**DISCLOSURE: While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.
For years, organization have relied on on-premises solutions such as MECM – Microsoft Endpoint Configuration Manager (Previously System Center Configuration Manager, Previously Systems Management Server) to manage their client devices. It has always worked well, but it has also always relied on connectivity to the corporate network to work.
As our workforces are more and more remote – this was the trend even before the Coronapocalypse – we have needed to look for a better solution. Yes, remote machines can still connect to the network using a virtual private network (VPN), and a Cloud Management Gateway (CMG) will provide remote device management even when users are outside the corporate network. These solutions are bandwidth-intensive, but they are ways to allow us to extend the life of a technology that we have gotten comfortable with over the years.
I have been saying for a decade that Microsoft Intune (now part of Microsoft Endpoint Management) is SCCM in the cloud. If you don’t believe me, check out this CIAOPS podcast from 2013. Of course, at the time I felt that Intune would be a better solution for small and mid-sized clients, and that SCCM would continue to dominate the Enterprise space. Now that Intune has matured to where we are, that is no longer my opinion, and we are going to see more and more enterprise customers migrating to the cloud management solution that is MEM and Intune.
Of course, you likely are not going to want to rip and replace your entire management suite in one go. This will take time and testing. The interim phase between MECM and MEM is, not surprisingly, a marriage of the two. Co-management allows you to control manage of your workloads from MECM, and others from MEM. It can be a gradual process, with piloting programs for each workload, including:
- Compliance Policies
- Device Configuration
- Endpoint Protection
- Resource access policies
- Client apps
- Office Click-to-Run apps
- Windows Update policies
So how do we configure Co-management? Easy. Let’s go through it here.
1) In your Configuration Management console, navigate to the 1) Administration context (bottom-left corner). In the navigation pane, expand 2) Cloud Services.
2) Click on 3) Co-management. In the upper-left corner of the console, click 4) Configure co-Management.
3) In the Co-management Configuration Wizard window, on the Tenant onboarding screen select which Azure environment you will use. Unless you work for the US Government, the answer in always AzurePublic Cloud. Click the Sign In button underneath, and enter your credentials. Click Next. (You might get a notice that This action will register an application in the AAD tenant <name> to authorize the synchronization of data to Intune. Click Yes.
4) On the Configure upload screen, select whether to add all of your managed devices, or only a selected collection to MEM. You can also enable Endpoint Analytics, if you wan to gather usage metrics for upgrade issues. Click Next.
5) In the Enablement screen, you can select which devices to automatically enroll into Intune. Your options are All, None, or Pilot. In the case of Pilot, you can select which collections to add from your list. Click Next.
6) In the Workloads screen, you can select using a toggle bar which workloads will be managed by Configuration Manager, by Intune, or on an Intune Pilot program. Select your options and then click Next.
7) If you selected Pilot Intune for any of your workloads, on the Staging screen you have to select the collections that will be piloted. Do that, and then click Next.
8) On the Summary screen, confirm that the details are correct, and then click Next.
After a few minutes, the Completion screen should show a green checkmark, stating The Co-management Configuration Wizard completed successfully. Click Close.
At this point, you are done. You will see in the main window of your Config Manager console the CoMgmtSettingsProd is configured. That item is context-sensitive, and you can right-click to either view the Xml definition, refresh, delete, or (most importantly) view and/or modify the properties.
Take note! If you click Properties, it will take several seconds for anything to happen… and much longer if you are working on a remote machine with the console installed.
As you move from Config Manager managed to Intune pilot to Intune management, you will make the changes in the Workloads tab of the Properties window. You can move the selector bar between each option.
You can also switch your automatic enrollment in Intune in the Enablement tab, and change the collections in the Staging tab.
Config Manager has been with us for so many years, and there are people who will be sad to see it go. There will also be those opposed to it, and this will be for a number of reasons (not the least of which is that most organizations have someone who manages ConfigMgr, and has been doing so for years, and might be opposed to change… or afraid to lose control of his bailiwick, which might result in the loss of job security or comfort. Yes, there are other reasons people might be opposed to this move… but there were also people who took exception to every advancement in the workplace. Cloud management is the future; your ConfigMgr admins should see this as an opportunity to grow and to learn MEM. Otherwise they are right… their job security will be lost.