Autopilot into co-management
Microsoft Managed Desktop allows you to configure devices using Autopilot into co-management, where the device is co-managed. The device can be registered as detailed in the device registration overview article and delivered to users. When the device goes through the first run experience, the device joins Azure Active Directory.
The feature is optimal for organizations that already have co-management for Windows devices turned on and want to combine the benefits of Microsoft Intune for all workload management, except for client applications. Client applications can continue to be managed using Configuration Manager.
The following are common scenarios where you may want to use Autopilot into co-management:
- You use Microsoft Intune for all workload management, except client apps, for all devices in your organization.
- All Microsoft Managed Desktop devices in the tenant will be co-managed once this setting is enabled. It’s recommended to configure the co-management settings soon after completing tenant enrollment into Microsoft Managed Desktop, and prior to registering devices for the service. This will ensure that all devices in Microsoft Managed Desktop are in the co-managed state.
- If you already have existing Microsoft Managed Desktop devices, configuring this setting will affect all these existing devices, by installing and enabling the Configuration Manager client, not just new devices running Autopilot. Devices will be in a co-managed state as soon as the co-managed policy is received by the device.
Do not change the co-management policy authority after device provisioning. Because of the timing of the policy synchronization, the behavior of the policy change is non-deterministic. For more information, see How to enroll with Autopilot.
You no longer need to create and assign an Intune app to install the Configuration Manager client. The co-management policy automatically installs the Configuration Manager client as a first-party app during Autopilot Enrollment Status page (ESP) phase of the first run experience.
Before you begin
Autopilot into co-management currently supports:
- Azure Active Directory joined only
- User-driven Autopilot scenarios only
Currently, the following aren't supported:
- Hybrid Azure AD-joined devices
- Autopilot self-deployment mode
- Autopilot pre-provisioning
- Co-management workloads set to Pilot Intune. This functionality is dependent upon collection evaluation, which doesn't happen until after the client is installed and registered. Since the client won't get the correct policy until later in the Autopilot process, it can cause indeterminate behaviors.
For Microsoft Managed Desktop devices, the following settings must be met:
- Configure and assign only one co-management policy.
- Configure the Configuration Manager client installation properties without a task sequence to prevent conflicts with applications that are included in the Microsoft Managed Desktop first run experience. For more information, see How to enroll with Autopilot.
- The co-management policy must be set to use Intune for all workloads. Even when Intune is the device authority for the Client apps workload, a co-managed device can get apps from Configuration Manager and Intune.
- Before setting up the co-management policy, you must meet the prerequisites for Autopilot into co-management.
- Then, you can configure co-management settings.
Step 1: Configure co-management settings
To configure the co-management settings:
- Go to the Microsoft Endpoint Manager admin center.
- Select the Devices menu, select Enroll devices, and then select Windows enrollment.
- Select Co-management settings, and then select Create.
- In the Basics page, specify a name for the policy, and an optional description.
- In the Settings page, select Yes to the Automatically install the Configuration Manager agent setting.
- Specify the client installation command-line parameters. You can copy these parameters from the Enablement tab of the cloud attach properties in the Configuration Manager console. For more information and specific command-line parameters, see Get the command line from Configuration Manager.
- Expand the Advanced settings, for Override co-management policy and use Intune for all workloads option and select Yes. Even when Intune is the authority for the Client apps workload, a co-managed device can still get apps from Configuration Manager. For more information, see Workloads: Client apps and Use the Company Portal app on co-managed devices.
- In the Assignments page, select the Modern Workplace Devices-All group.
- In the Review + create page, review the settings, and create the policy.
To provide a consistent user experience and unified application delivery on all devices, configure co-managed devices to also use the Company Portal. This will also ensure that users receive notifications only from the Company Portal. For more information, see Apps in the Company Portal.
Step 2: Deploy applications in Configuration Manager
To deploy applications in Configuration Manager:
- In the Configuration Manager console, Microsoft Managed Desktop devices are listed as Workgroup clients.
- Add the Domain column in the Devices node to identify Workgroup clients. When using this column to help identify Microsoft Managed Desktop clients, workgroup clients will be included.
- Create a device collection for the Microsoft Managed Desktop devices.
- Deploy the application to the device collection for the Microsoft Managed Desktop devices. For more information, see Create and deploy an application with Configuration Manager.
Step 3: Register your devices
For Microsoft to manage your devices in Microsoft Managed Desktop, you must have devices registered with the service. Follow the registration methods described in device registration overview article.
- For new devices, once registered, deliver the new device to users to complete device enrollment.
- If you reuse an existing device, the device must be wiped and reset. For more information, see device wipe with factory reset.
Once complete, your user can start up the device and proceed through the Windows setup experience.
A co-managed device in Microsoft Managed Desktop can't be a shared device.
A shared device in Microsoft Managed Desktop will be assigned an Autopilot profile that will deploy in the self-deployment mode. Autopilot into co-management supports User-driven mode only.