Intune Comanagement

Question

Intune Comanagement

Matt Dillon 437

Inherited a on-prem AD and SCCM environment. Added PKI certs and a CMG, and now enabled Cloud Attach. Just finished getting all devices HAADJ and mostly co-managed. All newly imaged devices end up co-managed.

I have moved the Workloads for O365 apps and Windows Updates to Intune. For new devices, I have created a Hybrid AD Join Autopilot that comes pretty close to a fully SCCM imaged device when complete. I am finding that on the Autopiloted devices, once the SCCM client gets auto installed or installed from Company Portal, things get really messy.

Looking for some direction on what should be happening. If I autopilot a device, can it be comanaged? If I flip the workload for Client Apps, will that still allow apps to be installed from Software Center? I was trying to use Collections that were Cloud Synced to AAD groups to control the Windows Patching. I am finding that some of these Autopiloted devices will not properly sync. Its like the object number does not match. If I delete the device from Intune (both in the devices section and the autopilot devices section) after the SCCM client is installed, that is when stuff does not work.

Looking for guidance on what is expected after a hybrid autopilot basically. Is comanagement an option without breaking stuff?

0 comments

Answer accepted by question author

Crystal-MSFT 54,311 Microsoft External Staff

@Matt Dillon , Thanks for posting in Q&A. For your situation, I know you have enrolled device with Autopilot Hybrid Azure AD join and then install Configuration Manager client. Based as I know, it is not a recommend method.

For Autopilot into co-managment, currently, Hybrid Azure AD-joined device is not supported. Here is a link with more details:
https://learn.microsoft.com/en-us/managed-desktop/get-started/autopilot-co-management#before-you-begin

For your situation, if you want some workloads controlled by Configuration Manager but others controlled by Intune, we suggest you only choose co-management method to enroll the device. we can use path1 to configure it.
https://learn.microsoft.com/en-us/mem/configmgr/comanage/quickstart-paths#bkmk_path1

If you want all the workloads controlled by Intune, you can only choose Autopilot Hybrid Azure AD joined method to pre-configure new devices,

Hope it can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Crystal-MSFT 54,311 Reputation points Microsoft External Staff

2022-11-21T06:18:29.927+00:00

@Matt Dillon , Hope things are going well. I am writing to see if there's anything unclear of the above information. If yes, feel free to let us know.
Matt Dillon 437 Reputation points

2022-11-21T14:42:12.64+00:00
Thank you - this link is super helpful. Now I just need to see what the powers that be want - the way I see it, I have two options:

Remove autopiloted devices from the hybrid aad group they join to remove the autopilot profile. Then delete the intune and autopilot device entry, followed by reinstalling the sccm client to make sure the device is then comanaged. This is a messy solution, but I do what i am asked.

Make sure every app that is available in SCCM is available in Intune, turn off the client auto install, and then have these devices supported through intune only.
Crystal-MSFT 54,311 Reputation points Microsoft External Staff

2022-11-22T02:43:41.053+00:00

@Matt Dillon , Thanks for the reply. I am glad our information can help. I think your options are good. If all the applications can be deployed via Intune, Joined to Azure AD and managed by Intune is a good option. However, if some are only on SCCM, we can consider co-management. To deploy app in Intune, there are some types we can choose. Here is a link for your reference:
https://learn.microsoft.com/en-us/mem/intune/apps/apps-add

Thanks for your time and have a nice day!

1 additional answer

Your answer

Crystal-MSFT 54,311 Reputation points Microsoft External Staff

2022-11-21T06:18:29.927+00:00

@Matt Dillon , Hope things are going well. I am writing to see if there's anything unclear of the above information. If yes, feel free to let us know.
Matt Dillon 437 Reputation points

2022-11-21T14:42:12.64+00:00

Thank you - this link is super helpful. Now I just need to see what the powers that be want - the way I see it, I have two options:

Remove autopiloted devices from the hybrid aad group they join to remove the autopilot profile. Then delete the intune and autopilot device entry, followed by reinstalling the sccm client to make sure the device is then comanaged. This is a messy solution, but I do what i am asked.

Make sure every app that is available in SCCM is available in Intune, turn off the client auto install, and then have these devices supported through intune only.
Crystal-MSFT 54,311 Reputation points Microsoft External Staff

2022-11-22T02:43:41.053+00:00

@Matt Dillon , Thanks for the reply. I am glad our information can help. I think your options are good. If all the applications can be deployed via Intune, Joined to Azure AD and managed by Intune is a good option. However, if some are only on SCCM, we can consider co-management. To deploy app in Intune, there are some types we can choose. Here is a link for your reference:
https://learn.microsoft.com/en-us/mem/intune/apps/apps-add

Thanks for your time and have a nice day!

Answer 1

Rahul Jindal 11,631

Co-management is 100% supported through Autopilot. Maybe this is your issue..windows-autopilot-for-pre-provisioned.html

0 comments

Share via

Intune Comanagement

1 additional answer

Your answer