Introduction
Microsoft has just released System Center Configuration Manager Technical Preview 1709, and that Technical Preview release allows you to configure co-management. Microsoft announced co-management at Microsoft Ignite (September 2017) and now with this release you can begin testing that scenario (however you still need the yet to be released Windows 10 Fall creators update edition, aka Windows 10 version 1709), so for now you’ll need to test with a Windows Insider preview release.
But what is co-management ? according to Microsoft it is…
Co-management is a solution where Windows 10 devices can be concurrently managed by Configuration Manager and Intune, as well as joined to Active Directory (AD) and Azure Active Directory (Azure AD) to provide a way for you to modernize over time. It’s a solution to provide a bridge from traditional to modern management and provides you with a path to make the transition using a phased approach.
The graphic below shows you that scenario.
Prerequisites
The following are general prerequisites for you to enable co-management:
- Technical Preview for Configuration Manager version 1709
- Azure AD
- EMS or Intune license for all users
- Intune subscription (MDM authority in Intune set to Intune)
Additional prerequisites for existing Configuration Manager clients
- Windows 10, version 1709 (Fall Creators Update) and later
- Hybrid Azure AD joined (joined to AD and Azure AD)
Additional prerequisites for new Windows 10 devices
- Windows 10, version 1709 (Fall Creators Update) and later
- Cloud Management Gateway in Configuration Manager
Create some collections
In SCCM Assets and Compliance, select Device Collections and create a device collection, called Pilot co-managed devices, and alternatively one called Production co-managed devices, populate them with some devices.
Enabling co-management
To configure Co-Management, select Administration, Cloud Services, and click on Co-Management. Enter the credentials of your Standalone MDM Intune tenant and click Sign In.
Create a Pilot co-management policy
To being with, you’ll want to do a Pilot configuration of Co-Management.
Select your Pilot group of co-managed devices by clicking on Browse and selecting the Pilot co-managed devices collection created above.
On the Configure Enablement screen, set the drop down to Pilot
Click on Copy to copy that line of text
The text will be something like this:
CCMSETUPCMD=”/mp:https:// CCMHOSTNAME= SMSSiteCode= SMSMP=https:// AADTENANTID= AADTENANTNAME= AADCLIENTAPPID= AADRESOURCEURI= SMSPublicRootKey=”
You can use that to create your Intune app to install the ConfigMgr client agent.
Next, you can configure the workloads (on or off, there is no middle ground here)
and continue the wizard through to completion.
Create a Production co-management policy
After creating the above policy, and once you’ve completed your pilot, create a new Production policy (Pilot will be greyed out).
Now, the drop down can choose All (or none).
and again configure workloads…
The created policies are shown here.
Recommended reading
To get more info about this topic, please review the following blog posts from Microsoft.
I have a question I hope you can answer. If we have on-prem AD joined Windows 10 device and have setup co-management do we have to configure (1) “hybrid Azure Active Directory joined devices” or (2) configure the GPO “Enroll a Windows 10 device automatically using Group Policy” or (3) does the ConfigMgr client do this and registers the device?
Secondly when we have on-prem AD joined Windows 10 device and have setup full co-management with client management gateway and cloud distribution point, and the device is off network for more than 30 days does the computer account/password expire or is this mitigated by the management gateway/internet facing?