Let us learn that Co-management is a device manageability feature of Windows. It’s a solution that provides a bridge from traditional to modern management and gives you a path to make the transition using a phased approach. This post is based on the presentation Rajul and I had given at GAB 2018.
Co-Management Related Posts
All Co-Management Video Tutorial in one post
Overview Windows 10 Co-Management with Intune and SCCM Custom Report to Identify Machines Connected via SCCM CMG How to Setup Co-Management - Introduction - Prerequisites Part 1 (This Post) How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 Setup Co-Management - AAD Connect UPN Suffix Part 3 Setup Co-Management - CA PKI & Certificates Part 4 Setup Co-Management Cloud DP Azure Blob Storage Part 5 Setup Co-Management Azure Cloud Services CMG Part 6 SCCM Configure Settings for Client PKI certificates Part 7 How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8 How to Deploy SCCM Client from Intune - Co-Management - Part 9 End User Experience of Windows 10 Co-Management - Part 10
What is Co-Management?
Windows 10(1607), you can join a Windows 10 device to on-premises Active Directory (AD) and cloud-based Azure AD at the same time (hybrid AAD). Co-management takes advantage of this improvement & enables you to concurrently manage Windows 10 devices by using SCCM and Intune.
- Co-management is a device manageability feature of Windows
- Bridge from Traditional management to modern Management
- Coexistence of management tools (Intune, SCCM, and other MDM??)
I accidentally tested the co mgmt feature with the 1703 version of Windows 10. Can you guess the results of my test? I would recommend having a dedicated HTTPS management point (MP) and Software Update Point (SUP – future proof for 3rd party patching developments) to cater the new changes in SCCM 1802 and later.
Co-Management Prerequisites
We have divided Co-management prerequisites into different technology categories.
- Azure AD/On-Prem AD
- SCCM
- Intune
- License
- Client OS
| Azure Active Directory or On-Prem AD | SCCM | Intune | License | Client OS |
| Domain Joined + AAD Registered (Hybrid AD) | SCCM 1710 or later | Intune Standalone (or Mixed?) | EMS or M365 | Windows 10 1709 or Later |
| Azure AD Connect | Cloud Management Gateway* | Azure Subscription (PaaS)* | ||
| ADFS* | Cloud Distribution Point | |||
| Azure AD Joined (Cloud) | Cloud Service Configuration | |||
| AAD Automatic Enrollment enabled | ||||
| Conditional Access Policy Changes* |
Co-Management Entry Points
I can think of two entry points to co-management while writing this post. One entry point to co-management is to enroll SCCM-managed Windows 10 devices into Intune management.
Another entry point to co-management is installing the SCCM client on Windows 10 devices already managed by Intune.
I have seen use cases for both entry points. The difference between device management tools will become more and thinner in the future. This will be visible to all of us when we would be able to transition more workloads between management tools!
SCCM Managed + Domain Joined Client => Intune Enrolment
- Windows 10 device will automatically get enrolled to Intune based on Co-Mgmt Configuration
- Workload Transition – Wi-Fi Profile, VPN Profile, Window Defender, Configuration* and Compliance policies
Intune Managed + Azure AD Joined Client ==> SCCM Client Installation
- Get into Intune management via – Auto-Pilot + Configuration Profiles + PowerShell Script
- Use Intune Mobile Application Deployment to install the SCCM client on Windows 10 devices
- Workload Transition – Complex Win 32 MSI / App-V
What are the SCCM CMG & CDP Prerequisites
We have presented CDP and CMG prerequisites except for certs in a table format so that it will be easy to understand. SCCM CMG & CDP cert requirements are the same, and I’ve covered this in the following section.
| Cloud Distribution Point (CDP) | Cloud Management Gateway (CMG) |
| DP on Azure Cloud | Reverse Proxy on Azure? |
| Azure PaaS Solution | Azure PaaS Solution |
| Azure Classic Deployment – MGMT Certs Authentication | Azure Resource Manager (ARM) SCCM 1802 or later – AAD App Authentication |
| CDP GUID name resolution for clients – CNAME record in your DNS namespace | Azure Classic Deployment (1710 or below) – MGMT Certs Authentication |
| NOT Pre-release Feature Anymore |
SCCM CMG/CDP Cert Requirements
We have divided CMG cert requirements into 2(two) categories based on authentication. I also tried to cover the deployment scenarios in the below table.
I recommend using PKI infra when you already have PKI infra for your organization (I cover PKI cert requirements in this post).
Think about the cloud scenarios and where your PKI infra fits in. I could see a long-term future where all certs authentication can be done with public certs independent of internal PKI. I recommend reading more details about CMG & CDP certs.
- Self Signed MGMT Cert – Azure Management Certificate (Only for CDP – SCCM 1802 or later )
- Client Authentication Certificate
- Server Authentication Certificate (Web Server Template & Custom web server certificate with CMG/CDP CNAME)
- Client Root (Intermediate CA Issuing Certs) Certificate (A service certificate (PKI) that SCCM clients use to connect to CDP/CMG)
| Server/Azure side authentication | Client-side authentication |
| CMG creates an HTTPS service for Internet Clients | Azure AD Token for AAD joined machines |
| Azure Management Cert (Classic Deployment Only) | Clients must trust the CMG server authentication certificate |
| Public Provider Certificate (Verisign/Digicert/Entrust/GoDaddy etc) or PKI | Public Provider Certificate Root CA |
| Wildcard server authentication certificate support (1802 onwards) *.anoopcnair.com | Root and Intermediate Chain of Client Certs to clients |
| Manual Upload – SCCM CMG installation wizard | Deploy – GPO, SCCM Cert deployment, Any other delivery method |