Applies to: Configuration Manager (current branch)
This article answers your frequently asked questions about co-management. For more information, see What is co-management?.
I want to enable co-management, what's the effect?
When you enable co-management, Configuration Manager is still the management authority for all workloads. So you continue to manage your devices the same way. If you don't switch any workload to Intune, all of the Configuration Manager settings and apps continue to work the same as before you enabled co-management.
Enabling co-management is completely transparent to the end user. There's no reboot, no agent installation, no interruption, and no user notification.
As an administrator, you can see co-managed devices in the Microsoft Endpoint Manager admin center. You can do remote actions from the admin center, and can benefit from insights with Endpoint analytics.
Co-managed devices could be transformed to Autopilot-provisioned devices next time the device is reset.
Consider using the Company Portal. It's the cross-platform app portal experience for Microsoft Endpoint Manager. By configuring co-managed devices to also use the Company Portal, you can provide a consistent user experience on all devices. Your users should get familiar with Company Portal as it will provide the integrated experience going forward. For more information, see Use the Company Portal app on co-managed devices.
Should I use co-management or tenant attach?
Both! You can use them independently, but they work great together.
Co-management enables you to concurrently manage a Windows 10 or later device with both Configuration Manager and Intune. You install the Configuration Manager client and enroll the device to Intune. The device communicates with both services. Configuration Manager policy controls which workloads you switch to Intune as the management authority. You can enable co-management and not use tenant attach to upload devices to the Microsoft Endpoint Manager admin center.
Tenant attach sets up synchronization between your Configuration Manager site and your Intune tenant. Then you can see Configuration Manager devices in the Microsoft Endpoint Manager admin center. This connection provides you with a single view for all devices that you manage with Microsoft Endpoint Manager. This web-based console may be beneficial in some scenarios that don't want to use the full Configuration Manager console, such as with help desk staff. You can also benefit from insights in Endpoint analytics. You can configure the site to upload devices to the Microsoft Endpoint Manager admin center and not enable co-management. However, those devices are still managed by ConfigMgr until you enable co-management.
For more information on tenant attach and how to configure it, see Microsoft Endpoint Manager tenant attach.
Can I co-manage Windows 365 Cloud PCs?
Yes! You can co-manage Windows 365 Cloud PCs.
Is hybrid Azure AD join the only option for co-management?
No. Hybrid Azure AD join and co-management are two different things:
Hybrid Azure AD join is a device identity state where the device is joined to an on-premises Active Directory domain and registered in Azure Active Directory (Azure AD).
Co-management enables you to concurrently manage a Windows 10 or later device with both Configuration Manager and Intune. You install the Configuration Manager client and enroll the device to Intune. The device communicates with both services. Configuration Manager policy controls which workloads you switch to Intune as the management authority. Co-management requires that the device has a cloud identity. This identity can be either hybrid Azure AD join or Azure AD join only.
For an existing Configuration Manager client that's already joined to Active Directory, it needs to be hybrid joined before you enable co-management.
For new devices that are only cloud domain-joined with Azure AD, you can enable co-management right away. There's no requirement for hybrid Azure AD join for new co-managed devices.
For more information, see Use Azure AD for co-management.
Does co-management support Azure AD-joined devices?
Yes. Co-management supports both Azure AD-joined devices and hybrid Azure AD-joined devices. For more information, see Co-management prerequisites.
My environment has too many group policy objects and legacy authenticated apps. Do I have to use hybrid Azure AD?
It depends. Some customers have concerns about Azure AD-joined devices because they need group policies or need Win32 app authentication. More details are needed to understand if it's a real blocker.
For apps, test them on an Azure AD-joined device. Typically only apps that require machine-based authentication won't work, and those aren't common. If the app works on a cloud domain-joined device, then you don't need to hybrid-join your devices because of that app.
For group policies, don't try to translate all of your existing group policy objects (GPOs) to Intune policies. For a cloud-managed device, there are some group policies that don't apply to the scenario. If you don't know why a group policy setting is configured, now is an opportunity to determine if it's still needed. Also make sure that you're not still using settings for an app that you no longer use. This process is an opportunity to optimize the performance and configuration requirements of your cloud-managed devices.
Use Microsoft policy analytics to help you understand if there are critical settings in your GPOs that you need to migrate to Intune. For more information, see Use group policy analytics.
Don't decide to invest in hybrid authentication only to avoid reviewing the settings that you need for your Windows 10 or later devices. Use this opportunity to invest the time now to be in a better position for the future. Also, a healthy and clean device configuration helps with performance and user experience. Don't buy new hardware, install the latest Windows version, and then apply an old configuration.
Does a user need to be signed in for automatic enrollment to happen?
No. A device token is used to enroll the device to Intune. There's no need for a user to sign in to Windows for the setting to apply.
When you set up co-management, enable autoenrollment of devices currently managed by Configuration Manager. If needed, you can scope autoenrollment only for a pilot collection.
Do I need to do anything with the deprecation of the Azure AD Graph API and Azure AD Authentication Library (ADAL)?
Most likely not. For more information, see CMG FAQ.
I've enabled co-management, which workload should I switch first?
Compliance is the workload that most customers switch first. If you switch this workload to Intune, you can still require devices to evaluate settings from Configuration Manager. When you configure a compliance policy in Intune, enable it to require device compliance from Configuration Manager. Then you can use device compliance state to control conditional access to cloud-based resources. This configuration lets you start using the cloud services without changing the compliance checks you already have in Configuration Manager.
After compliance, the most common workloads are Office Click-to-Run apps, Client apps, and Windows Update policies.
When you switch an app workload to Intune, you can still deploy applications from Configuration Manager. This configuration also lets you assign apps in Intune. The experience is completely integrated as the new Company Portal shows both Configuration Manager and Intune apps. For more information, see Use the Company Portal app on co-managed devices.
For software updates, many customers aren't micromanaging them in Configuration Manager any more, but using Windows Updates for Business. Given that Windows updates live in the cloud, instead of syncing them down to the on-premises network and then distributing them out to clients on the internet again, the modern approach is to manage this workload entirely in the cloud.
For more information, see Co-management workloads.
Can I use Windows Autopilot with co-management?
Yes. One of the two paths to co-management is to bootstrap with modern provisioning. For a new or repurposed device, Autopilot joins it to Azure AD and enrolls it to Intune. Intune can then deploy the Configuration Manager client and enable co-management.
For more information, see How to prepare internet-based devices for co-management.
You can't deploy the Configuration Manager client while provisioning a new computer in Windows Autopilot user-driven mode for hybrid Azure AD join. This limitation is due to the identity change of the device during the Azure AD-join process. Deploy the Configuration Manager client after the Autopilot process. For alternative options to install the client, see Client installation methods in Configuration Manager.
How do I manage updates for Windows and Microsoft 365 apps?
You can manage updates for Windows and Microsoft 365 apps with either Configuration Manager or Intune. Configuration Manager provides a very detailed and controlled process for managing these updates and their content, which is important to some customers. A modern approach is to just keep devices up to date, but still control the timing and user experiences.
If you switch the Windows Update policies workload to Intune, then it becomes the management authority for Windows quality and feature updates. Use Intune to configure settings for update rings and feature update settings. For more information, see Manage Windows software updates in Intune.
If you switch the Office Click-to-Run apps workload to Intune, then it becomes the management authority for Microsoft 365 apps and updates. When you create a new Microsoft 365 suite deployment, choose the update channel for your clients will be at. For more information, see the following articles:
With co-management, can I use compliance policies in Intune and compliance settings in Configuration Manager to assess overall device compliance?
Yes. Once you have your environment co-managed, and switch the compliance workload to Intune, you can use your existing Configuration Manager compliance settings and integrate them with conditional access. For more information, see the following articles:
Work from anywhere
What are my options to manage VPN bandwidth for devices of users that are working from home?
See the following blog posts, which go into detail on how to use a cloud management gateway (CMG) and how to set it up with a split-tunnel VPN to provide the best experience and alleviate VPN traffic:
Does co-management require a cloud management gateway (CMG)?
No. CMG is a Configuration Manager feature for device connectivity. You should use a CMG if you have Configuration Manager clients on the internet, if they're co-managed or not. A co-managed client in an environment with no CMG would have to rely on VPN connectivity when it roams outside of the on-premises network.
The scenario to provision Azure AD-joined co-managed devices does require a CMG. It allows an interned-based device to install the Configuration Manager client after the Autopilot process.
For more information, see the following articles:
Do I need to distribute software updates to a content-enabled CMG for remote clients to install them?
No. Windows updates are already available on the internet, so you don't need to distribute them to your CMG.
In past versions, Configuration Manager blocked update packages to cloud-based content sources. This constraint was removed so you can distribute third-party software updates. Don't distribute to the CMG any updates that are available from Microsoft Updates.
Configuration Manager clients have native affinity when using a CMG to get updates directly from the Microsoft Updates cloud service. For more information on how CMG works with Microsoft Updates service and configuration guidance, see the blog post on Managing remote machines with cloud management gateway in Microsoft Endpoint Configuration Manager.