Thursday, 23 April 2020

Configuration Manager co-management considerations

Co-management allows you to cloud-attach your Configuration Manager infrastructure. Essentially it enables you to manage Windows 10 devices with the ConfigMgr agent and Intune MDM at the same time. Implementing co-management gives you instant access to invaluable features like conditional access.

I just want to share some information on co-management that I find useful.

Co-management scenarios

My previous understanding was that, without co-management, it was not possible to manage a Windows 10 device with ConfigMgr and Intune at the same time. However, as I recently discovered on a customer site, that is only partially true. It depends on the order.

On a recent customer engagement, I had configured co-management with a pilot collection.

I was very surprised to see co-managed devices in the Azure portal that were not members of the pilot collection. I now understand that it depends on the scenario.

If the ConfigMgr agent is running on a device and the device becomes Azure AD joined, no attempt is made to enrol in Intune, even if automatic Intune enrolment is configured. When co-management is configured, then automatic Intune enrolment kicks in and enrols the device in Intune.

However, what happens if the device is MDM enrolled first? In this case you can install the ConfigMgr agent. The device will be co-managed but will not receive any workloads if it hasn’t been added to a co-managed collection.

In this case you will see a co-management capability of 1, which is what I saw on my customer site. This means that the device is co-managed but hasn’t received any policy. The “real” co-managed devices had a capability of 45. 

Intune automatic enrolment

What happens if my devices are already Azure AD joined but I haven’t configured automatic Intune enrolment? 

I was concerned that automatic enrolment was a one-time thing i.e. when the device is joined to Azure AD it is automatically enrolled in Intune (if that is configured). I was concerned that if automatic enrolment is not configured first then the Intune enrolment doesn’t try again as the device will already be joined to Azure AD.

MDM URLs must be populated on the client before it can be successfully enrolled. These URLs are populated by the automatic Intune enrolment user scopes. When co-management is configured, the ConfigMgr agent periodically checks for these URLs and keeps retrying until they are populated. At that point, the device is enrolled in Intune. It is not a one-time thing.

ConfigMgr client settings

Hybrid Azure AD join, and automatic Intune enrolment are among the prerequisites for co-management. What happens if you configure hybrid AADJ using Azure AD Connect? Do you still need to configure this in ConfigMgr client settings (Automatically register new Windows 10 domain joined devices with Azure Active Directory to = Yes)?

The answer is no. You do not need it. This is a throwback to when you needed a GPO to tell devices to perform a hybrid AADJ. Current supported versions of Windows 10 will automatically join Azure AD if they find a Service Connection Point in Active Directory.

However, this is the default setting and you should leave it alone. If you turn it off, you may block devices from competing the AAD join.


As stated above you no longer need to configure a GPO to force a hybrid AAD join. For current supported Windows 10 devices, this should happen automatically.

Co-management display changes (April 2020)

There are some changes in the 2004 service release. On the All devices page, the entries for the Managed by column have changed:
  • Intune is now displayed instead of MDM
  • Co-managed is now displayed instead of MDM/ConfigMgr Agent

Learn more about co-management in the official Microsoft docs

I hope this helps you to understand and configure co-management. Until next time…..