SCCM ConfigMgr How to Setup Co-Management – Introduction – Prerequisites

Co-management is a Windows device manageability feature. It’s a solution that bridges traditional and modern management and gives you a path to make the transition using a phased approach.

This post is based on the presentation Rajul and I gave at GAB 2018. With Windows 10 (1607), you can join a Windows 10 device to both on-premises Active Directory (AD) and cloud-based Azure AD at the same time (hybrid AAD).

Co-management takes advantage of this improvement and enables you to concurrently manage Windows 10 devices using SCCM and Intune. I accidentally tested the co-management feature with the 1703 version of Windows 10. Can you guess the results of my test?

I recommend having a dedicated HTTPS management point (MP) and Software Update Point (SUP—future-proof for third-party patching developments) to accommodate the new changes in SCCM 1802 and later.


What is Co-Management?

While writing this post, I could think of two entry points to co-management. One entry point is to enroll SCCM-managed Windows 10 devices into Intune management. The other entry point is installing the SCCM client on Windows 10 devices already managed by Intune.

  • Co-management is a device manageability feature of Windows
  • Bridge from Traditional Management to Modern Management
  • Coexistence of management tools (Intune, SCCM, and other MDM??)
SCCM ConfigMgr How to Setup Co-Management – Introduction – Prerequisites – Table 1

Co-Management Prerequisites

We have divided the co-management prerequisites into different technology categories.

Azure Active Directory or On-Prem AD
  • Domain Joined + AAD Registered (Hybrid AD)
  • Azure AD Connect
  • ADFS*
  • Azure AD Joined (Cloud)
  • AAD Automatic Enrollment enabled
  • Conditional Access Policy Changes*

SCCM
  • SCCM 1710 or later
  • Cloud Management Gateway*
  • Cloud Distribution Point
  • Cloud Service Configuration

Intune
  • Intune Standalone (or Mixed?)
  • Azure Subscription (PaaS)*

License
  • EMS or M365

Client OS
  • Windows 10 1709 or Later
SCCM ConfigMgr How to Setup Co-Management – Introduction – Prerequisites – Table 2
SCCM ConfigMgr How to Setup Co-Management – Introduction – Prerequisites – Fig.1

Co-Management Entry Points

I have seen use cases for both entry points. The difference between device management tools will become thinner in the future. This will be visible to all of us when we are able to transition more workloads between management tools!

SCCM Managed + Domain Joined Client => Intune Enrolment

  • The Windows 10 device is automatically enrolled in Intune based on the Co-Mgmt configuration
  • Workload Transition – Wi-Fi Profile, VPN Profile, Windows Defender, Configuration* and Compliance policies

Intune Managed + Azure AD Joined Client => SCCM Client Installation

  • Get into Intune management via Autopilot + Configuration Profiles + PowerShell Script
  • Use Intune Mobile Application Deployment to install the SCCM client on Windows 10 devices
  • Workload Transition – Complex Win32 MSI / App-V
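The client-side prerequisites from the table above and the two entry points just listed can be checked on a single device with the following script. It is an added example, not from the original post, and makes three assumptions: Windows 10 1709 is OS build 16299, the ConfigMgr 1710 client reports version 5.00.8577.x, and Intune enrollment appears under HKLM\SOFTWARE\Microsoft\Enrollments with ProviderID "MS DM Server". Run it in an elevated PowerShell on the device.

```powershell
# Added example (not from the original post): co-management readiness check for one device.
function Test-CoMgmtReadiness {
    # dsregcmd /status reports the device's on-prem AD and Azure AD join state.
    $dsreg = dsregcmd /status
    $domainJoined = [bool]($dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES')
    $aadJoined    = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')

    # Windows 10 build; 1709 (assumed build 16299) is the first release supported for co-management.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    # ConfigMgr client version from the client's own WMI namespace ($null when not installed).
    $ccm = Get-CimInstance -Namespace 'root\ccm' -ClassName SMS_Client -ErrorAction SilentlyContinue
    $clientVersion = if ($ccm) { [version]$ccm.ClientVersion } else { $null }
    # Assumption: the 1710 client is 5.00.8577.x, the minimum for co-management.
    $clientOk = ($null -ne $clientVersion) -and ($clientVersion -ge [version]'5.0.8577.0')

    # MDM (Intune) enrollment; assumed to appear as an Enrollments subkey with ProviderID "MS DM Server".
    $mdmEnrolled = [bool](Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' })

    # Which of the two entry points this device would take.
    $entryPoint = switch ($true) {
        ($clientOk -and -not $mdmEnrolled) { 'SCCM managed + domain joined => Intune enrolment'; break }
        ($mdmEnrolled -and -not $clientOk) { 'Intune managed + Azure AD joined => SCCM client installation'; break }
        ($mdmEnrolled -and $clientOk)      { 'Both agents present: candidate for co-management'; break }
        default                            { 'Neither management agent present' }
    }

    [pscustomobject]@{
        DomainJoined     = $domainJoined
        AzureAdJoined    = $aadJoined
        HybridAadJoined  = $domainJoined -and $aadJoined
        OsBuild          = $build
        OsSupported      = $build -ge 16299
        CcmClientVersion = $clientVersion
        CcmClientOk      = $clientOk
        MdmEnrolled      = $mdmEnrolled
        EntryPoint       = $entryPoint
    }
}

Test-CoMgmtReadiness | Format-List
```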

What are the SCCM CMG & CDP Prerequisites

We have presented CDP and CMG prerequisites, except for certs, in a table format to make it easy to understand. SCCM CMG & CDP cert requirements are the same, and I’ve covered this in the following section.

Cloud Distribution Point (CDP)
  • DP on Azure Cloud
  • Azure PaaS Solution
  • Azure Classic Deployment – MGMT Certs Authentication
  • CDP GUID name resolution for clients – CNAME record in your DNS namespace

Cloud Management Gateway (CMG)
  • Reverse Proxy on Azure?
  • Azure PaaS Solution
  • Azure Resource Manager (ARM) SCCM 1802 or later – AAD App Authentication
  • Azure Classic Deployment (1710 or below) – MGMT Certs Authentication
  • NOT a Pre-release Feature Anymore
SCCM ConfigMgr How to Setup Co-Management – Introduction – Prerequisites – Table 3

SCCM CMG/CDP Cert Requirements

We have divided CMG cert requirements into two categories based on authentication. I also tried to cover the deployment scenarios in the table below.

I recommend using PKI infra when your organization already has it (I cover PKI cert requirements in this post).

Think about the cloud scenarios and where your PKI infra fits in. I could see a long-term future where all certificate authentication is done with public certs, independent of internal PKI. I recommend reading more details about CMG & CDP certs.

  • Self Signed MGMT Cert – Azure Management Certificate (Only for CDP – SCCM 1802 or later)
  • Client Authentication Certificate
  • Server Authentication Certificate (Web Server Template & Custom web server certificate with CMG/CDP CNAME)
  • Client Root (Intermediate CA Issuing Certs) Certificate (A service certificate (PKI) that SCCM clients use to connect to CDP/CMG)

Server/Azure side authentication
  • CMG creates an HTTPS service for Internet Clients
  • Azure Management Cert (Classic Deployment Only)
  • Public Provider Certificate (Verisign/Digicert/Entrust/GoDaddy etc) or PKI
  • Wildcard server authentication certificate support (1802 onwards) *.anoopcnair.com
  • Manual Upload – SCCM CMG installation wizard

Client-side authentication
  • Azure AD Token for AAD joined machines
  • Clients must trust the CMG server authentication certificate
  • Public Provider Certificate Root CA
  • Root and Intermediate Chain of Client Certs to clients
  • Deploy – GPO, SCCM Cert deployment, Any other delivery method
SCCM ConfigMgr How to Setup Co-Management – Introduction – Prerequisites – Table 4
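The client-side requirement in the table above, that the client must trust the CMG server authentication certificate issued for the CMG CNAME (wildcard certs included), can be verified from a client before clients start failing against the CMG. The script below is an added example, not from the original post: it performs a TLS handshake to the CMG, builds the certificate chain against the machine's own Root and Intermediate stores, and checks the name. The CMG FQDN 'cmg.example.com' is a placeholder.

```powershell
# Added example (not from the original post): check that this client trusts the CMG server
# authentication certificate and that the certificate name matches the CMG CNAME.
function Test-CmgServerCert {
    param([Parameter(Mandatory)][string]$CmgFqdn, [int]$Port = 443)

    $tcp = [System.Net.Sockets.TcpClient]::new($CmgFqdn, $Port)
    try {
        # Accept any certificate in the handshake callback; trust is evaluated explicitly below.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($CmgFqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Chain build uses the local Root/Intermediate stores, i.e. what the client would actually trust.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($cert)

    # Name match against SAN dNSName entries; a wildcard such as *.anoopcnair.com covers one label only.
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameMatch = $false
    foreach ($san in $sans) {
        if ($san -ieq $CmgFqdn) { $nameMatch = $true; break }
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)   # e.g. ".anoopcnair.com"
            if ($CmgFqdn.EndsWith($suffix, 'OrdinalIgnoreCase') -and
                $CmgFqdn.Split('.').Count -eq $san.Split('.').Count) { $nameMatch = $true; break }
        }
    }

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        SanNames     = $sans -join ', '
        ChainTrusted = $chainTrusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NameMatches  = $nameMatch
        Ok           = $chainTrusted -and $nameMatch -and ($cert.NotAfter -gt (Get-Date))
    }
}

# Placeholder CMG name; replace with your CMG service CNAME.
Test-CmgServerCert -CmgFqdn 'cmg.example.com' | Format-List
```

If ChainTrusted is false, ChainStatus names the missing root or intermediate that the table's "Root and Intermediate Chain" deployment step (GPO, SCCM cert deployment, or another method) has to deliver to the client.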


Author

Anoop C Nair has been a Microsoft MVP for 10 consecutive years, from 2015 onwards. He is a Workplace Solution Architect with more than 22 years of experience in workplace technologies. He is a blogger, speaker, and local user group community leader. His main focus is on device management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
