Setting up Co-management MECM (SCCM) *Part 1*

A lot of company’s are still managing there devices on premise with domain joined devices and with MECM (SCCM). But with the pandemic most employees are working at home on there personal device or on a domain joined mobile device. Managing the domain joined devices that are being used at home is quite challenging. Off course you can deploy your applications and windows update with MECM and an active vpn connection.
But still how often do employees connect with the vpn application? If they don’t the device will become unsecure because of missing windows updates and missing application updates. You want these kind of devices to be updated and managed even without an active vpn connection. To be able to do this we can setup co-management in MECM. In this post I will show you how to setup co-management in MECM 2006.

What do you need

  • Azure Active Directory Premium
  • An Azure Account that is global admin and has got a Microsoft Intune subscription

An Enterprise Mobility + Security (EMS) Subscription includes both Azure Active Directory Premium and Microsoft Intune. EMS Subscription (free trial).

  • Configure a hybrid Azure AD join using Azure AD Connect
  • Configure Client Settings to direct clients to register with Azure AD
  • Configure auto-enrollment of devices to Intune
  • Setting up Co-management in MECM

Configure a hybrid Azure AD join using Azure AD Connect

Installing Azure AD Connect

If you haven’t installed and configured Azure AD connect you can follow the steps below. If you have you can go to the Configure hybrid Azure AD join section of this post.

Before installing AD Connect check the prereqs Azure AD Connect: Prerequisites and hardware | Microsoft Docs

To download Azure AD connect go to Download Microsoft Azure Active Directory Connect from Official Microsoft Download Center.

We will be installing AD Connect with the express settings.

Sign in as a local admin to the server you want to install Azure AD Connect and double-click AzureADConnect.msi

On the welcome screen select the box agreeing to the licensing terms and click Continue.

On the Express settings screen, click Use express settings.

On the Connect to Azure AD screen, enter the username and password of a global administrator for your Azure AD. Click Next.

On the Connect to AD DS screen, enter the username and password for an enterprise admin account. Click Next.

The Azure AD sign-in configuration page only shows if you did not complete verify your domains in the prerequisites.

On the Ready to configure screen, click Install

When the installation completes, click Exit.

You can now check if AD accounts have been synced to the Azure AD.

Configure hybrid Azure AD join

Start Azure AD Connect, and then select Configure.

In Additional tasks, select Configure device options, and then select Next.

In Overview, select Next.

In Connect to Azure AD, enter the credentials of a global administrator for your Azure AD tenant and select Next.

In Device options, select Configure Hybrid Azure AD join, and then select Next.

In Device operating systems, select the operating systems that devices in your Active Directory environment use, then select Next.

In SCP configuration, for each forest where you want Azure AD Connect to configure the SCP, complete the following steps, and then select Next.

  1. Select the Forest.
  2. Select an Authentication Service.
  3. Select Add to enter the enterprise administrator credentials.

In Ready to configure, select Configure.

In Configuration complete, select Exit.

Configure Client Settings to direct clients to register with Azure AD

Use Client Settings to configure Configuration Manager clients to automatically register with Azure AD

Open the Configuration Manager console and go to: \Administration\Overview\Client Settings

Edit the default Client settings and select Cloud Services,  set Automatically register new Windows 10 domain joined devices with Azure Active Directory to = Yes. Select OK.

You can check if the device has correctly loaded the latest Client Settings:

Open your Console and go to: \Assets and Compliance\Overview\Devices

Select the device you want to check and select Client Setting/Resultant Client Settings in the ribbon.

Go to Cloud Services and check if the setting is set correct:

Configure auto-enrollment of devices to Intune

With automatic enrollment, devices you manage with Configuration Manager automatically enroll with Intune.

Automatic enrollment also lets users enroll their Windows 10 devices to Intune. Devices enroll when a user adds their work account to their personally owned device, or when a corporate-owned device is joined to Azure Active Directory.

Sign in to the Azure portal and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.

Configure MDM user scope. Specify one of the following to configure which users devices are managed by Microsoft Intune and accept the defaults for the URL values.

  • Some: Select the Groups that can automatically enroll their Windows 10 devices
  • All: All users can automatically enroll their Windows 10 devices
  • None: Disable MDM automatic enrollment

    We will select All.

Select Save to complete configuration of automatic enrollment.

Return to Mobility (MDM and MAM) and then select Microsoft Intune Enrollment.

For MDM user scope, select All, and then Save.

Setting up Co-management in MECM

Open your MECM console and go to: \Administration\Overview\Cloud Services\Co-management and click on Configure co-management.

Click Sign In.

Sign in with the Intune organizational account (this account has got to have a Enterprise Mobility + Security (EMS) Subscription). It also must have Global Administrator Rights in Azure AD tenant.

Go to the What do we need section of this post and set up a free trial if needed.

I will be signing in with the account that is Intune admin and has got the free E5 subscription.

Enter your password and click Sign in.

The sign In button will be grayed out after signing in, click Next >

Click Yes to accept the Create AAD Application notification.

Select All my devices managed by MECM (recommended) or select a specific collection. And check Enable Endpoint Analytics for devices uploaded to MECM. Click Next >.

Now select how you want to automatic enroll your devices in Intune:

  1. None of your devices.
  2. Pilot a collection of devices, lets say you only want to enroll notebooks or only devices with Windows 10.
  3. All of the devices that are managed by MECM.

I will select All, because my lab environment only has got 2 devices in it. Click Next >.

Now lets select what workloads we want Intune to manage instead of MECM. Slide al of the workloads to the Pilot Intune, so we can assign each workload to different collections. In this case you can move a workload to Intune just by adding the device to a Workload collection. (If you don’t want a pilot intune but all your devices enrolled in co-management to be moved to a workload managed by Intune just slide it to Intune.) Click Next >.

Lets create the Workload Pilot Intune collections. I am creating the collections in a folder called Pilot Intune. If you want to know more about my Console structure, please read my post create structure to your MECM console.

Now we can set the pilot collections to the different workloads. Click Next >.

Click Next >

The Co-management Configuration Wizard completed successfully. Click Close.

If you go to: \Administration\Overview\Cloud Services\Azure Active Directory Tenants. You will see your Tenant is now attached.

You can check the log: CMGatewaySyncUploadWorker.log

Add Device to Pilot collection to enable Intune workloads

Now we can add our device to the created pilot collections. Lets say we want to enable Co-management on a device but only with the Endpoint protection managed by Intune. We can now add this device to the collection: DC-PI-Endpoint Protection.

Right click on the collection and select Add Resources.

Add your device and select OK.

Refresh the collection and check if the member count changes.


Before you switch any workloads, make sure you properly configure and deploy the corresponding workload in Intune. Make sure that workloads are always managed by one of the management tools for your devices.

In part 2 of this post I will show how you can configure and deploy the corresponsing workloads in Intune and how you can monitor Co-management.

Check enrollments

Your device should be Azure AD joined

You can check this by using this command:

dsregcmd /status

AND enrolled in Intune (MEMac):

Theme: Overlay by Kaira