Enabling co-management feature in SCCM gives you the benefit of controlling the devices through Configuration Manager as well as intune. This doesn’t mean that you will be able to manage the features simultaneously, but means that you can flip the switch (workloads between SCCM & intune). For example: you want to manage everything through SCCM but Windows update through intune, this is what co-management is meant for.

Prerequisites for configuring co-management

  • You need to have Azure subscription with Azure Active Directory Premium (AADP1 or AADP2) service with on-premises infrastructure.
  • You need to have Intune subscription. Enterprise Mobility + Security E3 or E5 will do the job.

Apart from these 2, following are the equivalent subscriptions which are valid: Microsoft 365 E3, Microsoft 365 E5, Microsoft 365 F3

  • MDM authority must be set to intune on MEM portal.
  • You must have configured hybrid Azure AD join using Azure AD Connect.
  • SCCM client settings to enable Cloud Services. Launch Configuration Manager admin console and navigate to \Administration\Overview\Client Settings under existing client settings, navigate to Cloud Services confirm following Device Settings:

Automatically register new Windows 10 or later domain joined devices with Azure Active Directory: Yes

Client Settings Cloud Services

(Note: This can be configured through group policy as well)

Enable co-management in SCCM

Under Configuration Manager console, navigate to \Administration\Overview\Cloud Services. For MECM 2103 or earlier, you will see Co-management right click and select Configure co-management.

Configure co-management

Starting onwards MECM 2107, co-management name has changed to Cloud Attach. Hence you right click Cloud Attach and select Configure Cloud Attach

Configure Cloud Attach

Sign in with Azure Account using Azure AD global administrator, click Next.

ConfigureCoManagement 02
Create AAD application

This will create AAD application, click on Yes to continue creation webapp for AAD tenant.

Under Configure Upload page, we can select all devices or have an option to select collection by clicking on Specific collection.

Configure upload

Under Enable co-management page, we have 3 options:

All: This will automatically enroll all Configuration Manager clients.
Pilot: Configuration manager clients part of Intune Auto Enrollment collection will be automatically enrolled, and will onboard to co-management.
None: Disabling the automatic enrollment.

Enablement enable co-management

Under Workloads page, we have several options available to control the workload of each component, following options are available:

  • Compliance policies
  • Device configuration
    • Endpoint Protection
    • Resource access policies
  • Client apps
  • Office Click-to-Run apps
  • Windows Update Policies

We can flip the switch to change the workload in between Configuration Manager, Pilot Intune & Intune.

Configure workloads

Under Staging page, we have to select & configure roll out collections, as in previous page I selected Windows Update Policies to be managed by intune, I need to select a pilot group collection. This can be different from previous collection we used in Configure upload page. We can choose different collection for each pilot group settings.

Configure roll out collections

Click Next to confirm the settings and proceed with completion of co-management configuration Wizard.

ConfigureCoManagement 09

Verification of co-management settings

Once the configuration is done, you can always come back to Cloud Services \ Co-management page and edit the options such as Workloads, configure upload etc.

ConfigureCoManagement 10

Based upon what we did just now, has configured Azure Services, while navigating \Administration\Overview\Cloud Services\Azure Services to we can see the name Cloud Attach.

Azure Services Cloud Attach

Navigate to Azure Active Directory Tenants, and we can see new Tenant Name which is attached now.

Azure Active Directory Tenants Tenant Name

Pilot group collection we used have now 2 deployments targeted, which got created automatically with the names:

CoMgmtSettingsPilotAutoEnroll : This is the auto enrollment policy, default schedule is set for 1 day, and will try to remediate noncompliant rules as well.
CoMgmtSettingsPilotWUP :  This is Windows update policy, scheduled to run every 1 day as default option.

ConfigureCoManagement 14

Navigate to \Monitoring\Overview\Co-management, this is the co-management Dashboard where we can see Client OS Distribution, Co-management Status, Co-management Enrollment Status all in single Dashboard.

ConfigureCoManagement 15

Login to one of the workstations, launch Configuration Manager Properties, we can see Co-management settings enabled.

ConfigureCoManagement 13