
MS-Intune: Paths for Co-Management of Windows Devices

What exactly is Co-Management:

- Co-management is a technique used for simultaneously managing Windows 10 and above devices with SCCM and Intune by balancing/switching the workloads
- It is crucial to manage the workloads carefully so that there are no conflicts as we are
merging two different technologies (SCCM and Intune)
- With co-management we get the benefits of Cloud services as well as SCCM
- This doesn’t mean that you will be actually able to manage the features
simultaneously, but means that you can flip the switch (workloads between SCCM &
Intune).
- For example: you want to manage everything through SCCM but Windows updates through Intune; this is what co-management is meant for.

(Note: When you manage devices with Configuration Manager and enroll them to a third-party MDM service rather than Intune, this configuration is called Coexistence)

Fig: Co-management in Intune


Paths to co-management:

1. Existing SCCM configured Windows 10 and later devices
2. Existing Intune configured/enrolled devices

Begin:

1. Existing SCCM configured Windows 10 and later devices:

- Here the devices are already configured with SCCM and joined to the on-premises (local) domain
- SCCM on Windows Server: enable co-management in SCCM, configure Azure AD Connect to achieve Hybrid Azure AD Join, and configure Client Settings to direct clients to register with Azure AD
- Intune: define the MDM and MAM user scope accordingly

Prerequisites:
- Licensing: Azure AD Premium, and at least one Intune license for you as the administrator to access the Microsoft Endpoint Manager admin center.
- SCCM: co-management requires Configuration Manager version 1710 or later.

Steps:

SCCM: Enable Co-Management:

- The phrase Pilot group is used throughout the co-management feature and configuration
dialogs. Use a pilot group in SCCM for your initial testing, adding devices as needed, until you're
ready to move the workloads for all Configuration Manager devices.

- Navigate to Administration / Cloud Services / Co-Management and select Configure Co-Management
- Click Sign-In to enter your Intune credentials.
- After signing in, click Next
- Configure Automatic enrollment in Intune. Select None or Pilot at this time. You can change this
setting later. You can select your pilot collection later.
- Select Pilot then click Next.
- Configure Workloads lets you choose which workloads will be managed by which system, Configuration Manager or Intune. Don't change any settings at this time and click Next.
- Full list of workloads from the wizard
- Configure the roll-out collections allows you to select the collection to use for deploying co-management. In this example, we selected our Co-Management Piloting collection.
- Click Next.

- On the summary screen, click Close.
- Back in the console, verify that Co-Management appears. This is where you go to configure co-management workloads and targeted collections.

SCCM: Configure Client Settings to direct clients to register with Azure AD

- Use Client Settings to configure Configuration Manager clients to automatically register with Azure AD.
- Open the Configuration Manager console > Administration > Overview > Client Settings, and then edit the Default Client Settings.
- Select Cloud Services.
- On the Default Settings page, set Automatically register new Windows 10 domain joined devices with Azure Active Directory to Yes.
- Select OK to save this configuration.

Windows Server: Hybrid Azure AD Configuration

- Download Azure AD Connect (1.1.819.0 or higher) to sync your on-prem domain to your Azure AD tenant
https://www.microsoft.com/en-us/download/details.aspx?id=47594

- When setting up Azure AD Connect you will be given a choice (step 5 of the instructions) between several authentication methods between your Active Directory and Azure Active Directory. Below is a table of common hybrid identity and access management scenarios with recommendations as to which hybrid identity option (or options) may be appropriate for your organization:

(Table: hybrid identity options; the columns are)
• Column 1: Password Hash Synchronization with Single Sign-On
• Column 2: Pass-through Authentication and Single Sign-On
• Column 3: Single Sign-On with Active Directory Federated Services

- Launch Azure AD Connect, and then select Configure.
- After downloading the Azure AD Connect tool, open the file and agree to the license terms and privacy notice by checking the checkbox. Click 'Continue'.
- From the 'Express Settings' tab, select the Customize button.

- From the 'Install Required Components' tab, check 'Use an existing service account' and set the required information. You will need to type your domain administrator credentials. Click 'Install'
- From the 'User Sign-In' tab you will need to select your desired Single Sign-On method. Each selection might add more steps and requirements. We recommend using Password Synchronization or the Do not configure option.
- From the 'Connect to Azure AD' tab, you will need to type your Active Directory credentials; these may also be known as Office 365 administrator credentials.

- From the 'Connect Directories' tab, you will need to enter your current deployment directory
information.
- On the 'Azure AD sign-in configuration' tab, our recommendation is to set the on-premises attribute (in this case your on-premises deployment) to be used as the Azure AD username to userPrincipalName. If your domain is not yet verified, you can check the 'Continue without any verified domains' checkbox to continue
- On the Domain and OU filtering tab, leave everything as default to sync the entire directory. You can also filter this data by selecting only the desired domain and OUs.
- From the 'Uniquely identifying your users' tab, our recommendation is to leave the default settings for basic setups of one forest, one domain and one Azure AD. For more complicated setups you may want other options, where you will need to match your users using a particular attribute across all directories. For the user identification option in Azure AD we recommend leaving the default option of using 'ObjectGUID'; the system will use this to generate an ID and use it for mapping users in the system

- From the 'Filter users and devices' tab, you can sync all users and devices or you can specify a
group.
- On the 'Optional features' tab, select any additional feature that you would like to activate. Each
feature has an icon for more information on each feature.

- From the 'Ready to configure' tab, you select the 'Start the synchronization process when configuration
completes' if you want to start automatically.
- On the Configure view, wait until the configuration is completed and click on Exit when it’s done

Intune: Auto-enrollment Intune

- Sign in to the Azure portal and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft
Intune.
- Configure MDM user scope. Specify one of the following to configure which users' devices are managed by
Microsoft Intune and accept the defaults for the URL values.
o Some: Select the Groups that can automatically enroll their Windows 10 or later devices
o All: All users can automatically enroll their Windows 10 or later devices
o None: Disable MDM automatic enrollment
- Save and Exit
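Once the Azure AD Connect sync, the client setting and the MDM scope above are in place, the practical question is whether a given client has actually reached the Hybrid Azure AD joined state that path 1 relies on. The following PowerShell is an added example written for this page, not part of the original document or a Microsoft script; it parses the output of the built-in dsregcmd.exe /status command (the function names are the example's own) and reports the join state and the MDM enrollment URL the device was handed once it fell inside the MDM user scope.

```powershell
# Added example (not from the original document): verify that a domain-joined
# Configuration Manager client has completed Hybrid Azure AD Join. Uses the built-in
# dsregcmd.exe; run in an elevated PowerShell session on the client.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines grouped under section headers.
    # Collect every single-word "Key : Value" pair into a hashtable.
    $result = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-HybridAzureAdJoin {
    param([hashtable]$Status = (Get-DsregStatus))

    # Hybrid Azure AD Join = on-prem domain joined AND registered in Azure AD.
    $domainJoined  = $Status['DomainJoined']  -eq 'YES'
    $azureAdJoined = $Status['AzureAdJoined'] -eq 'YES'

    [pscustomobject]@{
        DomainJoined      = $domainJoined
        AzureAdJoined     = $azureAdJoined
        HybridAzureAdJoin = ($domainJoined -and $azureAdJoined)
        TenantName        = $Status['TenantName']
        DeviceId          = $Status['DeviceId']
        # MdmUrl is populated only after the user/device falls inside the Intune MDM scope
        MdmUrl            = $Status['MdmUrl']
    }
}

$state = Test-HybridAzureAdJoin
$state | Format-List

if (-not $state.HybridAzureAdJoin) {
    Write-Warning ("Device is not Hybrid Azure AD joined yet. Confirm the computer object was " +
                   "synced by Azure AD Connect and that the 'Automatically register new Windows 10 " +
                   "domain joined devices' client setting applied; the state refreshes when the " +
                   "Automatic-Device-Join scheduled task next runs.")
}
if ($state.HybridAzureAdJoin -and -not $state.MdmUrl) {
    Write-Warning "No MDM URL present: the signed-in user is probably outside the configured MDM user scope."
}
```

The check is deliberately read-only: it changes nothing on the device, so it is safe to run against a pilot collection before flipping any workload.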

2. Existing Intune configured/enrolled devices

- Here the devices are Intune enrolled and Azure AD joined
- SCCM on Windows Server: enable co-management, then configure CMG (Cloud Management Gateway) and CDP (Cloud Distribution Point)
- Intune: define the MDM and MAM scope accordingly, and deploy the SCCM client (ccmsetup.exe) via a LOB app

Note:
- This CMG/CDP prerequisite applies only when you want to install the ConfigMgr/SCCM client on Intune-managed Windows 10 devices from the internet, i.e. when the client cannot reach the on-prem SCCM infrastructure. Both are Platform as a Service (PaaS) solutions in Azure.

- CMG (Cloud Management Gateway): provides a simple way to manage Configuration Manager clients over the internet. You deploy the CMG as a cloud service in Microsoft Azure. Then, without more on-premises infrastructure, you can manage clients that roam on the internet or are in branch offices across the WAN, and you don't need to expose your on-premises infrastructure to the internet. A client on the internet contacts SCCM to get policies; the request reaches the CMG, which forwards it to the on-prem SCCM components. The on-prem SCCM component validates the request and returns policies via the CMG.

- CDP (Cloud Distribution Point): provides software content to internet-based clients without additional on-premises infrastructure, cloud-enables your content distribution system, and reduces the need for traditional distribution points.

Pre-requisites:
- Licenses: Azure Subscription, Azure Active Directory Premium, Microsoft Intune subscription

Steps:

SCCM: Enable Co-management: this procedure is exactly the same as described in the first path

SCCM: Configure CMG: I have not covered this topic here as it is too complex. However, after going through many blogs, I find this one a comprehensive guide to follow:
https://www.prajwaldesai.com/setup-sccm-cloud-management-gateway/#Allow-access-to-cloud-distribution-points

SCCM: Configure CDP:
https://systemcenterdudes.com/sccm-cloud-distribution-point/

Intune: Auto-enrollment Intune

- Sign in to the Azure portal and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft
Intune.
- Configure MDM user scope. Specify one of the following to configure which users' devices are managed by
Microsoft Intune and accept the defaults for the URL values.
o Some: Select the Groups that can automatically enroll their Windows 10 or later devices
o All: All users can automatically enroll their Windows 10 or later devices
o None: Disable MDM automatic enrollment
- Save and Exit

Intune: Deploy SCCM Client

- If you're planning to deploy the Configuration Manager client to devices going through Autopilot, it's recommended to target users for the assignment of the Configuration Manager client instead of devices. This avoids a conflict between installing line-of-business apps and Win32 apps during Autopilot.
- MEM > Apps > All Apps > Add.
- For app type, select Line-of-business app under Other.
- For the App package file, browse to the location of the Configuration Manager file ccmsetup.msi, and then select Open > OK.
- For example, C:\Program Files\Microsoft Configuration Manager\bin\i386\ccmsetup.msi
- Select App Information, and then specify the following details:
- Description: Configuration Manager Client
- Publisher: Microsoft
- Command-line arguments: Specify the CCMSETUPCMD command line. You can use the
command line you saved from the Co-management Configuration Wizard.
- If you do not have the command line available, you can view the properties
of CoMgmtSettingsProd in the Configuration Manager console to get a copy of the command
line. The command line only shows if you've met all of the prerequisites, such as set up a cloud
management gateway.
- Select OK > Add. The app is created and becomes available in the Intune console. After the app
is available, you can use the following section to configure Intune to assign it to devices.

- Assign this App to the devices: MEM > Apps > All Apps
- Select Configuration Manager Client > Properties > Edit > Assignments > Add Group
- Choose the Group that we created
- Review + save and then Save the configuration

Note: There are various methods to check the status of Co-management which would be part of troubleshooting.
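One of those status checks, for either path, is to read the state the Configuration Manager client records locally once co-management is active. The following PowerShell is an added example written for this page, not part of the original document or a Microsoft script. It assumes the documented CoManagementFlags registry value under HKLM\SOFTWARE\Microsoft\CCM (bit 1 = co-management enabled, higher bits = workloads switched to Intune; the bit-to-workload mapping below follows Microsoft's documented layout, so confirm it against CoManagementHandler.log on a known device for your ConfigMgr version), the CcmExec service, and the root\ccm SMS_Authority class for site assignment. The function name is the example's own.

```powershell
# Added example (not from the original document): report a client's co-management
# state and basic client health. Run in an elevated PowerShell session on the client.

# Bit values of CoManagementFlags for workloads moved to Intune (documented layout;
# verify against CoManagementHandler.log on a known-good device for your version).
$WorkloadBits = [ordered]@{
    2   = 'Compliance policies'
    4   = 'Resource access policies'
    8   = 'Device configuration'
    16  = 'Windows Update policies'
    32  = 'Endpoint Protection'
    64  = 'Client apps'
    128 = 'Office Click-to-Run apps'
}

function Get-CoManagementState {
    $regPath = 'HKLM:\SOFTWARE\Microsoft\CCM'
    $flags = (Get-ItemProperty -Path $regPath -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags

    # Client health: the CcmExec service must be running for any workload to be honoured.
    $service = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $serviceRunning = ($null -ne $service -and $service.Status -eq 'Running')

    # SMS_Authority holds the assigned site ("SMS:<sitecode>") and current management point
    # (for path 2 clients installed over the internet this should be the CMG endpoint).
    $authority = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority -ErrorAction SilentlyContinue
    $siteCode = $null
    $mp = $null
    if ($authority) {
        $siteCode = $authority.Name -replace '^SMS:', ''
        $mp = $authority.CurrentManagementPoint
    }

    # Decode which workloads have been flipped to Intune; everything else stays with SCCM.
    $intuneWorkloads = @()
    if ($null -ne $flags) {
        foreach ($bit in $WorkloadBits.Keys) {
            if (($flags -band $bit) -ne 0) { $intuneWorkloads += $WorkloadBits[$bit] }
        }
    }
    $sccmWorkloads = @($WorkloadBits.Values | Where-Object { $_ -notin $intuneWorkloads })

    [pscustomobject]@{
        ClientServiceRunning = $serviceRunning
        AssignedSite         = $siteCode
        ManagementPoint      = $mp
        CoManagementFlags    = $flags
        CoManagementEnabled  = ($null -ne $flags -and ($flags -band 1) -ne 0)
        IntuneWorkloads      = $intuneWorkloads
        SccmWorkloads        = $sccmWorkloads
    }
}

$state = Get-CoManagementState
$state | Format-List

if (-not $state.ClientServiceRunning) {
    Write-Warning "CcmExec is not running; check ccmsetup.log for the install result before troubleshooting co-management."
} elseif (-not $state.CoManagementEnabled) {
    Write-Warning "Client is installed but CoManagementFlags does not show co-management enabled; check that the device is in the targeted collection and that auto-enrollment succeeded."
}
```

Because the same registry value drives both the pilot and the production collection, comparing the IntuneWorkloads list on a pilot device against the wizard's Configure Workloads page is a quick way to confirm that a workload flip really reached the client before widening the collection.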
