Set Up Co-management in Intune and SCCM

Steps

  • Scenarios for Setting Up Intune Co-management with SCCM
  • Set Up Hybrid Join for the Existing Devices in Active Directory and SCCM
  • Configure Co-management in SCCM
  • Set Up Default Client Settings in SCCM Console Manager for Devices to Be Automatically Registered in Entra ID
  • Configure Auto Enrollment in Intune
  • Configure Co-management in Intune
  • Create Assigned Security Groups in Intune

Scenarios For Setting Up Intune Comanagement with SCCM

  • If you want to use Intune features on your existing devices without a lot of manual work on the IT side and with little or no impact on end users, who will not notice any major difference.
  • If you want to continue using SCCM features in your environment for a longer period of time.
  • If you want to continue using Active Directory features, including GPOs, for a longer period of time.
  • If you want to keep your third-party antivirus and firewall products instead of managing Microsoft Defender for Endpoint through Intune.

Set Up Hybrid Join for the Existing Devices in Active Directory and SCCM

  • Log in to a domain controller as a Domain Administrator and open Active Directory Users and Computers from Server Manager.
  • Create an Organizational Unit (OU) named Intune Pilot Comanagement at the desired location in your domain tree. Computers moved into this OU will be picked up by an SCCM device collection, and that collection is what gets uploaded to Intune.
  • Once the OU exists, use Microsoft Entra Connect (formerly Azure AD Connect) on a designated server to include the OU in the sync scope so that its computer objects are synced to Microsoft Entra ID. Syncing the computer object is one half of hybrid join; the device itself must also complete device registration, which the SCCM client setting described later in this guide triggers. If you do not have an existing Microsoft Entra Connect server, you need to set one up first.
  • On the SCCM server, open the SCCM console and create a device collection called Intune Pilot Comanagement with a query membership rule such as the following (adjust the OU path to your own domain; it must match the path exactly as Active Directory System Discovery records it, and the quotes must be straight double quotes, not the curly quotes a web page may show):

        select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
               SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
        from SMS_R_System
        where SMS_R_System.SystemOUName = "Skoanow.local/SkoanowOU/Computers/Win10-11Devices/Intune Pilot Comanagement"

    The SystemOUName attribute is populated by Active Directory System Discovery, so that discovery method must be enabled and must have run against the OU, and the collection only re-evaluates on its update schedule (enable incremental updates to keep the lag short). Once that is in place, any device placed in the Intune Pilot Comanagement OU in Active Directory is automatically added to the Intune Pilot Comanagement device collection in SCCM.
  • If you prefer not to use a query, you can add devices to the collection manually with direct membership rules, but that becomes tedious for the administrator as the number of devices grows.
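The same collection can be created from the Configuration Manager PowerShell module that ships with the console, which is handy when you want the pilot collection, its query rule and its update schedule to be reproducible. This is an added example, not code from the original article; the site code PS1, the SMS Provider host SCCM01.skoanow.local and the rule name Pilot OU are assumptions you will need to change, and the OU path is the author's.

```powershell
# Added example: create the Intune Pilot Comanagement device collection with an OU-based
# query rule, using the ConfigurationManager module installed with the console.
# Assumed values (change for your site): site code PS1, SMS Provider on SCCM01.skoanow.local.
param(
    [string]$SiteCode       = 'PS1',
    [string]$ProviderHost   = 'SCCM01.skoanow.local',
    [string]$CollectionName = 'Intune Pilot Comanagement',
    [string]$OuPath         = 'Skoanow.local/SkoanowOU/Computers/Win10-11Devices/Intune Pilot Comanagement'
)

# The module sits one level above the console binaries that SMS_ADMIN_UI_PATH points to.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
if (-not (Get-PSDrive -Name $SiteCode -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $ProviderHost | Out-Null
}
Push-Location "$($SiteCode):"
try {
    # WQL needs straight double quotes around the OU path; SystemOUName is filled in by
    # Active Directory System Discovery, so the rule returns nothing until that has run.
    $wql = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.SystemOUName = "$OuPath"
"@

    $collection = Get-CMDeviceCollection -Name $CollectionName
    if (-not $collection) {
        # Incremental updates plus a daily full evaluation keep the OU-to-collection lag short.
        $schedule   = New-CMSchedule -RecurInterval Days -RecurCount 1
        $collection = New-CMDeviceCollection -Name $CollectionName `
                        -LimitingCollectionName 'All Systems' `
                        -RefreshType Both -RefreshSchedule $schedule `
                        -Comment 'Pilot devices for Intune co-management (populated from the AD OU)'
    }

    # Only add the query rule once; re-running the script must not duplicate it.
    if (-not (Get-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName -RuleName 'Pilot OU')) {
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
            -RuleName 'Pilot OU' -QueryExpression $wql
    }

    # Evaluate now and list the members. An empty list usually means AD System Discovery
    # has not yet picked up the OU, or the path string does not match what it recorded.
    Invoke-CMCollectionUpdate -Name $CollectionName
    Get-CMDevice -CollectionName $CollectionName | Select-Object Name, ClientVersion, LastLogonUser
}
finally {
    Pop-Location
}
```

Run it from a console-installed machine as an account with rights to create collections. Because the collection is limited to All Systems and populated only by the OU query, moving a computer out of the OU also removes it from the pilot on the next evaluation, which is the behaviour you want while piloting.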

Configure Co-management in SCCM

  • Log in to the SCCM server with the account that was used to set up the primary site server. Even with Full Control rights, a different account may not be able to reach all of the Cloud Attach and Cloud Services features, so using the installing account makes navigating and configuring comanagement in SCCM easier. That account is usually a service account managed by the SCCM administrator for exactly this kind of scenario; keeping it as a documented service account rather than a personal one also avoids a bottleneck if the SCCM administrator leaves the organization.

Set Up Cloud Attach for Comanagement

  • Open the SCCM Console Manager and click on the Administration tab.
  • Within the Administration page, click on arrow next to Overview to expose all the drop downs and to navigate to Cloud Services.
  • Click on the arrow next to Cloud Services to expose Cloud Attach in the dropdown. 
  • Right-click on Cloud Attach and click on Configure Cloud Attach to open the Co-management Configuration Wizard. 
  • On the Tenant Onboarding page, select Azure Public Cloud for Azure Environment; the other options are Azure Government cloud and Azure China cloud. Click Sign In and sign in with Global Administrator credentials for the tenant; they are needed here, at onboarding, to create the application and grant its permissions, and the application afterwards authenticates with its own secret. A popup will indicate that an Enterprise Application will be created in Microsoft Entra ID. Click Next to go to the Configure Upload page.
  • On the Configure Upload page, check-mark Upload to Microsoft Endpoint Manager admin center
  • Under the Devices section, choose either Upload all devices managed by Microsoft Configuration Manager (recommended) or Upload specific collection. The first option uploads every device in SCCM and syncs them with Intune; select it when you want all SCCM devices to be eligible for comanagement. It also creates the CoMgmtSettingsProd package in SCCM and deploys it to the All Systems device collection. For a pilot, or to move devices to comanagement gradually, select Upload specific collection and pick your device collection, in my case Intune Pilot Comanagement; this creates the CoMgmtSettingsPilot package instead and deploys it only to that pilot collection.
  • Under the Endpoint Analytics section, check-mark Enable Endpoint Analytics for devices uploaded to Microsoft Endpoint Manager.  
  • Under the Role-based Access Control section, check-mark Enforce Configuration Manager RBAC for cloud console requests that interact with Configuration Manager.
  • Under the Microsoft Defender for Endpoint section, check-mark Enable uploading of Microsoft Defender for Endpoint data for reporting on devices uploaded to Microsoft Endpoint Manager and click Next to go to the Enablement page.
  • On the Enablement page, for Automatic Enrollment in Intune select All or Pilot. Selecting the All option will enable comanagement and enroll all devices in SCCM in Intune comanagement. Selecting Pilot option will allow you to select the Intune Pilot Comanagement device collection in the Intune Autoenrollment section and so only devices in that collection will be comanaged. Click Next to go to the Workloads page.
  • On the Workloads page, each workload has a slider with three positions: Configuration Manager on the far left, Pilot Intune in the middle and Intune on the far right. Move Compliance Policies, Device Configuration, Endpoint Protection, Resource Access Policies, Client Apps, Office Click-to-Run Apps and Windows Update Policies to Pilot Intune, so that only devices in the staging collection are affected. Click Next to go to the Staging page.
  • On the Staging page, select the Intune Pilot Comanagement device collection for Compliance Policies, Device Configuration, Endpoint Protection, Resource Access Policies, Client Apps, Office Click-to-Run Apps and Windows Update Policies. After making all the changes, click Apply and then OK. Corresponding packages are created and deployed to the collection you selected, in my case the Intune Pilot Comanagement device collection: CoMgmtSettingsPilotCP (Compliance Policies), CoMgmtSettingsPilotDC (Device Configuration), CoMgmtSettingsPilotEP (Endpoint Protection), CoMgmtSettingsPilotRAP (Resource Access Policies), CoMgmtSettingsPilotCApps (Client Apps), CoMgmtSettingsPilotO365 (Office Click-to-Run Apps) and CoMgmtSettingsPilotWUP (Windows Update Policies).
  • If you chose to apply comanagement to all devices in SCCM, the packages carry the CoMgmtSettingsProd prefix instead of CoMgmtSettingsPilot and are deployed to the All Systems device collection.

Set Up Azure Services Application

  • Back in the SCCM Console Manager, within the Cloud Services dropdown, click on Azure Services. You should see a component associated with the Cloud Attach service with a name such as ConfigMgrSvc_XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.
  • Create a second Azure service so that SCCM can discover and sync Entra ID users and groups; this makes them visible in the SCCM console.
  • Right-click Azure Services and click Configure Azure Services.
  • Under Server Apps, click Create, provide a name such as Azure Cloud Users and Group Management, and sign in with Global Administrator credentials to connect the server app to the tenant.
  • Once the server app has been created, click OK and then Next to go to the Discovery page.
  • On the Discovery page, check Enable Azure Active Directory User Discovery and Enable Azure Active Directory Group Discovery, then click Next to go to the Collection Synchronization page.
  • On the Collection Synchronization page, check Enable Azure Active Directory Group Sync, then click Apply and OK to complete the setup. Afterwards you can check the sync status of the Azure Active Directory Group Discovery and Azure Active Directory User Discovery agents at the bottom of the page.
  • Note that configuring Cloud Attach automatically creates the ConfigMgrSvc_XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX application, and configuring the Azure service (in my case Azure Cloud Users and Group Management) creates an application of the same name. Both have corresponding app registrations and enterprise applications in Microsoft Entra ID, and each authenticates with a client secret that expires after one year by default. Set calendar reminders ahead of the expiry dates: once a secret expires, the services that depend on it (device upload, user and group discovery, group sync) stop working until a new secret has been created in Entra ID and then entered in the SCCM console (Azure Active Directory Tenants, select the tenant, then Renew Secret Key on the application).
  • To view the secret expiry dates in the SCCM console, under Cloud Services click Azure Active Directory Tenants, then click the tenant name to see the applications and their secret key expiration dates at the bottom of the page.
  • To create new secret keys when they expire, navigate to App Registration in Microsoft Entra ID and click on Cl
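Calendar reminders work until someone forgets to move them when a secret is renewed. The script below is an added example, not part of the original article: it asks Microsoft Graph for the app registrations Configuration Manager relies on and reports how long each client secret has left, so it can run on a schedule and fail loudly. It assumes the Microsoft.Graph.Applications module is installed and that the signed-in account can consent to Application.Read.All; the 60-day threshold and the server app name Azure Cloud Users and Group Management are this example's choices.

```powershell
# Added example: report the client secrets behind the ConfigMgrSvc_* app registrations
# created by Cloud Attach, plus the server app named during Azure Services setup, and
# flag any that are expired or expiring within the threshold.
# Assumptions: Microsoft.Graph.Applications module present; Application.Read.All consent;
# the extra app name below is the author's example name and should match yours.
param(
    [int]$WarnDays = 60,
    [string[]]$ExtraAppNames = @('Azure Cloud Users and Group Management')
)

Import-Module Microsoft.Graph.Applications -ErrorAction Stop
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Graph supports startswith() on displayName; the named server apps are matched exactly.
$apps = @(Get-MgApplication -All -Filter "startswith(displayName,'ConfigMgrSvc_')" `
              -Property Id, AppId, DisplayName, PasswordCredentials)
foreach ($name in $ExtraAppNames) {
    $apps += @(Get-MgApplication -Filter "displayName eq '$name'" `
                   -Property Id, AppId, DisplayName, PasswordCredentials)
}

$now = [DateTime]::UtcNow
$report = foreach ($app in $apps) {
    if (-not $app.PasswordCredentials) {
        # No secret at all: the console-side Azure service cannot authenticate.
        [pscustomobject]@{ App = $app.DisplayName; AppId = $app.AppId; SecretHint = '-'
                           Expires = $null; DaysLeft = $null; State = 'NO SECRET' }
        continue
    }
    foreach ($secret in $app.PasswordCredentials) {
        $end = $secret.EndDateTime
        if ($null -eq $end) { continue }
        $daysLeft = [math]::Floor(($end.ToUniversalTime() - $now).TotalDays)
        [pscustomobject]@{
            App        = $app.DisplayName
            AppId      = $app.AppId
            SecretHint = $secret.Hint      # first characters only; Graph never returns the value
            Expires    = $end
            DaysLeft   = $daysLeft
            State      = if ($daysLeft -lt 0) { 'EXPIRED' }
                         elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                         else { 'OK' }
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# Non-zero exit code so a scheduled task or pipeline can alert on it.
if ($report | Where-Object State -ne 'OK') { exit 1 }
```

Renewing is a two-step job: create the new secret on the app registration in Entra ID, then enter it in the SCCM console under Azure Active Directory Tenants with Renew Secret Key. Doing only the first step leaves the console-side services broken even though the portal shows a valid secret.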

Set Up Default Client Settings in SCCM Console Manager for Devices to Be Automatically Registered in Entra ID

  • In the SCCM console, click the Administration tab and then click the arrow next to Overview to expose all the dropdowns.
  • Click Client Settings, right-click Default Client Settings and click Properties.
  • In Default Settings, click Cloud Services and set Automatically register new Windows 10 or later domain joined devices with Azure Active Directory to Yes.
  • With this setting the SCCM client triggers device registration on domain-joined clients so that they become hybrid joined in Microsoft Entra ID. Registration still depends on the computer object having been synced by Microsoft Entra Connect, which is why the OU was added to the sync scope earlier; on a client, dsregcmd /status shows DomainJoined and AzureAdJoined both as YES once it has completed.

Configure Automatic Enrollment in Intune

  • Navigate to the Microsoft Intune portal, click on Devices>>>Windows>>>Windows Enrollment>>>Automatic Enrollment.
  • On the Automatic Enrollment page, set MDM user scope to All (or to a group that contains the users who sign in to the pilot devices; the scope must include those users), keep the default MDM terms of use URL (https://portal.manage.microsoft.com/TermsofUse.aspx), MDM discovery URL (https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc) and MDM compliance URL (https://portal.manage.microsoft.com/?portalAction=Compliance), and set Windows Information Protection (WIP) user scope to None. Leave the remaining WIP settings (WIP terms of use URL, WIP discovery URL and WIP compliance URL) at their defaults.

Configure Co-management in Intune

  • Navigate to the Microsoft Intune portal, click on Devices>>>Windows>>>Windows Enrollment>>>click on Co-management Settings to open the Co-management Authority page and click on Create.
  • Name (Intune Co-Management with SCCM); Description (Intune Comanagement configuration with SCCM), click Next.
  • On the Settings page, for Automatically install Configuration Manager agent (No); Client installation command line arguments (Empty); Override co-management policy and use Intune for all workloads (No) and click Next.
  • On the Assignment page, link the configuration to a device security group created for comanaged devices and then click Next. 
  • Click Create to create the Co-management authority policy. 
  • If the SCCM client is already installed on the comanaged devices, the settings above are sufficient. If it is not, set Automatically install Configuration Manager agent to Yes and paste the ccmsetup command line into Client installation command line arguments; the Enablement tab of the Cloud Attach properties in the SCCM console provides a copy of that command line for your site.
  • Alternatively, obtain the SCCM client installer (ccmsetup.msi) from the SCCM server and package it in Intune as an application, with the same command line used for installation.
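Once both sides are configured, the quickest way to tell whether a pilot device actually ended up where this guide intends is to check it locally. The script below is an added example rather than code from the original article. It assumes the field names dsregcmd.exe prints (DomainJoined, AzureAdJoined, MdmUrl), the CoManagementFlags registry value under HKLM\SOFTWARE\Microsoft\CCM, and the workload bit meanings listed in it; those bit meanings are the commonly documented ones but should be confirmed against Microsoft's co-management monitoring documentation for your client version. Run it elevated on the device.

```powershell
# Added example: verify a pilot device is hybrid joined, MDM enrolled in Intune, and
# that the Configuration Manager client reports co-management with the piloted workloads.
# Assumptions: dsregcmd field names, the CoManagementFlags registry value, and the
# workload bit map below (verify against Microsoft's docs for your client version).
function Get-DsRegStatus {
    # dsregcmd prints "Name : Value" rows; collect them into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

function Get-CoManagementWorkloads {
    param([int]$Flags)
    # Assumed bit map: value 1 means co-management is enabled, the rest are workloads
    # that have been moved to Intune (Pilot Intune or Intune).
    $map = [ordered]@{
        2   = 'Compliance Policies'
        4   = 'Resource Access Policies'
        8   = 'Device Configuration'
        16  = 'Windows Update Policies'
        32  = 'Endpoint Protection'
        64  = 'Client Apps'
        128 = 'Office Click-to-Run Apps'
    }
    $known  = 1
    $result = @(foreach ($bit in $map.Keys) {
        $known = $known -bor $bit
        if ($Flags -band $bit) { $map[$bit] }
    })
    # Surface any bits this map does not know about instead of silently ignoring them.
    $unknown = $Flags -band (-bnot $known)
    if ($unknown) { $result += ('Unrecognised bits: 0x{0:X}' -f $unknown) }
    return $result
}

$ds     = Get-DsRegStatus
$checks = [ordered]@{
    'Domain joined'             = $ds['DomainJoined'] -eq 'YES'
    'Entra ID (hybrid) joined'  = $ds['AzureAdJoined'] -eq 'YES'
    'MDM URL points at Intune'  = $ds['MdmUrl'] -like 'https://enrollment.manage.microsoft.com/*'
}

$flags = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags `
              -ErrorAction SilentlyContinue).CoManagementFlags
$checks['ConfigMgr client present'] = Test-Path 'HKLM:\SOFTWARE\Microsoft\CCM'
$checks['Co-management flag set']   = ($flags -band 1) -eq 1

foreach ($c in $checks.GetEnumerator()) {
    '{0,-28} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
}

if ($flags) {
    "CoManagementFlags = $flags; workloads handled by Intune on this device:"
    Get-CoManagementWorkloads -Flags $flags | ForEach-Object { "  - $_" }
}

# The client logs its enrollment attempts here; MDM user scope or licensing problems
# for the signed-in user show up in this log before anything appears in the Intune portal.
$log = "$env:windir\CCM\Logs\CoManagementHandler.log"
if (Test-Path $log) { "`nLast lines of CoManagementHandler.log:"; Get-Content $log -Tail 8 }
```

A device that passes the join checks but shows CoManagementFlags missing or equal to 0 has usually not yet received the CoMgmtSettingsPilot policy, so check that it is a member of the pilot collection and trigger a machine policy retrieval before looking elsewhere.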

Create Assigned Security Groups in Intune

  • Within the Microsoft Intune portal, click on Groups and click on the New Group button.
  • Group Type (Security); Group Name (Intune Comanaged Devices – IT); Group Description (Contains comanaged devices for the IT department); Microsoft Entra roles can be assigned to the group (No); Membership Type (Assigned) and then click Create to produce the Security group. 
  • You can create one security group for all the comanaged devices or you can create one for example for each department such as HR, IT, Finance, and others.