Microsoft’s Endpoint Manager combines SCCM (now: Endpoint Configuration Manager) with the cloud service Intune. It provides co-management for Windows 10 PCs, in which the local ECM infrastructure and Intune are coupled. The admin decides which of the two takes on which administrative tasks.
The Endpoint Configuration Manager is released several times a year in a revised version and thus constantly receives new features. The current branch version for this article is 2002. Microsoft’s roadmap is also pursuing an ever closer merger of the established on-prem infrastructure with Intune from the cloud (see: Microsoft merges SCCM and Intune to Endpoint Manager).
As part of this integration, the Azure Intune portal will be switched over to the Microsoft Endpoint Manager Admin Center on August 1, 2020; a corresponding message is currently shown in Intune.
In Configuration Manager, various Azure services have been integrated under Cloud Services for a long time, and co-management is possible there as well. This means that Windows 10 systems can be managed via the ECM and at the same time via Intune.
Requirements for co-management
The following requirements must be met for co-management:
- Configuration Manager version 1710 or later
- Windows 10 version 1709 or later
- An Azure AD Premium license
- Intune licenses for all users (EMS or M365)
- An Intune subscription
- Cloud Management Gateway (if the Windows 10 computers are only members of Azure AD)
- Azure AD Connect
I’m assuming a hybrid configuration here; my systems were traditionally joined to the local AD and registered in Azure Active Directory.
There are two variants for co-management:
- Existing devices that are currently managed by the local Configuration Manager can be enrolled in Intune. The management of the Windows 10 systems remains the same, with the difference that you also benefit from the Intune tools. A hybrid configuration of the Active Directory with Azure AD is required (see the tutorial from Microsoft).
- Management without a hybrid configuration of the local AD with AAD. Windows 10 devices are deployed via Autopilot from Intune. The Cloud Management Gateway (CMG) is required to install the Configuration Manager client; it allows Configuration Manager clients to be managed over the Internet (there is also a tutorial for this).
In the Configuration Manager console, the Administration workspace leads to Cloud Services. Below that we reach the configuration for co-management.
Next, our Intune subscription is queried; enter the login data of the Global Administrator once here. Since version 2002, the upload to the Endpoint Manager Admin Center can also be activated at this point.
For this configuration, a pilot collection was created beforehand in Configuration Manager and has also received its own client settings for the cloud services. If the clients are only known in Intune, the second variant with the CMG is used instead.
The dialog then also outputs the command line for installing the Configuration Manager Client. An example:
With a local PKI, the /NoCRLCheck switch would have to be added to the installation command line. You can also leave workloads with the on-prem Configuration Manager, move them to Intune for piloting, or move them entirely to Intune.
Then you have to choose the collections for the pilot deployment.
As usual, the deployment of the settings is shown below the created collection for the pilots.
Move workloads to Intune
Let’s break down the different policies for workloads so you can see their benefits:
Compliance policies are rules and settings that determine whether a device counts as compliant. This also affects conditional access.
Device configuration covers the settings for managing end devices. For this workload, Configuration Manager must be at least version 1806.
Endpoint protection can be moved to Intune since Configuration Manager 1802. This includes anti-malware and Defender Firewall policies.
Resource access policies cover VPN, Wi-Fi and e-mail settings on Windows 10 devices, including certificate configurations.
Office Click-to-Run apps is the workload for managing Office 365 installations. After this workload has been moved to the cloud, the apps are visible in the Company Portal.
Windows Update policies apply to devices that are managed by Windows Update for Business. Here you configure policies for Windows 10 feature or quality updates.
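To check on a client which of the workloads above have actually been handed over to Intune, the following PowerShell script (an added example, not code from the original article) decodes the CoManagementFlags bitmask that the Configuration Manager client writes to the registry. The registry path HKLM:\SOFTWARE\Microsoft\CCM and the bit values follow Microsoft's documentation of CoManagementFlags; confirm both against the docs for your branch, as they are assumptions here, and the fallback value 49 is a constructed sample.

```powershell
# Added example, not from the original article. Bit 1 = co-management enabled,
# the remaining bits = workloads that have been moved to Intune (mapping per
# Microsoft's CoManagementFlags documentation; verify for your branch).
$WorkloadBits = [ordered]@{
    2   = 'Compliance policies'
    4   = 'Resource access policies'
    8   = 'Device configuration'
    16  = 'Windows Update policies'
    32  = 'Endpoint Protection'
    64  = 'Client apps'
    128 = 'Office Click-to-Run apps'
}

function Get-CoManagementWorkloads {
    param([int]$Flags)
    if (($Flags -band 1) -eq 0) { return @() }   # co-management not enabled at all
    foreach ($bit in $WorkloadBits.Keys) {
        if ($Flags -band $bit) { $WorkloadBits[$bit] }
    }
}

# Read the live value on a co-managed client. On a machine without the client,
# fall back to a constructed sample value: 1 + 16 + 32 = 49, i.e. enabled with
# Windows Update policies and Endpoint Protection moved to Intune.
$key   = 'HKLM:\SOFTWARE\Microsoft\CCM'
$flags = (Get-ItemProperty -Path $key -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags
if ($null -eq $flags) {
    $flags = 49
    Write-Host "No Configuration Manager client found, using sample value $flags"
}

Write-Host "CoManagementFlags = $flags"
if (($flags -band 1) -eq 0) {
    Write-Host 'Co-management is not enabled; all workloads stay with Configuration Manager.'
} else {
    $moved = @(Get-CoManagementWorkloads -Flags $flags)
    $kept  = @($WorkloadBits.Values | Where-Object { $_ -notin $moved })
    Write-Host "Workloads moved to Intune: $(if ($moved) { $moved -join ', ' } else { 'none (enrolled only)' })"
    Write-Host "Workloads still with Configuration Manager: $($kept -join ', ')"
}
```

Comparing this output with the workload sliders in the co-management properties is a quick way to confirm that a pilot device actually received the intended assignment.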