SCCM ConfigMgr How to Setup Co-Management – Introduction – Prerequisites

Let us learn that Co-management is a device manageability feature of Windows. It’s a solution that provides a bridge from traditional to modern management and gives you a path to make the transition using a phased approach. This post is based on the presentation Rajul and I had given at GAB 2018.

Co-Management Related Posts

All Co-Management Video Tutorial in one post

Overview Windows 10 Co-Management with Intune and SCCM 
Custom  Report to Identify Machines Connected via SCCM CMG 
How to Setup Co-Management - Introduction - Prerequisites Part 1 (This Post)
How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 
Setup Co-Management - AAD Connect UPN Suffix Part 3 
Setup Co-Management - CA PKI & Certificates Part 4 
Setup Co-Management Cloud DP Azure Blob Storage Part 5 
Setup Co-Management Azure Cloud Services CMG Part 6
SCCM Configure Settings for Client PKI certificates Part 7
How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
How to Deploy SCCM Client from Intune - Co-Management - Part 9
End User Experience of Windows 10 Co-Management - Part 10

What is Co-Management?

Windows 10(1607), you can join a Windows 10 device to on-premises Active Directory (AD) and cloud-based Azure AD at the same time (hybrid AAD). Co-management takes advantage of this improvement & enables you to concurrently manage Windows 10 devices by using SCCM and Intune.

  • Co-management is a device manageability feature of Windows
  • Bridge from Traditional management to modern Management
  • Coexistence of management tools (Intune, SCCM, and other MDM??)

I accidentally tested the co mgmt feature with the 1703 version of Windows 10. Can you guess the results of my test? I would recommend having a dedicated HTTPS management point (MP) and Software Update Point (SUP – future proof for 3rd party patching developments) to cater the new changes in SCCM 1802 and later.

Patch My PC

Co-Management Prerequisites

We have divided Co-management prerequisites into different technology categories.

  • Azure AD/On-Prem AD
  • SCCM
  • Intune
  • License
  • Client OS
Azure Active Directory or On-Prem ADSCCMIntuneLicenseClient OS
Domain Joined + AAD Registered (Hybrid AD)SCCM 1710 or laterIntune Standalone (or Mixed?)EMS or M365Windows 10 1709 or Later
Azure AD ConnectCloud Management Gateway* Azure Subscription (PaaS)* 
ADFS*Cloud Distribution Point   
Azure AD Joined (Cloud)Cloud Service Configuration   
AAD Automatic Enrollment enabled    
Conditional Access Policy Changes*    
SCCM ConfigMgr How to Setup Co-Management – Introduction – Prerequisites

Co-Management Entry Points

I can think of two entry points to co-management while writing this post. One entry point to co-management is to enroll SCCM-managed Windows 10 devices into Intune management.

Another entry point to co-management is installing the SCCM client on Windows 10 devices already managed by Intune.

I have seen use cases for both entry points. The difference between device management tools will become more and thinner in the future. This will be visible to all of us when we would be able to transition more workloads between management tools!


SCCM Managed + Domain Joined Client => Intune Enrolment

  • Windows 10 device will automatically get enrolled to Intune based on Co-Mgmt Configuration
  • Workload Transition – Wi-Fi Profile, VPN Profile, Window Defender, Configuration* and Compliance policies

Intune Managed + Azure AD Joined Client ==> SCCM Client Installation

  • Get into Intune management via – Auto-Pilot + Configuration Profiles + PowerShell Script
  • Use Intune Mobile Application Deployment to install the SCCM client on Windows 10 devices
  • Workload Transition – Complex Win 32 MSI / App-V

What are the SCCM CMG & CDP Prerequisites

We have presented CDP and CMG prerequisites except for certs in a table format so that it will be easy to understand. SCCM CMG & CDP cert requirements are the same, and I’ve covered this in the following section.

Cloud Distribution Point (CDP)Cloud Management Gateway (CMG)
DP on Azure CloudReverse Proxy on Azure?
Azure PaaS SolutionAzure PaaS Solution
Azure Classic Deployment – MGMT Certs AuthenticationAzure Resource Manager (ARM) SCCM 1802 or later – AAD App Authentication
CDP GUID name resolution for clients – CNAME record in your DNS namespaceAzure Classic Deployment (1710 or below) – MGMT Certs Authentication
 NOT Pre-release Feature Anymore
SCCM ConfigMgr How to Setup Co-Management – Introduction – Prerequisites

SCCM CMG/CDP Cert Requirements

We have divided CMG cert requirements into 2(two) categories based on authentication. I also tried to cover the deployment scenarios in the below table.

I recommend using PKI infra when you already have PKI infra for your organization (I cover PKI cert requirements in this post).

Think about the cloud scenarios and where your PKI infra fits in. I could see a long-term future where all certs authentication can be done with public certs independent of internal PKI. I recommend reading more details about CMG & CDP certs.

  • Self Signed MGMT Cert – Azure Management Certificate (Only for CDP – SCCM 1802 or later )
  • Client Authentication Certificate
  • Server Authentication Certificate (Web Server Template & Custom web server certificate with CMG/CDP CNAME)
  • Client Root (Intermediate CA Issuing Certs) Certificate (A service certificate (PKI) that SCCM clients use to connect to CDP/CMG)
Server/Azure side authenticationClient-side authentication
CMG creates an HTTPS service for Internet ClientsAzure AD Token for AAD joined machines
Azure Management Cert (Classic Deployment Only)Clients must trust the CMG server authentication certificate
Public Provider Certificate (Verisign/Digicert/Entrust/GoDaddy etc) or PKIPublic Provider Certificate Root CA
Wildcard server authentication certificate support (1802 onwards) *.anoopcnair.comRoot and Intermediate Chain of Client Certs to clients
Manual Upload – SCCM CMG installation wizardDeploy – GPO, SCCM Cert deployment, Any other delivery method
SCCM ConfigMgr How to Setup Co-Management – Introduction – Prerequisites

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.