Many organisations are looking for a more simplified management options for Windows devices. There are two ways of management. First one is. The Traditional way of management and the second is the Modern way of management. They are also looking for a more easy way to transition from SCCM and Domain Join devices (Traditional) to a modern management approach with InTune and Azure AD Join devices (Modern). In this post, we will see How to Setup SCCM CB and InTune Co-Management.
I have an another post which covers more “Management strategic” details about co mgmt – Overview Windows 10 Co-Management with Intune and SCCM
More details about SCCM CB 1709 upgrade and Co-Management setup via Video Tutorial here
Co-Management option is available only on a Preview release of SCCM CB 1709. I don’t know whether it will make it to SCCM CB 1710 Production release in a couple of months. But, I guess is that Co-Management will be available in SCCM CB 1710 production release.
What is Co-Management?
In simple terms, SCCM CB co-management is a dual management capability offered for Windows 10 1709 version (Fall Creators Update) devices. InTune and SCCM can manage windows 10 1709 devices at the same time. For example, eligible Windows 10 devices will be managed via SCCM client. And some other workloads will be managed by InTune MDM channel. We will see more details about the Workloads in the below section of this post.
This co-management is only available for the Intune subscriptions which are set INTUNE as MDM authority.
So you might be thinking, how can handle the conflicts of policies in SCCM Co-Management scenario? Yeah, the conflicts of configuration/compliance policies will be controlled via Co-Management Configuration policies in SCCM CB. You can select which workloads can be managed via Intune. And all other Workloads of SCCM will be managed through SCCM management method.
SCCM CB 1709 upgrade and Co-Management setup via Video Tutorial here.
Where can we Setup SCCM Co-Management Policies?
Install or Upgrade SCCM CB 1709 or a later version of SCCM. Navigate SCCM CB 1709 (or later) console via \Administration\ Overview\ Cloud Services\Co-management. Click on the button “Configure Co-Management” to create Co-management Production or Co-Management Pilot policies.
SCCM CB Co-Management Configuration Wizard – STAGING Options?
There are 2 staging options available in SCCM CB co-management. Following are the 2 options:-
- Co-Management Production Policies (CoMgmtSettingsProd)
- Co-Management Pilot Policies (CoMgmtSettingsPilot)
Configure roll out groups – Pilot Collection
Configure co-management will only be enabled for a selected pilot collection. Selected Window 10 1709 or later devices will be in the pilot group for Co-Management. This pilot group of this collection can use for a staged co-management roll-out. We can choose to initiate automatic enrollment or move workloads to InTune for devices in the pilot group before you roll out co-management to all supported Windows 10 devices in your production environment.
Configure Co-management for Production collection with exclusion collection
Configure co-management policy for production. You may select an exclusion group that will be excluded from co-management in your production environment. Exclusion groups can be any collection of Windows 10 devices, and those devices will be excluded from co-management.
SCCM CB 1709 upgrade and Co-Management setup via Video Tutorial here.
How to Enable SCCM Co-Management for SCCM Clients and Intune Managed Devices?
There are two ways to enable SCCM co-management for Windows 10 1709 devices.
- Enable Co-management for SCCM Clients
- Enable Co-management for Intune managed devices
Enable Co-management for SCCM Clients
To enable co-management for already SCCM Managed Devices with Intune, you need to select following option. To enable co-management for devices managed by SCCM and configure. Select either ALL or Pilot from the drop-down menu to manage all/pilot SCCM clients via Intune.
SCCM CB 1709 upgrade and Co-Management setup via Video Tutorial here.
Enable Co-management for Intune Managed Devices
To enable co-management for already, Intune managed devices with SCCM; you need to create an application in Intune. This application will install SCCM client onto Intune managed devices. SCCM team provided sample command line to install SCCM client. Following is the sample command line provided in the wizard:-
CCMSETUPCMD="/mp:https:// CCMHOSTNAME= SMSSiteCode= SMSMP=https:// AADTENANTID= AADTENANTNAME= AADCLIENTAPPID= AADRESOURCEURI= SMSPublicRootKey="
What is SCCM Co-Management Workloads?
SCCM Co-Management workloads are functionalities/features of device management. For example, the Compliance policies, Configuration Policies, Software Updates, Resource Access policies (WiFi Profiles/VPN Profiles etc..), Application deployment etc. are co-management workloads.
How to configure/select Workloads for Co-management?
SCCM continues to manage all workloads functionalities of device management even after enabling the co-management option. When you decide that you are ready for co-management then, you can start using InTune for managing available workloads. Co-Management Configuration Wizard provides the ability to select these functionalities /features. Following are the 3 features enabled for co-management :-
Compliance Policies (this will work with Conditional Access)
Resource Access Policies (WiFi, SCEP etc..Anything comes under SCCM console Company Resource Access node)
Windows Update Policies (Patching without on-prem WSUS/SUP)For Windows 10 devices that are in co-management state. You can have Microsoft Intune start managing different workloads/features. Choose pilot Intune to have Microsoft Intune start managing different workloads. Choose Pilot Intune to have Intune manage the workloads for only clients in the pilot groups. If you want to manage these workloads with SCCM, then select ConfigMgr/SCCM. If you want to manage these workloads with Intune then, select Intune.
SCCM CB 1709 upgrade and Co-Management setup via Video Tutorial here.
Awesome. I cannot wait to manage this feature as well as AutoPilot.
how do you get the intune managed clients to install the configuration manager client if they are only azure AD joined? How do you get intune clients to also be domain joined automatically?
There are more steps than just enabling in SCCM.
Sure thing.And this was a preview of Co MGMT which I tested. BTW, I tested co management before Microsoft released that feature with SCCM because the CO-MGMT with Windows 10 was available well before that. So if you have proper connectivity to your SCCM and Intune infra then, you can do co mgmt 🙂
I see there 2 things related to WUfB,
1) “Diagnostic & usage data” is set to “Basic”. (https://docs.microsoft.com/en-us/intune/windows-update-for-business-configure)
2) Deploy policy to stop clients using WSUS/SUP (https://docs.microsoft.com/en-us/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10#configure-windows-update-for-business-deferral-policies)
When we change the workload in Co-management for “Windows Update Policy” from SCCM to Intune should we take care of above items.
Thank you Paddy for the insights! This is great information. I shall test it soon