How to Setup Co-Management – Introduction – Prerequisites
Co-management is a Windows device manageability feature. It is a solution that bridges traditional and modern management and gives you a path to make the transition in a phased approach.
This post is based on the presentation Rajul and I gave at GAB 2018. Since Windows 10 (1607), you can join a Windows 10 device to both on-premises Active Directory (AD) and cloud-based Azure AD at the same time (hybrid AAD).
Co-management takes advantage of this improvement and enables you to concurrently manage Windows 10 devices using SCCM and Intune. I accidentally tested the co-management feature with the 1703 version of Windows 10. Can you guess the results of my test?
I recommend having a dedicated HTTPS management point (MP) and Software Update Point (SUP—future-proof for third-party patching developments) to accommodate the new changes in SCCM 1802 and later.
While writing this post, I could think of two entry points to co-management. One entry point is to enroll SCCM-managed Windows 10 devices into Intune management. We have divided Co-management prerequisites into different technology categories.
All Co-Management Video Tutorials in one post
What is Co-Management? |
---|
Co-management is a device manageability feature of Windows |
Bridge from Traditional Management to Modern Management |
Coexistence of management tools (Intune, SCCM, and other MDM??) |
- Overview Windows 10 Co-Management with Intune and SCCM
- Custom Report to Identify Machines Connected via SCCM CMG
- How to Setup Co-Management – Introduction – Prerequisites Part 1 (This Post)
- How to Setup Co-Management – Firewall Ports Proxy Requirements Part 2
- Setup Co-Management – AAD Connect UPN Suffix Part 3
- Setup Co-Management – CA PKI & Certificates Part 4
- Setup Co-Management Cloud DP Azure Blob Storage Part 5
- Setup Co-Management Azure Cloud Services CMG Part 6
- SCCM Configure Settings for Client PKI certificates Part 7
- How to Setup SCCM Co-Management to Offload Workloads to Intune – Part 8
- How to Deploy SCCM Client from Intune – Co-Management – Part 9
- End User Experience of Windows 10 Co-Management – Part 10
Co-Management Prerequisites
Another entry point to co-management is installing the SCCM client on Windows 10 devices already managed by Intune.
- Azure AD/On-Prem AD
- SCCM
- Intune
- License
- Client OS
Azure Active Directory or On-Prem AD | SCCM | Intune | License | Client OS |
---|---|---|---|---|
Domain Joined + AAD Registered (Hybrid AD) | SCCM 1710 or later | Intune Standalone (or Mixed?) | EMS or M365 | Windows 10 1709 or Later |
Azure AD Connect | Cloud Management Gateway* | Azure Subscription (PaaS)* | ||
ADFS* | Cloud Distribution Point | |||
Azure AD Joined (Cloud) | Cloud Service Configuration | |||
AAD Automatic Enrollment enabled | ||||
Conditional Access Policy Changes* | | | | |
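The Client OS and Azure AD columns of the table above can be verified on a device before the co-management policy is enabled. The following PowerShell script is an added example, not code from the original post: it reads the OS build (Windows 10 1709 is build 16299; 1703 is 15063), parses the join state from dsregcmd, checks that the ConfigMgr client service is running, and looks for an existing Intune (MDM) enrollment. The registry paths used for the enrollment list and for the CoManagementFlags value are assumptions about the client layout and are marked as such in the code.

```powershell
# Added example (not from the original post): readiness check for entry point 1,
# an SCCM-managed, domain-joined Windows 10 device that should enroll in Intune.
# Run in an elevated PowerShell session on the Windows 10 device.

$minimumBuild = 16299   # Windows 10 1709; 1703 (build 15063) is below the supported minimum

# OS build from WMI/CIM
$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
$osOk  = $build -ge $minimumBuild

# dsregcmd /status is the authoritative source for AD / Azure AD join state.
# Output lines look like "   AzureAdJoined : YES" and "   DomainJoined : YES".
$dsreg         = dsregcmd /status
$azureAdJoined = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)
$domainJoined  = [bool]($dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES'  -Quiet)
$hybridJoined  = $azureAdJoined -and $domainJoined

# ConfigMgr client present and running?
$ccmExec      = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
$sccmClientOk = [bool]$ccmExec -and $ccmExec.Status -eq 'Running'

# MDM enrollment: an enrollment whose ProviderID is 'MS DM Server' is an Intune enrollment.
# Assumption: enrollments live under HKLM:\SOFTWARE\Microsoft\Enrollments\<GUID>.
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }
$intuneEnrolled = ($enrollments | Measure-Object).Count -gt 0

# Workload flags the ConfigMgr client writes once the co-management policy applies.
# Assumption: HKLM:\SOFTWARE\Microsoft\CCM\CoManagementFlags (absent until the policy arrives).
$coMgmtFlags = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags `
                    -ErrorAction SilentlyContinue).CoManagementFlags

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    OSBuild             = $build
    OSBuildSupported    = $osOk
    DomainJoined        = $domainJoined
    AzureAdJoined       = $azureAdJoined
    HybridAzureAdJoined = $hybridJoined
    SccmClientRunning   = $sccmClientOk
    IntuneEnrolled      = $intuneEnrolled
    CoManagementFlags   = $coMgmtFlags
    ReadyForEntryPoint1 = ($osOk -and $hybridJoined -and $sccmClientOk)
}
```

A device on 1703 reports OSBuildSupported as False, which is the quickest way to explain a failed enrollment attempt like the one mentioned at the top of this post. IntuneEnrolled and CoManagementFlags are expected to be False and empty before the policy is applied; they are included so the same script can be re-run afterwards to confirm the enrollment happened.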
Co-Management Entry Points
I have seen use cases for both entry points. The difference between device management tools will become thinner in the future. This will be visible to all of us when we are able to transition more workloads between management tools!
SCCM Managed + Domain Joined Client => Intune Enrolment
- The Windows 10 device will automatically get enrolled in Intune based on the co-management configuration
- Workload transition – Wi-Fi profile, VPN profile, Windows Defender, configuration* and compliance policies
Intune Managed + Azure AD Joined Client => SCCM Client Installation
- Get into Intune management via Autopilot + configuration profiles + PowerShell script
- Use Intune mobile application deployment to install the SCCM client on Windows 10 devices
- Workload transition – complex Win32 MSI / App-V
What are the SCCM CMG & CDP Prerequisites?
We have presented CDP and CMG prerequisites, except for certs, in a table format to make it easy to understand. SCCM CMG & CDP cert requirements are the same, and I’ve covered this in the following section.
Cloud Distribution Point (CDP) | Cloud Management Gateway (CMG) |
---|---|
DP on Azure Cloud | Reverse Proxy on Azure? |
Azure PaaS Solution | Azure PaaS Solution |
Azure Classic Deployment – MGMT Certs Authentication | Azure Resource Manager (ARM) SCCM 1802 or later – AAD App Authentication |
CDP GUID name resolution for clients – CNAME record in your DNS namespace | Azure Classic Deployment (1710 or below) – MGMT Certs Authentication |
| NOT Pre-release Feature Anymore |
SCCM CMG/CDP Cert Requirements
We have divided the CMG cert requirements into two categories based on authentication. I also tried to cover the deployment scenarios in the table below.
I recommend using PKI infra when your organization already has it (I cover PKI cert requirements in this post).
Think about the cloud scenarios and where your PKI infra fits in. I could see a long-term future where all certs authentication can be done with public certs independent of internal PKI. I recommend reading more details about CMG & CDP certs.
- Self-Signed MGMT Cert – Azure Management Certificate (only for CDP – SCCM 1802 or later)
- Client Authentication Certificate
- Server Authentication Certificate (Web Server Template & Custom web server certificate with CMG/CDP CNAME)
- Client Root (Intermediate CA Issuing Certs) Certificate (A service certificate (PKI) that SCCM clients use to connect to CDP/CMG)
Server/Azure side authentication | Client-side authentication |
---|---|
CMG creates an HTTPS service for Internet Clients | Azure AD Token for AAD joined machines |
Azure Management Cert (Classic Deployment Only) | Clients must trust the CMG server authentication certificate |
Public Provider Certificate (Verisign/Digicert/Entrust/GoDaddy etc) or PKI | Public Provider Certificate Root CA |
Wildcard server authentication certificate support (1802 onwards) *.anoopcnair.com | Root and Intermediate Chain of Client Certs to clients |
Manual Upload – SCCM CMG installation wizard | Deploy – GPO, SCCM Cert deployment, Any other delivery method |
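The client-side column of the table above boils down to three things a client must have before it can talk to a PKI-based CMG or CDP: trust in the root that issues the CMG server authentication certificate, a client authentication certificate with a private key that chains to a trusted root, and a server certificate name (plain or wildcard) that actually covers the CMG CNAME. The following PowerShell script is an added example, not from the original post, that checks these on a Windows 10 client without touching the network. The CMG FQDN and the issuing root thumbprint are placeholders you replace; the two EKU OIDs are the standard Client Authentication and Server Authentication OIDs.

```powershell
# Added example (not from the original post): offline certificate prerequisite check
# for a PKI-based CMG/CDP, run in an elevated PowerShell session on the client.
param(
    [string]$cmgFqdn               = 'cmg.anoopcnair.com',                # placeholder: your CMG CNAME
    [string]$issuingRootThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'   # placeholder: root that issues the CMG cert
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (reference only; the server cert lives in Azure)

# 1. Does this client trust the root CA that issued the CMG server authentication certificate?
$rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $issuingRootThumbprint })

# 2. Client authentication certificates in the machine personal store that carry a private key
$clientCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) }

# 3. Build each candidate's chain the way the ConfigMgr client will at runtime.
#    Revocation is skipped here so the check stays offline; CRL reachability from the
#    Internet is a separate item to verify.
$chainResults = foreach ($cert in $clientCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        NotAfter    = $cert.NotAfter
        ChainBuilds = $chainOk
        ChainStatus = (($chain.ChainStatus.StatusInformation -join '; ')).Trim()
    }
}

# 4. Name matching: a wildcard such as *.anoopcnair.com covers exactly one label
#    (cmg.anoopcnair.com) and not a deeper name (a.b.anoopcnair.com). Wildcard server
#    authentication certificates are accepted from 1802 onwards.
function Test-SanMatch {
    param([string]$SanName, [string]$Fqdn)
    if ($SanName.StartsWith('*.')) {
        $suffix = $SanName.Substring(1)                                   # '.anoopcnair.com'
        if (-not $Fqdn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
        $leftLabel = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
        return ($leftLabel.Length -gt 0) -and ($leftLabel -notmatch '\.')  # exactly one label
    }
    return [string]::Equals($SanName, $Fqdn, [System.StringComparison]::OrdinalIgnoreCase)
}

[pscustomobject]@{
    CmgFqdn              = $cmgFqdn
    IssuingRootTrusted   = $rootTrusted
    ClientAuthCertsFound = ($clientCerts | Measure-Object).Count
    ClientCertChains     = $chainResults
    WildcardCoversCmg    = Test-SanMatch -SanName '*.anoopcnair.com' -Fqdn $cmgFqdn          # True for cmg.anoopcnair.com
    WildcardTooDeep      = Test-SanMatch -SanName '*.anoopcnair.com' -Fqdn 'a.b.anoopcnair.com'  # False
}
```

If IssuingRootTrusted is False, the client will reject the CMG's HTTPS endpoint no matter how good the server certificate is, which is why the table lists deploying the root and intermediate chain (via GPO, SCCM certificate deployment or any other method) as a client-side requirement. A ChainBuilds of False with a non-empty ChainStatus usually means the intermediate issuing CA certificate was never delivered to the client.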
Author
Anoop C Nair has been a Microsoft MVP since 2015, for 10 consecutive years. He is a Workplace Solution Architect with more than 22 years of experience in workplace technologies. He is a blogger, speaker, and local user group community leader. His main focus is on device management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, career, etc.