If you have an existing on-premises Active Directory (AD) infrastructure with domain-joined Windows 10 devices managed by SCCM, and are currently licensed for Azure AD (utilizing Azure AD Connect user synchronization to your tenant) and Microsoft Intune, then enabling co-management with Intune will provide additional security benefits. The extended management capabilities and cloud benefits will allow you to take advantage of features such as:
- Conditional Access Policies
- Extending your helpdesk reach with Intune remote actions
- Device provisioning simplified by AutoPilot profiles
The process for enabling co-management with Intune can become complex depending on your organization’s environment, so I compiled some helpful steps to help get you started.
Make sure your SCCM is up-to-date
Co-management can be enabled in SCCM version 1906, but to get the latest benefits it is recommended to upgrade to the latest version 2006 branch. Version 2006 is an in-console update for versions 1810 and later. Always review the current upgrade checklist to verify that your current SCCM infrastructure can handle the upgrade and continue to meet or exceed the recommended site and site system prerequisites. Also, as a best practice, complete the post-upgrade checks after any update. The checklists for version 2006 can be found here.
Prepare your pilot collections
Prepare your pilot collections by upgrading any Windows 10 devices to 1709 or later. Start your pilot collections small with limited testing machines. Pilot collections can be created by utilizing creation of custom collection for specific devices. You can always add to these collections later. Utilizing a Collection Query Rule to link an AD Organizational Unit (OU) will simplify management when configuring AAD Connect later. You can learn more about creating custom collections here.
Configuring your Intune can be completed by following these steps:
- Verify your users have Intune licenses assigned
- Verify that users have rights to join devices to Azure AD
- Set your MDM authority to Intune
- Configure Intune Auto-Enrollment
- Create a Service Connection Point (SCP)
- Create a Group Policy Object (GPO)
- Link GPO to test/pilot collection OU
Additional documentation can be found here.
Configure Azure AD Connect for hybrid join
Verify that your Azure AD Connect is running version 1.1.819.0 or later. Again, you want to start slow using an AD OU that only contains your test pilot collection devices. You will need your SCP information that you completed previously for this step. Additional documentation about configuring hybrid Azure AD can be found here.
With the above steps completed you are now ready to configure SCCM for co-management for your pilot collection (Intune Auto Enrollment).
Next, create your Intune device compliance policy and device configuration profiles, and slowly start switching and testing your workloads to “Pilot Intune” and your staging to pilot collections. See how here.
It is easy to use SCCM with Co-Management enabled. Pilot collections never expire, and you can add and remove devices from your pilot collection at anytime. Workloads can be switched to PilotIntune back to Configuration Manager. You can test Intune device compliance policies and device configuration profiles while not making full Infrastructure modifications to your SCCM production workloads.
Once you implement the initial steps you can phase in full SCCM co-management for your organization on any time frame that meets your schedule and organizational needs.