With the release of SCCM 1710, one of the key new features is the SCCM Co-Management possibility with Microsoft Intune. Comanagement enables some interesting features like conditional access, remote actions with Intune, and provisioning using AutoPilot. You can decide which feature is managed by which platform (SCCM or Intune). This is great to slowly phase into Intune.

There are two main paths to reach to co-management:

  1. Windows 10 and later devices managed by Configuration Manager and hybrid Azure AD joined get enrolled into Intune
  2. Windows 10 devices that are enrolled in Intune and then install with the Configuration Manager client

We will describe how to enable co-management and enroll an SCCM-managed Windows 10 device into Intune.

SCCM Co-Management Prerequisites

Concept of SCCM 1710 Co-Management

Microsoft provides a great diagram that explains how the workload is managed when co-management is activated.

SCCM co-management

The co-management provides the ability to offload some workload to Intune. There are 3 categories of workloads :

Once a workload is offloaded to Intune, SCCM no longer manages those settings on the Windows client.

The co-management is designed to allow administrators to Pilot to specific computers before completely offloading a workload to Intune, allowing a smooth transition.

Enable SCCM 1710 Co-Management

Here’s how to enable SCCM co-management.

  • Go to Administration / Cloud Services / Co-Management and select Configure Co-Management
SCCM co-management
  • Enter your Intune Credentials
SCCM co-management
  • Select who can Automatic Enroll in Intune
    • We strongly recommend beginning with Pilot. This will require selecting a collection to limit allowed computers only
    • This can be changed later when ready to production roll-out
SCCM co-management
  • Configure the Workloads
    • This can be left to all SCCM for now and adjusted later on
SCCM co-management
  • Select a computer collection to be used for pilot
SCCM co-management
  • Summary, click Next
  • Co-Management is then enabled
  • Under Properties / Enablement, the Automatic enrollment can be changed from Pilot to Production
  • Under Properties / Workloads, it’s possible to set the slider for the different workloads and assign them to Pilot or Intune

Before changing any workload to pilot, it’s time to enroll a computer into Intune, while still managed by SCCM.

Enroll Windows 10 1709 client into Intune for Co-management

  • The first step is to enable the GPO to enable Auto MDM Enrollment with AAD Token
    • Location : Computer Configuration/Administrative Template/Windows Components/MDM

Important Info

If you don’t see the GPO, your Central store needs to be updated with the latest ADMX from Windows 10 1709

  • Next, add the computer to the Pilot collection for Co-Management
  • After the next machine policy update, the client will begin to enroll.
    • On the client, the CoManagementHandler.log will provide the details.
    • Note that during our testing, this took a while to get going in the logs. Many errors show up before it works correctly, without changing a thing. Patience is key.

After a little while (hours) the client will change from MDM – none to MDM – Intune

Before MDM managed

After MDM managed

  It will eventually report that the device is managed by MDM/ConfigMgr Agent

SCCM co-management

At that point, it’s time to configure Intune policy to eventually switch Workloads

More details about switching workload to Intune on Microsoft learn.

Comments (12)

Suraj Malusare

04.17.2019 AT 12:38 AM
Hey SC Dudes, we are working on different features of SCCM in our organization, and also some of our colleague getting their hands dirty on Inutne and autopilot, however while looking at SCCM Co management feature I observed that it has functionality to shift the workload to intune. My question is when Microsoft announced that from Sept1, 2019 they will retire the Hybrid MDM service offering and asking users to move from Hybrid MDM to Intune standalone, then in this case how different the "Co-Management" feature is ? Co-management is also working as hybrid which allows to perform some task using Configuration manager and shifting some task of CM to intune. Then will this feature also deprecated soon ? or Co-management is altogether different theory ? Regards, Suraj

Dayanand

10.24.2018 AT 04:43 AM
Hi Jonathan, Is there a blog that I can follow for the second path? > 2. Windows 10 devices that are enrolled in Intune and then install with the Configuration Manager client.

Gatis

10.01.2018 AT 04:42 AM
Hello, I have similar problem like James have: "Have enrolled a device, it says that it is managed by MDM/ConfigMgr Agent but the Azure AD Device MDM is still set to none." It's been more than two weeks and status still not changing. Additionally did some tests and confirm that workstations are receiving Windows Update for Business policy from Intune.

Anubhav Sharma

07.22.2018 AT 12:04 PM
No Idea, why co-management keeps failing at error MDM enrollment failed with error code 0xcaa9001f

Jan

06.20.2018 AT 04:24 AM
Hi, any ideas what might be the reason if SCCM is not saving the configuration for staging or enablement? Greetings Jan

John

04.23.2018 AT 09:43 AM
If i have a Windows 10 1709 'traditional workgroup' device and then Azure AD Join it so that's managed via Intune . Is there a paper on how to make it Co-Managed and Manage it via SCCM. Windows 10 Co-Management works fine on traditional AD joined and managed via SCCM, just not the other way.

Rkast

04.19.2018 AT 03:22 PM
Thanks Jonathan. So we meed to enable hybrid aad devices and also use the auto mdm enroll gpo? Thats not really #just4clicks #fliptheswitch

James

04.18.2018 AT 10:43 AM
Have enrolled a device, it says that it is managed by MDM/ConfigMgr Agent but the MDM is still set to none.

Rkast

03.20.2018 AT 01:09 PM
I have a question I hope you can answer. If we have on-prem AD joined Windows 10 device and have setup co-management do we have to configure (1) “hybrid Azure Active Directory joined devices” or (2) configure the GPO “Enroll a Windows 10 device automatically using Group Policy” or (3) does the ConfigMgr client do this and registers the device? Secondly when we have on-prem AD joined Windows 10 device and have setup full co-management with client management gateway and cloud distribution point, and the device is off network for more than 30 days does the computer account/password expire or is this mitigated by the management gateway/internet facing?

Jonathan Lefebvre

03.21.2018 AT 10:37 AM
Hi Rkast, #1 Computer must be Hybrid AD and AAD joined, there a link in the pre-req section. It also require the auto-enroll policy. and finally no the SCCM client is not taking care of any of that. #2 Cloud management gateway/DP have nothing to do with AD/AAD. They only serve for SCCM purpose. Thanks Jonathan

lvillesystemsjockey

10.25.2018 AT 10:00 AM
I can confirm that I had to set with GPO to get my devices to enroll. The device sat with the Co-management AutoEnrollment setting for 1 day, with reboot to no avail. Once GPO was configured, GPUPDATE /FORCE and reboot, the machine showed as co-managed. Vote on User Voice to see that this is address by explanation, documentation or feature change! https://configurationmanager.uservoice.com/forums/300492-ideas/suggestions/35824729-co-management-settings-do-not-set-the-enable-auto