Overview
- In this video guide, we will be covering how to set up co-management in Microsoft SCCM. Co-management allows you to use the full Configuration Manager client alongside Microsoft Intune MDM on the same device.
Topics in Video
- Overview of Co-management in SCCM and Microsoft Intune – https://youtu.be/rTapalSHv6U?t=21
- The first scenario overview, using Azure AD Join Only (Cloud Domain Join) – https://youtu.be/rTapalSHv6U?t=62
- The second scenario overview, using On-Prem domain join and auto-register in Azure Hybrid AD and MDM – https://youtu.be/rTapalSHv6U?t=86
- Validate Azure AD and Intune enrollment is enabled in the online portal – https://youtu.be/rTapalSHv6U?t=113
- Covering CMG prerequisites for the option to Install the SCCM Agent from an Azure AD only scenario – https://youtu.be/rTapalSHv6U?t=252
- Add the co-management subscription into the SCCM console – https://youtu.be/rTapalSHv6U?t=358
- Uploading the CCMSetup.msi to auto-deploy through Intune to install the SCCM agent through CMG – https://youtu.be/rTapalSHv6U?t=496
- Enroll a device into Azure AD from OOBE to have it auto-enroll into MDM/Intune – https://youtu.be/rTapalSHv6U?t=676
- Validate the device enrolled in MDM and the SCCM Client auto started and review the CCMSetup download from CMG over the internet – https://youtu.be/rTapalSHv6U?t=758
- Review ClientIDManagerStartup.log to see how the Azure AD authentication is used to get the client approved within the SCCM environment – https://youtu.be/rTapalSHv6U?t=871
- Validate in the Configuration Manager Control Panel applet the co-management is showing enabled – https://youtu.be/rTapalSHv6U?t=947
- Review the scenario for registering on-prem domain joined devices to register into Hybrid Azure AD and auto-MDM enroll in Intune – https://youtu.be/rTapalSHv6U?t=1043
- Install Azure AD Connect and Configure the OU for the user/device sync we need for the lab – https://youtu.be/rTapalSHv6U?t=1093
- Validate a valid public UPN suffix is configured in Active Directory Domain and Trust and configure the on-prem users that will be used to auto-enroll devices with the public UPN in AD Users and Computers – https://youtu.be/rTapalSHv6U?t=1171
- Set GPO to have devices auto-enroll into MDM/Intune once the device is registered in Azure AD – https://youtu.be/rTapalSHv6U?t=1568
- Run dsregcmd /status to see if the device is registered with Azure AD – https://youtu.be/rTapalSHv6U?t=1687
- Configure devices to automatically Hybrid Azure AD join in Azure AD Connect – https://youtu.be/rTapalSHv6U?t=1731
- Validate on-prem domain joined SCCM client switched to be co-managed after auto-enrolling into Intune – https://youtu.be/rTapalSHv6U?t=1928
- Validate both devices are showing in Intune and the SCCM console with co-management capabilities – https://youtu.be/rTapalSHv6U?t=1997
- Deploy device reset to both co-managed devices – https://youtu.be/rTapalSHv6U?t=2099
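The hybrid scenario above (GPO auto-enrollment, dsregcmd /status, then the client switching to co-managed) is easy to get half-right, so here is an added PowerShell validation script for one on-prem domain-joined Windows 10 device. It is example code written for this page, not a script from the video or from Microsoft. It assumes it runs elevated on the device being checked, that dsregcmd /status prints the usual "Name : Value" fields (AzureAdJoined, DomainJoined, MdmUrl, AzureAdPrt), that the auto-enrollment GPO writes AutoEnrollMDM and UseAADCredentialType under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM, and that the Configuration Manager client logs to %windir%\CCM\Logs.

```powershell
# Added example, not part of the original guide: validate the hybrid Azure AD
# join and MDM auto-enrollment prerequisites on a Windows 10 device.
# Assumptions: run elevated on the device; dsregcmd field names as printed by
# Windows 10; GPO registry values as documented for the auto-enrollment policy.

function Get-DsregStatus {
    # Turn the "Name : Value" lines of dsregcmd /status into a hashtable
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-AutoEnrollPolicy {
    # Values written by the GPO "Enable automatic MDM enrollment using
    # default Azure AD credentials"; missing values read back as 0
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoEnrollMDM        = [int]$values.AutoEnrollMDM
        UseAADCredentialType = [int]$values.UseAADCredentialType
    }
}

$ds  = Get-DsregStatus
$pol = Get-AutoEnrollPolicy

# Each check maps to a step in the guide: on-prem join, hybrid join,
# MDM discovery, user token for the enrollment, and the GPO itself
$checks = [ordered]@{
    'Domain joined (on-prem)'         = ($ds.DomainJoined -eq 'YES')
    'Azure AD joined (hybrid)'        = ($ds.AzureAdJoined -eq 'YES')
    'MDM URL discovered'              = (-not [string]::IsNullOrEmpty($ds.MdmUrl))
    'Azure AD PRT present (user SSO)' = ($ds.AzureAdPrt -eq 'YES')
    'GPO AutoEnrollMDM = 1'           = ($pol.AutoEnrollMDM -eq 1)
    'GPO UseAADCredentialType = 1'    = ($pol.UseAADCredentialType -eq 1)
}

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-34} {1}' -f $name, $state
}

# Assumed location of the enrollment scheduled task the policy creates
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State

# The Configuration Manager client records the co-management switch here
$log = Join-Path $env:windir 'CCM\Logs\CoManagementHandler.log'
if (Test-Path $log) { Get-Content $log -Tail 20 }
```

Run it in the context of the user who signed in to the device, since the AzureAdPrt line comes from that user's SSO state; a FAIL on the PRT or MDM URL lines with the join lines passing points at the user or tenant side (UPN suffix, MDM user scope) rather than at the GPO, while a FAIL on the GPO lines means the policy never reached the device. If everything passes but the SCCM console still shows the client as not co-managed, the tail of CoManagementHandler.log is the place to read next.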
Helpful Resources:
- Tutorial: Configure hybrid Azure Active Directory join for managed domains – https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains
- Enable Windows 10 automatic MDM enrollment – https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment
- Co-management for Windows 10 devices – https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview
- Enroll a Windows 10 device automatically using Group Policy – https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy
- Prerequisites for co-management – https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-prepare#prerequisites
- Auto-Pilot for new Windows 10 Devices – https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-prepare#new-windows-10-devices
Do you know if it is a requirement for auto-enrollment to Intune that the user be a device administrator? My standard users' devices will not auto-enroll.
That's a good question. In my lab the user account did have local admin. Here's a post about a similar topic that may help: https://social.technet.microsoft.com/Forums/en-US/d2bda796-eef4-452a-b622-7c7463218555/mdm-enrollment-error-0x8018002b-on-windows-10-1709?forum=microsoftintuneprod. I can test it sometime next week.
Did you ever get to test if you needed to be an admin? I'm still having a similar issue where non-admins cannot auto-enroll.
Sorry, I haven’t tested that and don’t have the setup. I would recommend creating a case with Microsoft. Make sure they know this is the case. Seems like a bad design and something that should be improved in a future build if this is the case.
Is it true you have to be a device administrator for auto-enrollment to Intune?
Thank you for the video. It's very well explained.
One question from me. You have mentioned group policy can be used to enroll on-prem systems in Intune. Is it a supported method in a hybrid scenario?
I was testing the same behavior in a hybrid environment, group policy deployed. The Win10 device is showing in Intune as well as in SCCM, however the co-management status in SCCM is showing NO.
Not sure what happened exactly... can you please suggest?
Sorry for the delay, did you figure this one out?