Endpoint Configuration Manager: Configure co-management with Intune

Microsoft Endpoint Manager combines Configuration Manager (formerly SCCM, now Endpoint Configuration Manager) with the cloud service Intune. It offers co-management for Windows 10 PCs: the on-premises Configuration Manager infrastructure and Intune are coupled, and the admin decides which of the two takes over which management tasks (workloads).

Configuration Manager is released several times a year as a new current branch version and thus continually receives new features. The current branch version used for this article is 2002. Microsoft’s roadmap also pursues an ever closer merger of the grown on-premises infrastructure with Intune in the cloud (see: Microsoft merges SCCM and Intune to Endpoint Manager).

As part of this integration, the Intune blade in the Azure portal will be switched over to the Microsoft Endpoint Manager admin center on August 1, 2020; a corresponding notice is currently displayed in Intune.

Migration from Intune Azure Portal to Endpoint Manager Admin Center

In Configuration Manager, various Azure services have been integrated under Administration > Cloud Services for some time, and co-management is one of them. It allows Windows 10 systems to be managed by Configuration Manager and by Intune at the same time.

Requirements for co-management

The following requirements must be met for co-management:

  • Configuration Manager version 1710 or later
  • Windows 10 version 1709 or later
  • An Azure AD Premium license
  • Intune licenses for all users (EMS or Microsoft 365)
  • An Intune subscription
  • A Cloud Management Gateway (if the Windows 10 computers are only Azure AD joined and are not reachable from the on-premises site)
  • Azure AD Connect (Download)

I am assuming a hybrid configuration here: my systems were joined to the local AD in the traditional way and registered in Azure Active Directory through Azure AD Connect (hybrid Azure AD join).
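The requirements above that can be verified on the client itself (Windows 10 build, Configuration Manager client version and the join state) can be checked with a short script before a device is put into the pilot collection. This is an added example and not part of the original article; the function name is mine, the thresholds are Windows 10 1709 (build 16299) and the Configuration Manager 1710 client (5.00.8577), and the licences, the Intune subscription and the CMG are not checked because they are not visible from the client.

```powershell
# Added example, not from the original article: local prerequisite check for
# co-management on a Windows 10 client. Function name is hypothetical.
function Test-CoManagementPrereq {
    [CmdletBinding()]
    param(
        [int]$MinWindowsBuild = 16299,            # Windows 10 1709
        [version]$MinClientVersion = '5.0.8577'   # Configuration Manager 1710 client
    )

    # Windows build from the CurrentVersion key (ReleaseId would be the marketing name, e.g. 1709)
    $nt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$nt.CurrentBuild

    # Configuration Manager client version from the SMS_Client WMI class in root\ccm
    $client = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction SilentlyContinue
    $clientVersion = if ($client) { [version]$client.ClientVersion } else { $null }

    # Join state from dsregcmd /status: a hybrid Azure AD joined device reports
    # "AzureAdJoined : YES" and "DomainJoined : YES"; a cloud-only device reports
    # AzureAdJoined : YES with DomainJoined : NO and needs the CMG instead.
    $status = dsregcmd /status
    function Get-DsregValue([string[]]$Lines, [string]$Name) {
        $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    }
    $azureAdJoined = Get-DsregValue $status 'AzureAdJoined'
    $domainJoined  = Get-DsregValue $status 'DomainJoined'

    $joinType = switch ("$azureAdJoined/$domainJoined") {
        'YES/YES' { 'Hybrid Azure AD joined' }
        'YES/NO'  { 'Azure AD joined only (CMG required for the ConfigMgr client)' }
        'NO/YES'  { 'Domain joined only (not registered in Azure AD)' }
        default   { 'Not joined / unknown' }
    }

    $clientOk = ($null -ne $clientVersion) -and ($clientVersion -ge $MinClientVersion)

    [pscustomobject]@{
        WindowsBuild   = $build
        WindowsOk      = $build -ge $MinWindowsBuild
        ClientVersion  = $clientVersion
        ClientOk       = $clientOk
        AzureAdJoined  = $azureAdJoined
        DomainJoined   = $domainJoined
        JoinType       = $joinType
        ReadyForHybrid = ($build -ge $MinWindowsBuild) -and $clientOk -and ($joinType -eq 'Hybrid Azure AD joined')
    }
}

Test-CoManagementPrereq | Format-List
```

Run it in an elevated PowerShell on the client. A device that reports AzureAdJoined : YES but DomainJoined : NO is not a candidate for the hybrid variant described here; it belongs to the second variant with the Cloud Management Gateway.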

Co-management options

There are two variants for co-management:

  1. Existing devices that are currently managed by the on-premises Configuration Manager are enrolled in Intune. Management of the Windows 10 systems remains as before, with the difference that you also benefit from the Intune tools. A hybrid configuration of the on-premises Active Directory with Azure AD is required (see the tutorial from Microsoft).
  2. Management without a hybrid configuration of the on-premises AD with Azure AD. Windows 10 devices are provisioned via Windows Autopilot from Intune. The Cloud Management Gateway (CMG) is required to install the Configuration Manager client; it allows Configuration Manager clients to be managed over the Internet (there is also a tutorial for this).

Activate co-management

In the Configuration Manager console, go to Administration > Cloud Services; the co-management configuration is found there.

Configuration of the co-management in the Configuration Manager

The wizard then asks for the Intune subscription: sign in once with the credentials of a Global Administrator (they are needed for this one-time sign-in only). Since version 2002, the upload to the Endpoint Manager admin center (tenant attach) can also be enabled here.

Log in with the Intune log-in data

For this configuration, a pilot collection was created beforehand in Configuration Manager and was given its own client settings for the cloud services. If the clients are only known to Intune, the second variant with the CMG is used instead.

Activation of co-management

The wizard also outputs the command line for installing the Configuration Manager client via Intune. An example:

CCMSETUPCMD="CCMHOSTNAME=kueppers.cloudapp.net/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=XYZ"

If the CMG uses a certificate from an on-premises PKI, the /NoCRLCheck switch may also have to be added so that ccmsetup does not fail when the client cannot reach the CRL. Note that this disables revocation checking on the client, so publishing the CRL to an Internet-reachable location is the better fix. For each workload you can leave it with the on-premises Configuration Manager, move it to Intune for the pilot collection only, or move it to Intune for all co-managed devices.

Move workloads to Intune for piloting only or for production

Then you have to select the collections for the pilot deployment.

Select Configuration Manager collections (here: for piloting). The deployments are then applied to them.

As usual, the deployment of the co-management settings is listed under the collection created for the pilots.

List of collections for pilot deployment

Move workloads to Intune

Let’s break down the individual workloads so you can see what each one covers:

Compliance policies define the rules and settings a device must meet in order to be reported as compliant. The compliance state is also what conditional access evaluates, so problems here show up as conditional access blocks.

Device configuration comprises the settings for managing end devices. Moving this workload requires Configuration Manager version 1806 or later.

Endpoint Protection can be moved to Intune since Configuration Manager 1802. This includes Defender antimalware and Defender Firewall policies.

Resource access policies cover VPN, Wi-Fi and e-mail profiles on Windows 10 devices, including the certificate profiles they rely on.

Summary of configuration for co-management

Office Click-to-Run apps is used to manage Microsoft 365 Apps (Office 365 ProPlus). After this workload has been moved to the cloud, the Office apps are visible in the Company Portal.

Windows Update policies apply to devices that are managed by Windows Update for Business. Here you configure the deferral policies for Windows 10 feature and quality updates.
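Whether a pilot device has actually picked up the workload switch is visible on the client: once the co-management policy has been applied, the client stores a bit mask that records which workloads are with Intune. The following decoder is an added example and not part of the original article; the registry location (HKLM\SOFTWARE\Microsoft\CCM, value CoManagementFlags) and the bit values are those from Microsoft's co-management monitoring documentation as I know it and should be checked against the documentation for your current branch. The function name is mine.

```powershell
# Added example, not from the original article: decode the CoManagementFlags bit mask
# a co-managed client stores under HKLM\SOFTWARE\Microsoft\CCM. Registry path and bit
# values are assumptions taken from Microsoft's monitoring docs; verify for your version.
function ConvertFrom-CoManagementFlags {
    [CmdletBinding()]
    param(
        # Pass a value to decode offline; omit it (or pass -1) to read the local client's value.
        [Parameter(Position = 0)]
        [int]$Flags = -1
    )

    if ($Flags -lt 0) {
        $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name 'CoManagementFlags' -ErrorAction SilentlyContinue
        if ($null -eq $reg) {
            throw 'CoManagementFlags not found; the client has not received a co-management policy yet.'
        }
        $Flags = [int]$reg.CoManagementFlags
    }

    # Bit 1 means co-management is enabled; every other bit marks a workload moved to Intune.
    $workloads = @{
        2   = 'Compliance policies'
        4   = 'Resource access policies'
        8   = 'Device configuration'
        16  = 'Windows Update policies'
        32  = 'Endpoint Protection'
        64  = 'Client apps'
        128 = 'Office Click-to-Run apps'
    }

    $moved = @()
    $left  = @()
    foreach ($w in ($workloads.GetEnumerator() | Sort-Object Key)) {
        if ($Flags -band $w.Key) { $moved += $w.Value } else { $left += $w.Value }
    }

    [pscustomobject]@{
        Flags             = $Flags
        Enabled           = [bool]($Flags -band 1)
        MovedToIntune     = $moved
        LeftWithConfigMgr = $left
    }
}

# Offline example: 1 + 2 + 32 = co-management enabled, compliance policies and
# Endpoint Protection moved to Intune, everything else still with Configuration Manager.
ConvertFrom-CoManagementFlags 35 | Format-List

# On a pilot device, read the live value instead:
# ConvertFrom-CoManagementFlags | Format-List
```

The decoded lists show, per device, which side of the switch each workload is on. Comparing the value on a pilot device with the value on a device outside the pilot collection is a quick way to confirm that the pilot deployment reached only the intended collection.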

About the Author: Jan Gruber
