Co-management Integration

Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud. There are two main paths to reach co-management. Enabling co-management itself doesn't require that you onboard your site with Azure AD. In the second path, internet-based Configuration Manager clients require the cloud management gateway (CMG), and the CMG requires that the site be onboarded to Azure AD for cloud management.

  1. Existing Configuration Manager clients: You have Windows 10 or later devices that are already Configuration Manager clients. You set up hybrid Azure AD, and enroll them into Intune.

The illustration below shows how Configuration Manager Windows 10 clients reach the co-managed state.

Prerequisites:

a. The device has to be hybrid Azure AD joined: the devices are already joined to the on-premises Active Directory and need to enroll in Intune MDM, and to enroll in Intune MDM a device must first be registered with Azure Active Directory.

b. Configure MDM automatic enrollment for Windows devices in the Intune portal so that devices enroll when they join or register with Azure AD. (Automatic enrollment of Windows 10 devices in MDM can also be achieved using Group Policy.)

The MDM user scope is set to Some so that only the users who are members of the group we specified are allowed to enroll their devices (a user security group was created and the targeted users were assigned to it to allow their devices to auto-enroll in Intune).

c. Create a device collection in Configuration Manager.

d. Start the Co-management Configuration Wizard from the Configuration Manager console and allow the devices to auto-enroll in Intune during the process, as shown below. Configuration Manager version: 2107.

(Screenshots in the original: device status in the Intune portal, and device state in Azure AD.)

The second path for a device to reach the co-managed state:

  2. New internet-based devices: Windows 10 or later devices that join Azure AD and automatically enroll in Intune. You install the Configuration Manager client to reach a co-management state.

Although the Windows 10 devices exist in Azure AD and are auto-enrolled in Intune, Configuration Manager is not aware of them yet. For Configuration Manager to become aware of them, you need to install the Configuration Manager client on the Windows 10 devices selected for co-management. Here we assume that the Windows 10 devices are Azure AD joined and auto-enrolled in Intune. See: Set up enrollment for Windows devices by using Microsoft Intune | Microsoft Docs.

So the next step is to create a security group in the Intune console to hold the devices (screenshot in the original).

Next step

Create an Intune app to install the Configuration Manager client. Tutorial – Enable co-management for internet devices – Configuration Manager | Microsoft Docs

  1. Sign in to the Microsoft Endpoint Manager admin center. Then, go to Apps > All Apps > Add.
  2. For app type, select Line-of-business app under Other.
  3. For the App package file, browse to the location of the Configuration Manager file ccmsetup.msi (for example, C:\Program Files\Microsoft Configuration Manager\bin\i386\ccmsetup.msi). Then, select Open > OK.
  4. Select App Information, and then specify the following details:
    • Description: Enter Configuration Manager Client.
    • Publisher: Enter Microsoft.
    • Command-line arguments: Specify the CCMSETUPCMD command. You can use the command that you saved from the Enablement page of the Co-management Configuration Wizard. This command includes the name of your cloud service and additional values that enable devices to install the Configuration Manager client software.
      The command-line structure should resemble this example, which uses only the CCMSETUPCMD and SMSSiteCode parameters:
      CCMSETUPCMD="CCMHOSTNAME=<ServiceName>.CLOUDAPP.NET/CCM_Proxy_MutualAuth/<GUID>" SMSSiteCode="<YourSiteCode>"

      Tip: If you don't have the command available, you can view the properties of CoMgmtSettingsProd in the Configuration Manager console to get a copy of the command. The command appears only if you've met all of the prerequisites, such as setting up a CMG.
  5. Select OK > Add. The app is created and becomes available in the Intune console. After the app is available, you can use the following section to assign the app to your devices from Intune.

Next Step

Assign the Intune app to install the Configuration Manager client

The following procedure deploys the app for installing the Configuration Manager client that you created in the previous procedure:

  1. Sign in to the Microsoft Endpoint Manager admin center. Select Apps > All Apps, and then select ConfigMgr Client Setup Bootstrap. That’s the app that you created to deploy the Configuration Manager client.
  2. Select Properties, and then select Edit for Assignments. Select Add group under Required assignments to set the Azure AD groups that have users and devices that you want to participate in co-management.
  3. Select Review + save > Save to save the configuration. The app is now required by users and devices that you assigned it to. After the app installs the Configuration Manager client on a device, it’s managed by co-management.

Validation:

Open CoManagementHandler.log on the client computer to see whether the device is in the co-managed state.

Alternatively, open the Configuration Manager client applet from Control Panel and review the General tab => Co-Management.
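As an added check, not part of the original post, the following PowerShell script confirms the join and enrollment prerequisites from path 1 (hybrid Azure AD join, MDM enrollment) and then reads the client's CoManagementFlags registry value and the tail of CoManagementHandler.log for the validation step. The registry path, the reading of a non-zero flag value as "co-management enabled", and the log location under %windir%\CCM\Logs are assumptions; run it in an elevated session on the client.

```powershell
# Added example (not from the original post): prerequisite and co-management state check.
function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; fold them into a hashtable
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-CoManagementReadiness {
    param([switch]$HybridJoinExpected)  # path 1: device must be DomainJoined AND AzureAdJoined
    $s = Get-DsregStatus
    $result = [ordered]@{
        AzureAdJoined = ($s['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($s['DomainJoined']  -eq 'YES')
        # MdmUrl is blank when the device is not enrolled in an MDM such as Intune
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($s['MdmUrl'])
    }
    if ($HybridJoinExpected) {
        $result.HybridAadJoined = $result.DomainJoined -and $result.AzureAdJoined
    }
    # Assumption: the client writes CoManagementFlags once the co-management policy applies,
    # and a non-zero value means co-management is enabled on this device.
    $flags = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' `
              -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags
    $result.CoManagementFlags = $flags
    $result.CoManaged = ($null -ne $flags -and [int]$flags -gt 0)
    return [pscustomobject]$result
}

# Show the most recent lines of the log the post points to for validation (assumed path)
$log = Join-Path $env:windir 'CCM\Logs\CoManagementHandler.log'
if (Test-Path $log) { Get-Content -Path $log -Tail 20 }

Test-CoManagementReadiness -HybridJoinExpected
```

For path 2 devices, omit -HybridJoinExpected: they are Azure AD joined only, so DomainJoined is expected to be NO.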
