How to Setup Co-Management – Introduction – Prerequisites


Co-management is a device manageability feature of Windows. It is a solution that provides a bridge from traditional to modern management and gives you a path to make the transition using a phased approach. This post is based on the presentation Rajul and I gave at GAB 2018.

Co-Management Related Posts

All co-management video tutorials are collected in one post here.

Overview Windows 10 Co-Management with Intune and SCCM
Custom Report to Identify Machines Connected via SCCM CMG
How to Setup Co-Management - Introduction - Prerequisites Part 1 (This Post)
How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2
Setup Co-Management - AAD Connect UPN Suffix Part 3
Setup Co-Management - CA PKI & Certificates Part 4
Setup Co-Management Cloud DP Azure Blob Storage Part 5
Setup Co-Management Azure Cloud Services CMG Part 6
SCCM Configure Settings for Client PKI certificates Part 7
How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
How to Deploy SCCM Client from Intune - Co-Management - Part 9
End User Experience of Windows 10 Co-Management - Part 10

What is Co-Management?

Since Windows 10 1607, you can join a Windows 10 device to on-premises Active Directory (AD) and cloud-based Azure AD at the same time (hybrid Azure AD join). Co-management takes advantage of this improvement and enables you to concurrently manage Windows 10 devices by using both SCCM and Intune.

  • Co-management is a device manageability feature of Windows
  • Bridge from traditional management to modern management
  • Coexistence of management tools (Intune, SCCM and other MDM?)

I accidentally tested the co-management feature with the 1703 version of Windows 10. Can you guess the results of my test? I would recommend having a dedicated HTTPS management point (MP) and Software Update Point (SUP, future-proof for 3rd-party patching developments) to cater for the new changes in SCCM 1802 and later.

Co-Management Prerequisites

We have divided the co-management prerequisites into different technology categories, one column per category in the table below (items marked with * are optional or scenario-dependent).

Azure AD / On-Prem AD                      | SCCM                        | Intune                        | License     | Client OS
-------------------------------------------|-----------------------------|-------------------------------|-------------|-------------------------
Domain Joined + AAD Registered (Hybrid AD) | SCCM 1710 or later          | Intune Standalone (or Mixed?) | EMS or M365 | Windows 10 1709 or later
Azure AD Connect                           | Cloud Management Gateway*   | Azure Subscription (PaaS)*    |             |
ADFS*                                      | Cloud Distribution Point    |                               |             |
Azure AD Joined (Cloud)                    | Cloud Service Configuration |                               |             |
AAD Automatic Enrollment enabled           |                             |                               |             |
Conditional Access Policy Changes*         |                             |                               |             |

Co-Management Entry Points

There are two entry points to co-management that I can think of while writing this post. One entry point is to enroll SCCM-managed Windows 10 devices into Intune management. The other entry point is to install the SCCM client on Windows 10 devices that are already managed by Intune.

I have seen use cases for both entry points. The difference between device management tools will become thinner and thinner in the future. This will be visible to all of us once we are able to transition more workloads between management tools!

SCCM Managed + Domain Joined Client => Intune Enrolment

  • Windows 10 device will automatically get enrolled into Intune based on the co-management configuration
  • Workload transition – Wi-Fi profile, VPN profile, Windows Defender, Configuration* and Compliance policies

Intune Managed + Azure AD Joined Client => SCCM Client Installation

  • Get into Intune management via Autopilot + Configuration Profiles + PowerShell script
  • Use Intune mobile application deployment to install the SCCM client on Windows 10 devices
  • Workload transition – Complex Win32 MSI / App-V
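The prerequisites table and the first entry point above translate into a handful of checks you can run on the client itself before relying on auto-enrollment. The following script is an added example, not code from the original post: it verifies the OS build, the hybrid Azure AD join state, the SCCM client version and whether an Intune MDM enrollment is already present. It assumes dsregcmd.exe prints "AzureAdJoined : YES" and "DomainJoined : YES", that the SCCM client exposes SMS_Client in root\ccm, that the 1710 client maps to version 5.00.8577 and that Intune enrollments carry ProviderID "MS DM Server"; run it elevated.

```powershell
# Added example (not from the original post): local co-management readiness check
# for a domain-joined, SCCM-managed Windows 10 device. Assumed details: dsregcmd
# output format, SMS_Client in root\ccm, 1710 client = 5.00.8577.x, and Intune
# MDM enrollments using ProviderID "MS DM Server".
function Test-CoManagementClientReadiness {
    $r = [ordered]@{}

    # Client OS: Windows 10 1709 is build 16299; anything older is not supported
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $r['OS build >= 16299 (1709)'] = ($build -ge 16299)

    # Identity: hybrid Azure AD join means on-prem domain joined AND Azure AD joined
    $ds  = & dsregcmd.exe /status
    $aad = [bool]($ds | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    $dom = [bool]($ds | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES')
    $r['Hybrid Azure AD joined'] = ($aad -and $dom)

    # SCCM client installed and its service running
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $r['CcmExec service running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

    # SCCM client version 1710 or later (assumed mapping: 1710 client = 5.00.8577.x)
    $client = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Client -ErrorAction SilentlyContinue
    $r['SCCM client >= 1710'] = ($null -ne $client -and
                                 [version]$client.ClientVersion -ge [version]'5.0.8577.0')

    # Intune MDM enrollment present (becomes true once auto-enrollment has completed)
    $enroll = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).ProviderID -eq 'MS DM Server' }
    $r['Intune MDM enrollment present'] = ($null -ne $enroll)

    # One row per check so the output can be filtered or exported
    $r.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
    }
}

Test-CoManagementClientReadiness | Format-Table -AutoSize
```

A device that fails the first two rows will not auto-enroll no matter how the co-management policy is configured, so check those before looking at SCCM-side settings.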

What are the SCCM CMG & CDP Prerequisites

We have presented the CDP and CMG prerequisites, except certificates, in a table format so that they are easy to compare. The SCCM CMG and CDP certificate requirements are the same, and I cover them in the following section.

Cloud Distribution Point (CDP)                                                | Cloud Management Gateway (CMG)
------------------------------------------------------------------------------|---------------------------------------------------------------------
DP on Azure Cloud                                                             | Reverse proxy on Azure?
Azure PaaS solution                                                           | Azure PaaS solution
Azure Classic Deployment – MGMT certs authentication                          | Azure Resource Manager (ARM), SCCM 1802 or later – AAD app authentication
CDP GUID name resolution for clients – CNAME record in your DNS namespace     | Azure Classic Deployment (1710 or below) – MGMT certs authentication
NOT a pre-release feature anymore                                             |

SCCM CMG/CDP Cert Requirements

We have divided the CMG certificate requirements into two categories based on authentication (server/Azure side and client side). We also tried to cover the deployment scenarios in the table below. I would recommend using your PKI infrastructure when your organization already has one (I cover the PKI certificate requirements in this post).

Think about the cloud scenarios and where your PKI infra fits in. I could see a long-term future where all certs authentication can be done with public certs independent of internal PKI. I recommend reading more details about CMG & CDP certs.

  • Self Signed MGMT Cert – Azure Management Certificate (Only for CDP – SCCM 1802 or later )
  • Client Authentication Certificate
  • Server Authentication Certificate (Web Server Template & Custom web server certificate with CMG/CDP CNAME)
  • Client Root (Intermediate CA Issuing Certs) Certificate (A service certificate (PKI) that SCCM clients use to connect to CDP/CMG)

Server/Azure side authentication                                                   | Client side authentication
-----------------------------------------------------------------------------------|------------------------------------------------------------------
CMG creates an HTTPS service for Internet clients                                  | Azure AD token for AAD-joined machines
Azure Management Cert (Classic Deployment only)                                    | Clients must trust the CMG server authentication certificate
Public provider certificate (Verisign/Digicert/Entrust/GoDaddy etc.) or PKI        | Public provider certificate root CA
Wildcard server authentication certificate support (1802 onwards), *.anoopcnair.com | Root and intermediate chain of client certs delivered to clients
Manual upload – SCCM CMG installation wizard                                       | Deploy – GPO, SCCM cert deployment, any other delivery method
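The client-side column comes down to two things the SCCM client will enforce when it talks to the CMG or CDP: the server authentication certificate must chain to a root the client already trusts, and its name must cover the CMG/CDP CNAME (wildcard certificates are allowed from 1802). The script below is an added example, not code from the original post: it fetches the certificate a CMG/CDP endpoint presents and evaluates both conditions from the client's point of view. It assumes Windows PowerShell on the client (the SAN extension is parsed from the Windows "DNS Name=" format) and uses a hypothetical placeholder FQDN for the CMG CNAME.

```powershell
# Added example (not from the original post): verify a CMG/CDP server certificate
# from a client. Assumptions: Windows PowerShell, SAN formatted as "DNS Name=...",
# and a placeholder FQDN that you replace with your CMG/CDP CNAME.
function Test-CmgServerCertificate {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # Accept whatever the server sends during the handshake; trust is evaluated below.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Chain validation against this machine's trust store, including revocation checking
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)

    # Names the certificate claims: subject CN plus every SAN DNS entry (OID 2.5.29.17)
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1] }
    }

    # Exact match, or a wildcard that replaces exactly the leftmost label (*.example.com)
    $nameOk = $false
    foreach ($n in $names) {
        if ($n -eq $Fqdn) { $nameOk = $true }
        elseif ($n.StartsWith('*.') -and $Fqdn -like ('*' + $n.Substring(1)) -and
                ($Fqdn.Split('.').Count -eq $n.Split('.').Count)) { $nameOk = $true }
    }

    [pscustomobject]@{
        Fqdn         = $Fqdn
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        ChainTrusted = $chainOk
        ChainErrors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NameMatches  = $nameOk
    }
}
Test-CmgServerCertificate -Fqdn 'cmg.example.com' | Format-List
```

If ChainTrusted is false with a PartialChain or UntrustedRoot status, the root or intermediate delivery to clients (GPO, SCCM certificate deployment) is the thing to fix, not the CMG itself.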
