What is co-management?

Co-management is one of the primary ways to attach your existing ConfigMgr environment to the M365 cloud.

Co-management enables you to concurrently manage Windows 10 and Windows 11 devices by using both ConfigMgr and MS Intune.

When a Windows PC has the SCCM client and is enrolled in Intune, it uses both services. You control which workloads you switch from SCCM to Intune. SCCM still manages all other workloads, including the ones you don't switch to Intune, and all other SCCM features that co-management doesn't support yet.

You can pilot a workload with a pilot collection of devices, which lets you test the Intune functionality on that collection before switching production devices.

When a workload is completely moved to Intune, to prevent a policy conflict over which management authority's policy is enforced, you can deploy the following Policy CSP setting to give MDM preference over GPO:

./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP
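As an added example (not code from the original article), the PowerShell below audits whether MDMWinsOverGP is in effect on a co-managed device and builds the OMA-URI entry you would enter in an Intune custom configuration profile for the path above. It assumes that Policy CSP values are mirrored in the registry under `HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>`; verify that location on your Windows build before relying on it.

```powershell
# Added example, not from the original article.
# Assumption: Policy CSP settings are mirrored under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.
# The OMA-URI path itself is the one given in the article.

$OmaUri = './Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP'

function Get-MdmWinsOverGPState {
    # Reads the mirrored policy value and reports which authority wins on conflict.
    $regPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'  # assumed location
    $value = $null
    if (Test-Path $regPath) {
        $value = (Get-ItemProperty -Path $regPath -Name 'MDMWinsOverGP' -ErrorAction SilentlyContinue).MDMWinsOverGP
    }
    # 1 = MDM policy overrides conflicting GP settings; 0 or absent = default behaviour
    $state = 'Not configured'
    if ($value -eq 1) { $state = 'MDM wins' }
    elseif ($value -eq 0) { $state = 'Default (GP wins on conflict)' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OmaUri        = $OmaUri
        RawValue      = $value
        MdmWinsOverGP = ($value -eq 1)
        State         = $state
    }
}

function New-MdmWinsOverGPSetting {
    # Returns the fields you fill in for an Intune custom profile (OMA-URI Settings).
    [pscustomobject]@{
        Name        = 'MDM wins over GP'
        Description = 'Give Intune (MDM) precedence over conflicting group policy once a workload is moved'
        OmaUri      = $OmaUri
        DataType    = 'Integer'
        Value       = 1
    }
}

Get-MdmWinsOverGPState  | Format-List
New-MdmWinsOverGPSetting | Format-List
```

Run `Get-MdmWinsOverGPState` on a pilot device after the profile has applied; a `State` of "Not configured" on a device that should have received the setting usually means the profile has not synced yet or is not targeted at that device.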

Here is a diagrammatic overview of co-management:

[Image: co-management overview]

Busting myths:

Co-management, Tenant Attach, Cloud Management Gateway and Hybrid AAD Join are all different things, but they can all work together and increase functionality.

We already talked about co-management; let's look at the others.

Tenant Attach - Tenant attach is one of the ways to connect your SCCM environment to the M365 cloud. It sets up a sync between the SCCM site and your Intune tenant so you can see SCCM clients in the Intune console. You can connect multiple Configuration Manager instances to a single Intune tenant.

CMG - The Cloud Management Gateway gives internet-connected SCCM clients secure access to your internal SCCM infrastructure. It is not an exact comparison, but for understanding you can think of it as a replacement for IBCM, where you had to build an on-prem DMZ infrastructure to manage internet-based devices; with CMG the infrastructure is provided and managed by Microsoft in Azure, and you just manage the service.

HAAD Join - This is an identity solution, whereas co-management is a management method. HAAD join means the device is joined to your on-prem AD and registered in Azure AD. For co-management the device must be either HAAD joined or AAD joined; basically, it must have a cloud identity.

Enabling co-management itself doesn't require that you onboard your site with AAD. For the cloud-native scenario, internet-based SCCM clients require the cloud management gateway (CMG), and the CMG requires the site to be onboarded to Microsoft Entra ID for cloud management.

Hope that clears the confusion and gives a better picture of each feature. You can get more details on the above topics and do a deep dive on each of them!


For third Party MDM Environments:

When you manage devices with SCCM + Intune, this configuration is called co-management. When you manage devices with SCCM + third-party MDM service, this configuration is called coexistence.

Managing policy conflicts between management authorities in an SCCM + Intune environment is handled by workloads, which are not available with third-party MDMs. In that scenario SCCM automatically deactivates certain workloads or switches them to read-only operation, giving the third-party MDM preference in managing them.

Paths to co-management:

There are two main paths to reach co-management:

  • Existing Configuration Manager clients: You have Windows 10 or later devices that are already SCCM clients. You set up HAAD join and enroll them into Intune.
  • New cloud-native devices: You have new Windows 10 or later devices that join AAD and automatically enroll in Intune. You install the SCCM client to reach a co-management state. CMG helps in this scenario; you can use my script for client installation here:

SCCM Client Installation using CMG command line and Blob storage

Immediate Values after enabling Co-management:

After enrolling SCCM clients in co-management, you get the following immediate value:

  • Conditional access with device compliance
  • Intune-based remote actions, for example: restart, remote control, or factory reset
  • Centralized visibility of device health
  • Link users, devices, and apps with Microsoft Entra ID
  • Modern provisioning with Windows Autopilot
  • Remote actions

Licensing

  • Microsoft Entra ID P1 or P2.
  • An Enterprise Mobility + Security (EMS) subscription includes both Microsoft Entra ID P1 or P2 and Microsoft Intune.
  • At least one Intune license for you as the administrator to access the Microsoft Intune admin center.

[Image: Licensing options for co-management]

Workloads

You don't have to switch the workloads right away; they can be switched individually when you're ready. SCCM continues to manage all other workloads, including those you don't switch to Intune, and all other features of Configuration Manager that co-management doesn't support.

Co-management supports the following workloads:

  • Compliance policies
  • Windows Update policies
  • Resource access policies - No longer supported on SCCM
  • Endpoint Protection
  • Device configuration
  • Office Click-to-Run apps
  • Client apps

[Image: Workloads]

Prerequisites:

Co-management has these prerequisites in the following areas:


Pre-Requisites

Permissions and roles:


Permissions


I'll add more details on each component, implementations, monitoring and troubleshooting methods in the upcoming posts. Stay connected!!



Ankit Mittal, PMP

Associate General Manager | Transition & Transformation Digital Workplace, IT Operations, IT Service Management (ITSM)

4 months

Very informative

Apurva Singhal

Digital Workplace | UEM | MDM | Migration and Modernization | IT Portfolio Management | Agile Thought Leader | Neurodiversity Advocate

4 months

Good one! Thanks for sharing.

Manasvi Srivastava

Serving Notice Period | TCS | System Engineer | Intune Administrator | Azure AD | Workplace Admin | SCCM

4 months

Insightful!

Rahul Thakur

Intune/Azure/SCCM/Cloud/Security/MECM

4 months

Thanks for sharing

Bajarang Kumbhar

Consultant Infrastructure Management || Modern Workplace || SCCM/MECM || Intune

4 months

Very helpful!
