Overview Windows 10 Co-Management with Intune and SCCM


Co-management is another buzzword in the device management world. What is co-management? Windows 10 co-management is a dual-management capability available with Windows 10 version 1709 (Fall Creators Update) and later. Co-management is the bridge between traditional management and modern management. This post gives an overview of Windows 10 co-management with Intune and SCCM.

I had a fascinating conversation with Bill Bernat on the topics of Co-Management, Autopilot, and CMG. You can watch the E³ podcast video here. This is my first interview experience!

Co-Management Related Posts

Overview Windows 10 Co-Management with Intune and SCCM 
Custom Report to Identify Machines Connected via SCCM CMG 
How to Setup Co-Management - Introduction - Prerequisites 
How to Setup Co-Management - Firewall Ports Proxy Requirements 
Setup Co-Management - AAD Connect UPN Suffix 
Setup Co-Management - CA PKI & Certificates

Topics Covered in this post

Why Modern Management?
How to move from Traditional Management to Modern Management?
Entry Points to Co-Management?
Co-Management SCCM Requirements?
Sample High Level Architecture of Co-Management with SCCM & Intune
What is Enterprise Endpoint Experts (E³) Podcast?

Why Modern Management?

What are the problems with traditional management? Why are most organizations trying to move to modern management? It’s all about moving fast and adopting the agile scrum method.

I did a more detailed analysis of the IT industry in the post called Future of SCCM ConfigMgr Intune Admin Jobs. I hope the Airbnb and Uber stories will give you more thought points about modern management.

Traditional IT is designed to manage a single business-owned device that is always connected to the corporate network. The device and user landscape has changed over the years. To handle these changes in the modern world, IT needs to change.

Modern IT management should be agile and able to handle multiple flavours of devices for users. It should also be able to manage cloud-managed SaaS applications. Automation, proactiveness, and self-service are the other three trigger points for modern IT.


How to move from Traditional to Modern Management?

Co-management is the transition method proposed by Microsoft to move towards modern management. In my opinion, this transition method will help organizations that have a lot of on-prem infrastructure.

The first step of this transition should be Windows 10 co-management with SCCM and Intune. Prominent organizations can’t take a big leap towards modern management. Co-management is the best approach to transforming in a controlled and iterative way.


Entry Points to Co-Management?

1. SCCM + Domain Joined Devices
2. Intune + AAD Joined Devices

1. SCCM + Domain Joined Devices

Assume that your organization is already an SCCM shop and SCCM manages all the devices. In this scenario, you can offload some of your SCCM workloads to Intune.

For example:

When you have a Windows 10 device that is already managed by the SCCM client, you can configure co-management to offload the compliance policy workload to Intune. From my perspective, setting up a compliance policy in Intune is a much better experience than in SCCM. Moreover, there are some advanced controls in Intune compliance policies.

After the co-management configuration, compliance policies can be deployed via Intune, so we don’t need to create and implement them from SCCM. Other workloads, like Win32 application deployment, can still be handled through SCCM.

2. Intune + AAD Joined Devices

Assume that you have Intune set up and your organization doesn’t have any on-prem infrastructure. The devices are already managed through Intune. As of today, there are some gaps in Intune management, such as Win32 application deployment.

If your organization wants to deploy a Win32 application with a complicated command line to an Intune-managed device, it needs some help from SCCM. This is where the second entry point of co-management comes into the picture.

You can configure SCCM to co-manage that machine with Intune, as you can see in the co-management configuration video above. Intune can deploy the SCCM client to Intune-managed devices so that the device is capable of installing Win32 applications via SCCM.
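To tell which of the two entry points a given device falls under, the following added PowerShell example (not from the original post) parses `dsregcmd /status` output and combines it with whether the SCCM client service is present. The function names, the constructed sample text, and the use of the `CcmExec` service as the SCCM client indicator are assumptions of this example; Intune enrollment itself is not checked.

```powershell
# Added example: classify a device against the two co-management entry points.
# Input is the text of `dsregcmd /status` plus whether the SCCM client service
# (CcmExec, assumed indicator) is installed. The sample below is constructed.

function Get-JoinState {
    param([Parameter(Mandatory)][string]$DsregText)
    $state = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in $DsregText -split "`r?`n") {
        # dsregcmd prints "Name : VALUE" pairs; keep only the two we need.
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

function Get-CoManagementEntryPoint {
    param(
        [Parameter(Mandatory)][string]$DsregText,
        [Parameter(Mandatory)][bool]$SccmClientInstalled
    )
    $s = Get-JoinState -DsregText $DsregText
    # Entry point 1 also covers hybrid devices (both join flags YES).
    if ($s.DomainJoined -and $SccmClientInstalled) {
        return 'Entry point 1: SCCM + domain joined'
    }
    # Cloud-only join; Intune enrollment must be confirmed separately.
    if ($s.AzureAdJoined -and -not $s.DomainJoined) {
        return 'Entry point 2 candidate: AAD joined (confirm Intune enrollment)'
    }
    return 'Neither entry point: review join state and client install'
}

# Constructed sample of the relevant dsregcmd /status lines.
$sample = @"
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
"@

Get-CoManagementEntryPoint -DsregText $sample -SccmClientInstalled $true

# On a live device:
# $text = (dsregcmd /status) -join "`n"
# $ccm  = [bool](Get-Service -Name CcmExec -ErrorAction SilentlyContinue)
# Get-CoManagementEntryPoint -DsregText $text -SccmClientInstalled $ccm
```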


Co-Management SCCM Prerequisites?

Cloud Management Gateway (CMG)
Cloud Distribution Point (CDP)

When you want to use both entry points to co-management, there are two prerequisites on the SCCM side: CMG (Cloud Management Gateway) and Cloud DP (CDP). CDP and CMG are Platform as a Service (PaaS) solutions in Azure. CMG and CDP have their own prerequisites, which I’m not going to cover on this blog.

The Cloud Management Gateway is an SCCM proxy solution hosted in an Azure cloud service. I assume the CMG communication flow is similar to that of Azure App Proxy. Yes, there are some PKI requirements for CMG and CDP.

Example: A client on the internet contacts SCCM to get policies. The request reaches the CMG, which forwards it to the on-prem SCCM components. The on-prem SCCM component validates the request and provides policies via the CMG.

The Cloud Distribution Point is another PaaS solution in Azure, and it’s a content location in the cloud. The CDP role is similar to the on-prem Distribution Point role. Clients on the internet can easily get content from the Cloud Distribution Point.

Sample High-Level Architecture of Co-Management with SCCM & Intune


What is Enterprise Endpoint Experts (E³) Podcast?

Adaptiva has insightful articles and videos from IT industry experts on their website, Adaptiva Academy. The E³ podcast is an excellent resource for video/audio interviews with SCCM, Intune, and security experts from the industry.

Bill is an excellent host of Adaptiva’s E³ podcasts. He is very serious with all his interviews. I had a unique experience being his guest for this month’s Enterprise Endpoint Experts (E³) Podcast. You can watch the interview from here.


Plan for the cloud management gateway in Configuration Manager - here

Co-Management - Ask Microsoft Anything (AMA) about Co-Management - here

How to Setup SCCM CB and Intune Co-Management - here

Co-management of Windows 10 and Office 365 ProPlus with SCCM and Intune - here


  1. Hi Anoop, I have a question I hope you can answer. If we have an on-prem AD joined Windows 10 device and have set up co-management, do we have to configure (1) “hybrid Azure Active Directory joined devices” or (2) configure the GPO “Enroll a Windows 10 device automatically using Group Policy”, or (3) does the ConfigMgr client do this and register the device?

    Secondly, when we have an on-prem AD joined Windows 10 device and have set up full co-management with client management gateway and cloud distribution point, and the device is off network for more than 30 days, does the computer account/password expire, or is this mitigated by the management gateway/internet facing?

  2. Hey, I will try to answer. Are you using AAD Connect to sync on-prem AD and AAD? That is the first requirement. I would prefer to use SCCM client policies instead of GPO. If you have ADFS, then you may need to perform some action on the ADFS side also.
    More details https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup

    Are you looking for an SSO experience for the user? If so, the following article has loads of details.

    More details https://jairocadena.com/2016/11/08/how-sso-works-in-windows-10-devices/

    • Hi Anoop, Yes, we have AD Connect and ADFS. But is setting up ‘hybrid azuread joined devices’ a requirement? On TechNet I read:

      ‘When you have Windows 10 devices that are Configuration Manager clients, you can enroll these devices and enable co-management from the Configuration Manager console. Configuration Manager triggers automatic enrollment into Intune based on the Azure AD tenant information.’

      Is the registration done automatically by co-management, or does the admin need to trigger something in co-management or the SCCM client to get the device registered? The TechNet text above states that configuring ‘hybrid azuread joined devices’ would not be necessary.

      For the 30 days offsite/offline question, a better approach would be to do AAD join and then install the SCCM client for co-management, right?

