the pilot group.

If you want to manage these workloads with SCCM, then select ConfigMgr/SCCM. If you want to manage these workloads with Intune, then select Intune.

5 thoughts on “How to Setup SCCM Co-Management to Offload Workloads to Intune”

  1. Hi, I have followed one of your guides for implementing CMG. But I have not enabled Co-Management. Our plan is to have devices from multiple Azure AD report back to one SCCM instance. Whilst Co-Management is a one to one solution. It works fine to have devices in different Azure ADs connect to one SCCM instance. However, we want to manage the workloads from Intune but with this setup all workloads get managed by SCCM. Since Co-Management is not configured we have no way to switch workloads. Is there another way to deactivate the SCCM workloads in the same way they are deactivated in coexist mode with 3rd party MDM tools?

      • Ok, but we do not have a 3rd party MDM. We use SCCM and Intune. But we have only activated CMG, not Co-management. But the SCCM agent and Intune act as if we have activated Co-management and SCCM takes control over all workloads.

        Our wanted scenario is:
        One SCCM Instance with one CMG
        Several Azure AD with several Intune instances connected to SCCM through the CMG.

        So far we have two AAD and Intune instances connected and it works fine except that SCCM takes over all Workloads. Is there no way to deactivate the workloads in SCCM? How does SCCM identify 3rd party MDM tools? Can we fool it somehow?


      • But why are you enrolling devices to Intune if you don’t want co-management? If you enroll devices to Intune then it’s recommended using co-managed workloads.

        Does this make sense?

  2. Yes, but we only want to inventory devices through SCCM because our Software Asset Management System is dependent on data from SCCM and we have several Intune tenants. The connection through CMG is working fine (got it working through your guides, thank you!) but I have no way to deactivate SCCM from taking control over the workloads. Those controls are only visible if I turn on Co-management, which I can only do on one of the Intune tenants.


