Tutorial: Enable co-management for existing Configuration Manager clients

03/12/2020


With co-management, you can keep your well-established processes for using Configuration Manager to manage PCs in your organization. At the same time, you're investing in the cloud through use of Intune for security and modern provisioning.

In this tutorial, you set up co-management of your Windows 10 devices that are already enrolled in Configuration Manager. This tutorial begins with the premise that you already use Configuration Manager to manage your Windows 10 devices.

Use this tutorial when:

You have an on-premises Active Directory that you can connect to Azure Active Directory (Azure AD) in a hybrid Azure AD configuration. If you can't deploy a hybrid Azure Active Directory (AD) that joins your on-premises AD with Azure AD, we recommend following our companion tutorial, Enable co-management for new internet-based Windows 10 devices.

You have existing Configuration Manager clients that you want to cloud-attach.

In this tutorial you will:

Review prerequisites for Azure and your on-premises environment

Set up hybrid Azure AD

Configure Configuration Manager client agents to register with Azure AD

Configure Intune to auto-enroll devices

Enable co-management in Configuration Manager

Prerequisites

Azure services and environment

Azure Subscription (free trial)

Azure Active Directory Premium

Microsoft Intune subscription

Tip An Enterprise Mobility + Security (EMS) subscription includes both Azure Active Directory Premium and Microsoft Intune. EMS subscription (free trial).

If not already present in your environment, during this tutorial you'll:

Configure Azure AD Connect between your on-premises Active Directory and your Azure Active Directory (AD) tenant.

Tip You no longer need to purchase and assign individual Intune or EMS licenses to your users. For more information, see the Product and licensing FAQ.

On-premises infrastructure

A supported version of Configuration Manager current branch

The mobile device management (MDM) authority must be set to Intune.

Permissions

Throughout this tutorial, use the following permissions to complete tasks:

An account that is a domain admin on your on-premises infrastructure

An account that is a full administrator for all scopes in Configuration Manager

An account that is a global administrator in Azure Active Directory (Azure AD)

Make sure you've assigned an Intune license to the account that you use to sign in to your tenant. Otherwise, sign-in fails with the error message "User not recognized".

These three accounts are the most privileged in their respective systems. Use them only for the one-time setup steps in this tutorial, and return to your normal, less privileged administration accounts afterwards.



Set up hybrid Azure AD

When you set up hybrid Azure AD, you're really setting up integration of an on-premises AD with Azure AD using Azure AD Connect and, for federated domains, Active Directory Federation Services (AD FS). With successful configuration, your workers can seamlessly sign in to external systems using their on-premises AD credentials.

Set up Azure AD Connect

Hybrid Azure AD requires configuration of Azure AD Connect to keep computer accounts in your on-premises Active Directory (AD) and the device object in Azure AD in sync.

Beginning with version 1.1.819.0, Azure AD Connect provides you with a wizard to configure hybrid Azure AD join. Use of that wizard simplifies the configuration process.

To configure Azure AD Connect, you need credentials of a global administrator for Azure AD.

Tip The following procedure should not be considered authoritative for set up of Azure AD Connect but is provided here to help streamline configuration of co-management between Intune and Configuration Manager. For the authoritative content on this and related procedures for set up of Azure AD, see Configure hybrid Azure AD join for managed domains in the Azure AD documentation.

Configure a hybrid Azure AD join using Azure AD Connect

1. Get and install the latest version of Azure AD Connect (1.1.819.0 or higher).

2. Launch Azure AD Connect, and then select Configure.

3. On the Additional tasks page, select Configure device options, and then select Next.

4. On the Overview page, select Next.

5. On the Connect to Azure AD page, enter the credentials of a global administrator for Azure AD.

6. On the Device options page, select Configure Hybrid Azure AD join, and then select Next.

7. On the Device operating systems page, select the operating systems used by devices in your Active Directory environment, and then select Next. You can select the option to support Windows downlevel domain-joined devices, but keep in mind that co-management of devices is only supported for Windows 10.

8. On the SCP page, for each on-premises forest you want Azure AD Connect to configure the service connection point (SCP), do the following steps, and then select Next:

   - Select the forest.

   - Select the authentication service. If you have a federated domain, select AD FS server unless your organization has exclusively Windows 10 clients and you have configured computer/device sync, or your organization is using Seamless SSO.

   - Select Add to enter the enterprise administrator credentials.

9. On the Federation configuration page, enter the credentials of your AD FS administrator, and then select Next. If you have a managed domain, skip this step.

10. On the Ready to configure page, select Configure.

11. On the Configuration complete page, select Exit.

If you experience issues with completing hybrid Azure AD join for domain joined Windows devices, see Troubleshooting hybrid Azure AD join for Windows current devices.
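Before you move on to client settings, it is worth confirming that both halves of the hybrid join are actually in place: the service connection point (SCP) the wizard writes into the forest, and the registration state of a client. The following PowerShell is an added example, not part of the original tutorial or of Azure AD Connect. It assumes the ActiveDirectory RSAT module is available for the SCP lookup, and that the client check runs on a Windows 10 device; the function names are the example's own.

```powershell
# Added example: verify a hybrid Azure AD join after running the Azure AD Connect wizard.
#   1. The SCP that the wizard writes into the on-premises forest; domain-joined
#      clients read it to discover the tenant they should register with.
#   2. The registration state of a client, as reported by dsregcmd.exe.

function Get-HybridJoinScp {
    # The SCP lives at a well-known path under the forest's Configuration naming
    # context; its keywords carry the tenant name and tenant ID.
    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $searchBase = "CN=Device Registration Configuration,CN=Services,$configNC"
    try {
        $scp = Get-ADObject -SearchBase $searchBase -Filter 'objectClass -eq "serviceConnectionPoint"' -Properties keywords
    } catch {
        return $null   # container absent: the wizard has not configured this forest
    }
    if (-not $scp) { return $null }
    $result = [ordered]@{ DistinguishedName = $scp.DistinguishedName }
    foreach ($kw in $scp.keywords) {
        # Keywords look like "azureADName:contoso.onmicrosoft.com" and "azureADId:<guid>"
        $name, $value = $kw -split ':', 2
        $result[$name] = $value
    }
    [pscustomobject]$result
}

function Get-DeviceRegistrationState {
    # dsregcmd /status prints "Key : Value" lines; turn them into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        DomainJoined  = $state['DomainJoined']  -eq 'YES'
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'
        HybridJoined  = ($state['DomainJoined'] -eq 'YES') -and ($state['AzureAdJoined'] -eq 'YES')
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
        # MdmUrl is populated once the device has picked up the Intune enrollment URLs.
        MdmUrl        = $state['MdmUrl']
    }
}

# From a domain-joined admin workstation with RSAT:
$scp = Get-HybridJoinScp
if ($scp) { $scp | Format-List } else { Write-Warning 'No hybrid Azure AD join SCP found in this forest.' }

# On a Windows 10 client (run elevated for full dsregcmd output):
$reg = Get-DeviceRegistrationState
$reg | Format-List
if (-not $reg.HybridJoined) {
    # The join is performed by this scheduled task at sign-in; its last result is
    # the first thing to check when AzureAdJoined stays NO.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join' |
        Get-ScheduledTaskInfo | Select-Object LastRunTime, LastTaskResult
}
```

A client whose `AzureAdJoined` stays `NO` while the SCP is present usually has not been able to reach the registration endpoints or has not yet run the Automatic-Device-Join task since the SCP was created; the task's last result code is the quickest pointer into the troubleshooting article referenced above.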

Configure Client Settings to direct clients to register with Azure AD

Use Client Settings to configure Configuration Manager clients to automatically register with Azure AD.

1. Open the Configuration Manager console, go to Administration > Overview > Client Settings, and then edit the Default Client Settings.

2. Select Cloud Services.

3. On the Default Settings page, set Automatically register new Windows 10 domain joined devices with Azure Active Directory to Yes.

4. Select OK to save this configuration.

Because this change is made in the Default Client Settings, it applies to every client in the hierarchy. If you want to limit registration to the devices you plan to pilot, configure the same setting in a custom client device settings object instead and deploy it to your pilot collection.

Configure auto-enrollment of devices to Intune

Next, we'll set up auto-enrollment of devices with Intune. With automatic enrollment, devices you manage with Configuration Manager automatically enroll with Intune.

Automatic enrollment also lets users enroll their Windows 10 devices to Intune. Devices enroll when a user adds their work account to their personally owned device, or when a corporate-owned device is joined to Azure Active Directory.

1. Sign in to the Azure portal and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.

2. Configure MDM user scope. Specify one of the following to configure which users' devices are managed by Microsoft Intune, and accept the defaults for the URL values:

   - Some: Select the groups that can automatically enroll their Windows 10 devices.

   - All: All users can automatically enroll their Windows 10 devices.

   - None: Disable MDM automatic enrollment.

   Important If both MAM user scope and automatic MDM enrollment (MDM user scope) are enabled for a group, only MAM is enabled. Only mobile application management (MAM) is added for users in that group when they workplace join a personal device. Devices aren't automatically MDM-enrolled.

3. Select Save to complete configuration of automatic enrollment.

4. Return to Mobility (MDM and MAM) and then select Microsoft Intune Enrollment.

   Note Some tenants may not have these options to configure. Microsoft Intune is how you configure the MDM app for Azure AD. Microsoft Intune Enrollment is a specific Azure AD app that's created when you apply multi-factor authentication policies for iOS and Android enrollment. For more information, see Require multi-factor authentication for Intune device enrollments.

5. For MDM user scope, select All, and then Save.

Enable co-management in Configuration Manager

With hybrid Azure AD set-up and Configuration Manager client configurations in place, you're ready to flip the switch and enable co-management of your Windows 10 devices.

Tip When you enable co-management, you'll assign a collection as a Pilot group. This is a group that contains a small number of clients to test your co-management configurations. We recommend you create a suitable collection before you start the procedure. Then you can select that collection without exiting the procedure to do so.

Starting in Configuration Manager version 1906, you may need multiple collections since you can assign a different Pilot group for each workload.
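The wizard only lets you pick an existing collection, so create the pilot collection first. The following PowerShell is an added example, not part of the original tutorial or of the Configuration Manager product code. It uses the Configuration Manager PowerShell module that ships with the console and assumes the console is installed on the machine where it runs, that the site code is `PS1`, that `All Systems` is an acceptable limiting collection, and that pilot machines sit in an AD organizational unit named `contoso.com/Workstations/Pilot`; the function name and device names are the example's own.

```powershell
# Added example: create a small, self-maintaining pilot collection for co-management.
# Membership is scoped to one AD OU and to clients that already run Windows 10,
# version 1709 (build 16299) or later, which auto-enrollment requires.

# Load the module from the console installation and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
$siteCode = 'PS1'   # assumption: replace with your site code
Set-Location "$($siteCode):"

function New-CoManagementPilotCollection {
    param(
        [string]$Name = 'Co-management Pilot',
        [string]$LimitingCollection = 'All Systems',
        [string]$PilotOu = 'contoso.com/Workstations/Pilot',   # assumption
        [string[]]$SeedDevices = @()
    )
    $existing = Get-CMDeviceCollection -Name $Name
    if ($existing) { return $existing }

    # Incremental plus scheduled refresh: devices that move into the OU or
    # upgrade to a supported build join the pilot without manual edits.
    New-CMDeviceCollection -Name $Name -LimitingCollectionName $LimitingCollection -RefreshType Both | Out-Null

    # BuildNumber is a string in hardware inventory; all Windows 10 builds are five
    # digits, so a string comparison against "16299" is safe here.
    $query = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceId = SMS_R_System.ResourceId
where SMS_R_System.OperatingSystemNameandVersion like "%Workstation 10.0%"
  and SMS_G_System_OPERATING_SYSTEM.BuildNumber >= "16299"
  and SMS_R_System.SystemOUName = "$PilotOu"
  and SMS_R_System.Client = 1
"@
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Name -RuleName 'Pilot OU, Windows 10 1709+ clients' -QueryExpression $query

    # Direct rules for the named test machines that must always be in the pilot.
    foreach ($device in $SeedDevices) {
        $resource = Get-CMDevice -Name $device
        if ($resource) {
            Add-CMDeviceCollectionDirectMembershipRule -CollectionName $Name -ResourceId $resource.ResourceID
        } else {
            Write-Warning "Device '$device' not found in the site database."
        }
    }
    Get-CMDeviceCollection -Name $Name
}

# Device names are assumptions for the example.
New-CoManagementPilotCollection -SeedDevices 'PILOT-PC01', 'PILOT-PC02' |
    Select-Object Name, CollectionID, MemberCount
```

Run the function once per pilot group you need: in version 1906 and later you can point each workload at its own collection, and the Intune Auto Enrollment collection should be the superset of all of them.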

Enable co-management starting in version 1906

When enabling co-management, you can use the Azure Public Cloud, Azure US Government Cloud, or Microsoft Azure China 21Vianet (added in version 2006). To enable co-management starting in Configuration Manager version 1906, follow the instructions below:

1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Co-management node.

2. Select Configure co-management in the ribbon to open the Co-management Configuration Wizard.

3. On the Tenant onboarding page of the wizard, configure the Azure environment to use. Choose one of the following environments:

   - Azure Public Cloud

   - Azure US Government Cloud

   - Azure China Cloud (added in version 2006). Update the Configuration Manager client to the latest version on your devices before onboarding to Azure China Cloud.

   When you select Azure China Cloud or Azure US Government Cloud, the Upload to Microsoft Endpoint Manager admin center option for tenant attach is disabled.

4. Select Sign In. Sign in as an Azure AD global administrator, and then select Next. You sign in this one time for the purposes of this wizard. The credentials aren't stored or reused elsewhere.

5. On the Enablement page, choose the following settings:

   - Automatic enrollment into Intune: Enables automatic client enrollment in Intune for existing Configuration Manager clients. This option allows you to enable co-management on a subset of clients to initially test co-management, and roll out co-management using a phased approach. If a device is unenrolled by the user, on the next evaluation of the policy, it will re-enroll.

     - Pilot: Only the Configuration Manager clients that are members of the Intune Auto Enrollment collection are automatically enrolled to Intune.

     - All: Enable automatic enrollment for all Windows 10, version 1709 or later, clients.

   - Intune Auto Enrollment: This collection should contain all of the clients you want to onboard into co-management. It's essentially a superset of all the other staging collections.

   Automatic enrollment isn't immediate for all clients. This behavior helps enrollment scale better for large environments. Configuration Manager randomizes enrollment based on the number of clients. For example, if your environment has 100,000 clients, when you enable this setting, enrollment occurs over several days.

   Note Starting in version 1906, a new co-managed device automatically enrolls to the Microsoft Intune service based on its Azure Active Directory (Azure AD) device token. It doesn't need to wait for a user to sign in to the device for auto-enrollment to start. This change helps to reduce the number of devices with the enrollment status Pending user sign in. To support this behavior, the device needs to be running Windows 10, version 1803 or later. For more information, see Co-management enrollment status. If you already have devices enrolled to co-management, new devices now enroll immediately once they meet the prerequisites.

6. For internet-based devices that are already enrolled in Intune, copy and save the command line on the Enablement page. You'll use this command line to install the Configuration Manager client as an app in Intune for internet-based devices. If you don't save this command line now, you can review the co-management configuration at any time to get this command line.

7. On the Workloads page, for each workload, choose which device group to move over for management with Intune. For more information, see Workloads. If you only want to enable co-management, you don't need to switch workloads now. You can switch workloads later. For more information, see How to switch workloads.

   - Pilot Intune: Switches the associated workload only for the devices in the pilot collections you'll specify on the Staging page. Each workload can have a different pilot collection.

   - Intune: Switches the associated workload for all co-managed Windows 10 devices.

   Important Before you switch any workloads, make sure you properly configure and deploy the corresponding workload in Intune. Make sure that workloads are always managed by one of the management tools for your devices.

8. On the Staging page, specify the pilot collection for each of the workloads that are set to Pilot Intune.

9. To enable co-management, complete the wizard.
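Once the wizard completes, the clients in your pilot collection pick up the co-management policy on their next machine policy cycle, and enrollment is then spread out over time. The following PowerShell is an added example for checking where an individual client has got to; it is not part of the original tutorial or of the Configuration Manager client. It reads the state the client and the Windows MDM stack leave in the registry and tails the client's co-management log. The function name is the example's own, and the interpretation of the low bit of `CoManagementFlags` as "co-management enabled" is an assumption you should confirm against `CoManagementHandler.log` in your own environment.

```powershell
# Added example: inspect a Windows 10 client's co-management and Intune enrollment
# state. Run elevated on the client.

function Get-CoManagementClientState {
    # CoManagementFlags is written by the ConfigMgr client from the co-management
    # policy. Assumption for this example: the low bit (value 1) means co-management
    # is enabled; higher bits record which workloads have been switched to Intune.
    $ccm   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction SilentlyContinue
    $flags = [int]($ccm.CoManagementFlags)

    # Windows records every MDM enrollment under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>;
    # Intune enrollments carry the provider ID "MS DM Server".
    $intune = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object -First 1

    $logPath = 'C:\Windows\CCM\Logs\CoManagementHandler.log'
    [pscustomobject]@{
        CoManagementFlags = $flags
        FlagsBinary       = [Convert]::ToString($flags, 2)
        CoManagementOn    = ($flags -band 1) -eq 1
        IntuneEnrolled    = [bool]$intune
        EnrolledUpn       = $intune.UPN
        EnrollmentServer  = $intune.DiscoveryServiceFullURL
        LogTail           = if (Test-Path $logPath) { Get-Content $logPath -Tail 5 } else { @() }
    }
}

$state = Get-CoManagementClientState
$state | Select-Object CoManagementFlags, FlagsBinary, CoManagementOn, IntuneEnrolled, EnrolledUpn, EnrollmentServer |
    Format-List
$state.LogTail

# Enrollment is randomized across the fleet, so a client that has the policy but is
# not yet enrolled is not necessarily broken. To hurry one test machine along,
# trigger the machine policy retrieval (…021) and evaluation (…022) cycles.
if ($state.CoManagementOn -and -not $state.IntuneEnrolled) {
    foreach ($id in '{00000000-0000-0000-0000-000000000021}', '{00000000-0000-0000-0000-000000000022}') {
        Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
            -Arguments @{ sScheduleID = $id } | Out-Null
    }
}
```

A device that shows `CoManagementOn` as false never received the policy, which usually means it is not in the Intune Auto Enrollment collection or has not completed a machine policy cycle since you ran the wizard; a device that shows it as true but `IntuneEnrolled` as false is waiting either on the randomized enrollment window or on the hybrid Azure AD registration covered earlier in this tutorial.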

Enable co-management in version 1902 and earlier

To enable co-management for Configuration Manager version 1902 and earlier, follow the instructions below:

1. In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Co-management node.

2. Select Configure co-management in the ribbon to open the Co-management Configuration Wizard.

3. On the Subscription page of the wizard, select Sign In. Sign in to your Intune tenant, and then select Next.

4. On the Enablement page, choose your Automatic enrollment into Intune setting, either Pilot or All. This action enables automatic client enrollment in Intune for existing Configuration Manager clients. When you choose Pilot, only the Configuration Manager clients that are members of the pilot collection are automatically enrolled to Intune. This option allows you to enable co-management on a subset of clients to initially test co-management, and roll out co-management using a phased approach. If a device is unenrolled by the user, on the next evaluation of the policy, it will re-enroll.

   Automatic enrollment isn't immediate for all clients. This behavior helps enrollment scale better for large environments. Configuration Manager randomizes enrollment based on the number of clients. For example, if your environment has 100,000 clients, when you enable this setting, enrollment occurs over several days.

5. For internet-based devices that are already enrolled in Intune, copy and save the command line on the Enablement page. You can use this command line to install the Configuration Manager client as an app in Intune. If you don't save this command line now, you can review the co-management configuration at any time to get this command line.

6. On the Workloads page, for each workload, choose which device group to move over for management with Intune. For more information, see Workloads. If you only want to enable co-management, you don't need to switch workloads now. You can switch workloads later. For more information, see How to switch workloads.

   - The Pilot Intune setting switches the associated workload only for the devices in the pilot collection.

   - The Intune setting switches the associated workload for all co-managed Windows 10 devices.

   Important Before you switch any workloads, make sure you properly configure and deploy the corresponding workload in Intune. Make sure that workloads are always managed by one of the management tools for your devices.

7. On the Staging page, configure the following settings:

   - Pilot: The pilot group contains one or more collections that you select. Use this group as part of your phased rollout of co-management. Start with a small test collection, and then add more collections to the pilot group as you roll out co-management to more users and devices. You can change the collections in the pilot group at any time.

   - Production: Configure the Exclusion group with one or more collections. Devices that are members of any of the collections in this group are excluded from using co-management.

8. To enable co-management, complete the wizard.

Next steps