Windows 10 Co-Management, Step by Step Guide


This blog post is about how to combine two different technologies to manage devices with Windows 10 Co-Management.

This topic has been divided into two parts:

Part I: Configuration Manager provisioned co-management

Part II: Intune provisioned devices that are enrolled in Intune

Part I: Configuration Manager provisioned co-management

Microsoft introduced the Co-Management feature in SCCM 1710 (Configuration Manager). It allows system administrators to manage a single device simultaneously from both Configuration Manager and Microsoft Endpoint Manager (Intune), an MDM solution.

Co-Management allows administrators to manage Windows 10 by using both Configuration Manager (SCCM) and Intune. It creates a bridge between the two products that supports a phased transition.

Why we should use Co-Management

Using Co-Management, we get new features and capabilities from Microsoft Intune.

  • Conditional access
  • Compliance policies
  • Remote wipe or factory resetting a device remotely
  • Advanced Threat Analytics (using EMS E5 License)
  • Windows updates
  • Delete device
  • Restart device
  • Fresh start

However, Intune does not have the more complex software deployments that we get from SCCM, along with Resource access policies, Windows Updates policies, and Cloud Management Gateway.

High-Level Architecture of Co-Management

In the diagram below, we can see Windows 10 devices and Windows 7/8 legacy devices managed by on-premises Configuration Manager. Co-management can be enabled for Windows 10 devices both when they are enrolled in Intune and when they are existing Configuration Manager clients. Either way, co-management using both Configuration Manager and Intune gives the same result.

Requirements to set up Windows 10 Co-Management

  • Configuration Manager 1710 or later
  • Windows 10 version 1709 (Fall Creators Update) or later
  • Intune EMS License
  • Intune subscription
  • Azure subscription
  • Azure AD automatic enrollment enabled
  • If Configuration Manager client is installed: Hybrid Azure AD joined (joined to AD and Azure AD)
  • If Configuration Manager client is NOT installed: Cloud Management Gateway
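
The client-side items in this list can be checked from PowerShell. The following is an added example, not part of the original post: it parses the text of `dsregcmd /status` for the hybrid join flags and compares the OS build against 16299 (version 1709). The function name, parameters and sample output are constructed for illustration.

```powershell
# Added example: evaluates the client-side requirements listed above.
function Test-CoManagementPrereq {
    param(
        [Parameter(Mandatory)][string]$DsregText,       # text of `dsregcmd /status`
        [Parameter(Mandatory)][int]$OsBuild,            # 16299 = Windows 10 version 1709
        [Parameter(Mandatory)][bool]$CmClientInstalled  # is the ConfigMgr client present?
    )
    # Pull the two join flags out of the "Device State" section.
    $join = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in ($DsregText -split '\r?\n')) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $join[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    $osOk   = ($OsBuild -ge 16299)
    $hybrid = ($join.AzureAdJoined -and $join.DomainJoined)

    if ($CmClientInstalled) {
        # Existing ConfigMgr client: the list requires hybrid Azure AD join.
        $path  = 'Configuration Manager provisioned'
        $needs = 'Hybrid Azure AD join'
        $ready = ($osOk -and $hybrid)
    } else {
        # No ConfigMgr client: the list requires a Cloud Management Gateway,
        # which is a site-side component and cannot be verified from the client.
        $path  = 'Intune provisioned'
        $needs = 'Cloud Management Gateway (verify on the site)'
        $ready = $osOk
    }
    [pscustomobject]@{
        Path                = $path
        Requires            = $needs
        OsBuildOk           = $osOk
        HybridAzureAdJoined = $hybrid
        ClientSideReady     = $ready
    }
}

# Constructed sample of `dsregcmd /status` output (not from a real device).
$sample = @'
| Device State                                                         |

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
'@
Test-CoManagementPrereq -DsregText $sample -OsBuild 19045 -CmClientInstalled $true
```

On a live device, pass `(dsregcmd /status | Out-String)`, `[Environment]::OSVersion.Version.Build`, and `[bool](Get-Service CcmExec -ErrorAction SilentlyContinue)` for the three parameters.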

2 methods of Co-Management

  1. Configuration Manager provisioned co-management: Windows 10 devices that are managed by Configuration Manager and hybrid Azure AD joined get enrolled into Intune.
  2. Intune provisioned devices that are enrolled in Intune: once the Configuration Manager client is installed on them, the devices enter a co-management state.

Adding the Microsoft Endpoint Manager subscription

In this step, the Intune subscription will be created in Configuration Manager.

  • Go to Administration / Cloud services / select Co-Management
  • Click the Configure co-management Create button on the Home tab Ribbon
  • It opens the Co-management Configuration Wizard
  • In the Tenant onboarding page, select AzurePublicCloud as the Azure environment
  • Tick the check boxes Upload to Microsoft Endpoint Manager admin center and Enable automatic client enrollment for co-management.
  • Click the Sign in button to subscribe to Intune.
  • The Microsoft sign-in window appears after clicking Sign in
  • Enter the Intune Global Administrator credentials to sign in.
  • After a successful sign-in, a Create AAD Application warning message appears; click Yes to continue.
  • In the next window, Configure upload to Microsoft Endpoint Manager Cloud Console, select All the devices in Configuration Manager collection or select Custom collections to continue.
  • In the Enrollment page, select the Pilot or All option under Automatic enrollment in Intune; this lets Configuration Manager configure automatic enrollment in Intune
  • Click Next to continue to the Workload page, where the admin can assign each workload to Configuration Manager or Intune.
  • Specify the workload, then click Next to continue to staging.
  • In the Staging page, all the workloads and configurations assigned to Intune are staged and carried out on the selected device collection.
  • Click Next to show the Summary page.
  • The Summary page shows all the configuration details we entered in the Windows 10 Co-management Configuration Wizard.
  • Click Next to go to the Progress page, which sets up the above details.
  • Once the Progress page finishes installing, the Windows 10 Co-Management setup is complete.
  • Click Close to finish the setup.
  • To confirm the Windows 10 Co-management setup, navigate to Administration > Cloud Services >
  • Verify the Co-management entry; see the below image for reference.

Verify the tenant details in Administration > Cloud Service > Azure Active Directory Tenants.

To verify Windows 10 Co-management in Microsoft Endpoint Manager, do the following:

  • Navigate to Home > All devices
  • You can see the Configuration Manager device entries as Managed by ConfigMgr

See the below screenshot for reference.

We are done with Part 1.

Part II: Intune provisioned devices that are enrolled in Intune

In this scenario, Windows 10, version 1709, devices are already enrolled only in Intune. To combine Configuration Manager with Intune, install the Configuration Manager client on the Intune-managed devices.

To achieve this, follow the below steps:

  • Attach Endpoint Manager to Configuration Manager by attaching the AAD tenant (refer to Co-Management Part I)
  • Get the ccmsetup.msi file from <SCCM folder>\SMSSETUP\BIN\I386 (or navigate to <Drive>:\Program Files\Microsoft Configuration Manager\cd.latest\SMSSETUP\BIN\I386)
  • Create an LOB (Line of Business) application in Microsoft Endpoint Manager by using the ccmsetup.msi file.
  • Include the below command in the LOB app and replace the values in the angle brackets with your own.

ccmsetup.msi CCMSETUPCMD="/mp:<URL of cloud management gateway mutual auth endpoint> CCMHOSTNAME=<URL of cloud management gateway mutual auth endpoint> SMSSiteCode=<Sitecode> SMSMP=https://<FQDN of MP> AADTENANTID=<AAD tenant ID> AADTENANTNAME=<Tenant name> AADCLIENTAPPID=<Server AppID for AAD Integration> AADRESOURCEURI=https://<Resource ID>"
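
A leftover placeholder, a stray quote, or a malformed ID in the CCMSETUPCMD value above makes the client install fail on every targeted device, so it is worth generating the string rather than hand-editing it. The following is an added example, not part of the original post: the function name, parameter names and all sample values are constructed, and it assumes CCMHOSTNAME is written without the https:// scheme, as in Microsoft's client installation documentation.

```powershell
# Added example: assembles and validates the CCMSETUPCMD property for the LOB app.
function New-CcmSetupCmd {
    param(
        [Parameter(Mandatory)][string]$CmgMutualAuthUrl,     # https://<CMG>/CCM_Proxy_MutualAuth/<id>
        [Parameter(Mandatory)][string]$SiteCode,
        [Parameter(Mandatory)][string]$ManagementPointFqdn,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][string]$ClientAppId,
        [Parameter(Mandatory)][string]$ResourceUri
    )
    $problems = @()
    # A leftover <placeholder>, quote or space would corrupt the quoted property.
    foreach ($p in $PSBoundParameters.GetEnumerator()) {
        if ("$($p.Value)" -match '[<>"\s]') {
            $problems += "$($p.Key) contains <, >, a quote or whitespace"
        }
    }
    $uri = $null
    $isUrl = [uri]::TryCreate($CmgMutualAuthUrl, [System.UriKind]::Absolute, [ref]$uri)
    if (-not ($isUrl -and $uri.Scheme -eq 'https')) {
        $problems += 'CmgMutualAuthUrl must be an absolute https URL'
    }
    if ($SiteCode -notmatch '^[A-Za-z0-9]{3}$') {
        $problems += 'SiteCode must be three alphanumeric characters'
    }
    $g = [guid]::Empty
    foreach ($name in 'TenantId', 'ClientAppId') {
        if (-not [guid]::TryParse([string]$PSBoundParameters[$name], [ref]$g)) {
            $problems += "$name must be a GUID"
        }
    }
    if ($ResourceUri -notmatch '^https://') { $problems += 'ResourceUri must start with https://' }
    if ($problems.Count -gt 0) { throw ($problems -join '; ') }

    # Assumption: CCMHOSTNAME is the same endpoint without the scheme.
    $cmgHost = $CmgMutualAuthUrl -replace '^https://', ''
    $inner = @("/mp:$CmgMutualAuthUrl", "CCMHOSTNAME=$cmgHost", "SMSSiteCode=$SiteCode",
               "SMSMP=https://$ManagementPointFqdn", "AADTENANTID=$TenantId",
               "AADTENANTNAME=$TenantName", "AADCLIENTAPPID=$ClientAppId",
               "AADRESOURCEURI=$ResourceUri") -join ' '
    'CCMSETUPCMD="{0}"' -f $inner
}

# Constructed sample values, not real tenant data.
$sampleArgs = @{
    CmgMutualAuthUrl = 'https://cmg.contoso.example/CCM_Proxy_MutualAuth/1234567890'
    SiteCode = 'ABC'; ManagementPointFqdn = 'mp1.contoso.example'
    TenantId = '11111111-2222-3333-4444-555555555555'; TenantName = 'contoso'
    ClientAppId = '66666666-7777-8888-9999-000000000000'; ResourceUri = 'https://ConfigMgrService'
}
New-CcmSetupCmd @sampleArgs
```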

Open endpoint.microsoft.com and navigate to Home > Apps > Windows >

Click the +Add button, select Line-of-business app in the App type drop-down list, and click Select. In the App Package window, select the ccmsetup.msi application and click OK to continue.

In the App Information tab, fill the required fields and click Next to continue.

In the Assignments tab, select the device group that should receive the Configuration Manager client.

Click Next to go to the Review + Save tab and click the Create button to finish.

The targeted Windows 10 devices will get the Configuration Manager client software and will be enrolled immediately with SCCM. The co-managed Windows 10 devices now get both the Intune and the Configuration Manager features.

About the Author Ritesh Jangir

The author graduated with a Bachelor of Technology in Electronics & Communication in 2013 and has established a career in the field of cloud IT infrastructure. The author got associated with Microsoft technologies right from the bottom of the ladder as a help desk operator. Working for Microsoft support with Convergys gave an end-to-end insight into Microsoft Intune and SaaS-based technologies. The author further worked for multiple clients to migrate their device management strategies from on-prem to cloud, mostly Intune and AirWatch (VMware Workspace ONE), worked with HCL, and now works with ITC Infotech as an Intune consultant on planning and implementing device management for one of the biggest beer manufacturing companies globally.