APPENDIX B
Co-Managing Microsoft Intune and ConfigMgr

Windows 10 introduces new and streamlined methods for managing Windows, which Microsoft refers to as modern management. There are multiple paths to modern management, depending on where an organization is on its Windows 10 journey and the constraints of that organization’s environment and infrastructure. The main component of modern management is the use of Windows 10’s built-in mobile device management (MDM) agent instead of additional management agents.

This appendix discusses modern management and what it brings to Windows management. It also explains how you can leverage and configure Configuration Manager (ConfigMgr) to create a pathway to modern management. This pathway allows moving workloads from ConfigMgr to Microsoft Intune (and thus the Windows 10 MDM agent) once you have qualified those workloads and are confident they will meet your organization’s requirements.

Modern Management in Windows 10

Windows has historically relied on additional agents to manage PCs. For organizations with ConfigMgr, this is the ConfigMgr agent. Windows has also had basic management capabilities in group policy and Windows Server Update Services (WSUS). These capabilities have not undergone major changes since Windows XP; rather, there have been incremental advances over time through Windows 8.1.

Beginning with Windows 10, Microsoft has significantly increased the release cadence of Windows. Windows now receives approximately two major feature updates every year. This cadence is referred to as the Semi-Annual Channel, and it replaces earlier Current Branch and Current Branch for Business release channels. Since the initial release of Windows 10, these updates have included Windows 10 Anniversary Update (1607), Windows 10 Creators Update (1703), and Windows 10 Fall Creators Update (1709). The four-digit number refers to the year (for example, 17 refers to 2017) and month (for example, 09 refers to September) in which the release’s development was finalized.

The revised release cadence creates a need for equivalent releases of management tools. This is one of the reasons ConfigMgr Current Branch adopted a regular release cadence that aligns to Windows 10 releases. In addition, Windows 10 has a significant investment in MDM as a management method. In Windows 10, the MDM stack has the ability to configure device encryption (BitLocker), take hardware and app inventory, and configure Windows Update for Business, among other enhancements. In addition, with feature updates, or major releases, Windows 10 has received significant enhancements to MDM capabilities. For a comprehensive list of all the management capabilities available in Windows 10 MDM, see the list of configuration service providers (CSPs) at https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference.

Modern management was introduced as a new way to think about managing Windows. It was meant to enable information technology (IT) to consume Windows regularly—moving away from 3- to 10-year deployments of Windows as large capital expenditure projects and to regular annual or semi-annual operational tasks. The intent is to look at servicing (including updating), application management, security, provisioning, and settings management in new ways, including:

- Modern Servicing: Moving to Windows Update for Business and leveraging ring-based release models.

- Modern Provisioning: Moving from custom images to a clean “signature” image.

- Modern Settings: Moving from group policy objects (GPOs) to MDM policy.

- Modern Authentication: Moving from password-based Kerberos sign-in to Windows Hello for Business and modern authentication (OAuth 2.0 and OpenID Connect against Azure Active Directory [Azure AD]).

- Modern Security: Leveraging Windows Information Protection (WIP), Windows Defender Advanced Threat Protection (ATP; discussed in Chapter 19, “Endpoint Protection”), and other Windows Defender capabilities, such as SmartScreen, Device Guard, and Credential Guard.

- Modern Apps: Moving from legacy .exe/.msi installers to Universal Windows Platform apps, converting existing desktop apps to Store format (.appx) using the Desktop App Converter (Desktop Bridge), Office 365 ProPlus, and Software as a Service (SaaS) web apps.

Modern management is the evolution of the last 10 years of user-centric computing in Windows management.

Defining Co-Management

While many architects and decision makers may have an aspirational or strategic goal to move to modern management, moving an entire company from traditional agent-based PC management to modern management takes significant effort. There are also human aspects of change to address; an organization will typically need to create operational roles and move away from a project-based Windows deployment mindset.

There are parallels between moving to modern management and the challenges that Exchange administrators went through when their organizations moved to Exchange Online. Instead of managing an Exchange upgrade every few years, Exchange administrators now consume multiple changes to Exchange Online and Office 365 ProPlus’s version of Outlook each year. New capabilities must be understood, articulated, evaluated to decide whether they should be used, and then configured; a Windows client administrator now needs to think in a similar fashion.

From a technology standpoint, this transformation is also difficult to accomplish without the ability to have traditional and modern methods co-exist—something ConfigMgr has historically blocked by disabling the MDM agent in Windows when the ConfigMgr agent is installed.

Co-management alleviates this issue by enabling side-by-side management of Windows 10 by the ConfigMgr agent and MDM management via Microsoft Intune. It requires the use of Microsoft Intune standalone rather than the hybrid mode of Intune integrated with ConfigMgr. Using Intune standalone allows you to maintain your ConfigMgr Current Branch environment while obtaining the rapid advancements of the cloud-only version of Intune, without binding Intune to ConfigMgr. Standalone is also Microsoft’s recommended method for deploying Intune.

Co-management also enables a company to evaluate modern management in its own time and control the rollout to its environment. You can choose which workloads to move to co-management. For example, you could move only Windows Update for Business from ConfigMgr update management. Alternatively, you could enable resource profile distribution so that Intune deploys certificates and Wi-Fi profiles to your devices.

In addition, co-management enables Intune-specific scenarios, such as device compliance conditional access. This allows Intune to validate device compliance and write that compliance state to Azure AD for use in conditional access, while continuing to leverage existing ConfigMgr policies to configure and control devices. This allows you to build compliance rules that require a specific month’s cumulative update (using the minimum Windows 10 OS build number, whose last component increments with each cumulative update) or require BitLocker before allowing access to Office 365 or another SaaS app protected by Azure AD. Because Azure AD evaluates the device state at sign-in, this control applies from any location from which a user logs in.

For more information on co-management, see the ConfigMgr documentation at https://docs.microsoft.com/sccm/core/clients/manage/co-management-overview.

Why Co-Management?

One question that often comes up is why co-management exists. Microsoft built co-management based on customer feedback that modern management was on customer roadmaps but had not been heavily investigated or had hit some sort of blocker. However, this feedback was never in-depth, because customers were unable to pilot modern management without completely disabling ConfigMgr.

In addition, countless ConfigMgr environments exist, and a great deal of effort has been invested in them over the years. Co-management provides the ability to leverage your ConfigMgr investment while making a gradual and controlled move, on your terms, to modern management across all workloads, without a “big bang” migration or a rush to ramp up on modern management and the MDM stack.

For example, consider the complexity of legacy application deployment, which includes multiple application model deployments with supersedence logic and dependencies. Those types of applications are not modern in nature but will continue to exist until they are replaced by newer apps or moved to SaaS solutions or web-based systems. An entire environment should not hinge on those apps, nor should they block your company’s investigation into modern management. Co-management provides the ability to continue to deliver those apps via the ConfigMgr application model while shifting other workloads to Intune. Continuing to deliver those apps via ConfigMgr also allows you to leverage the investment in packaging and testing those apps while examining modern app packaging methods and development methods.

Choosing Where to Start with Co-Management

A major element of any deployment of new technology is choosing where to begin the initial rollout. The following are potential areas you can review as starting points for co-management. This list is not exhaustive; it is meant to suggest relatively easy, low-resistance starting points:

- Securing Your Office 365 Access Using Azure AD Conditional Access: Enabling co-management allows you to configure conditional access for Windows 10 PCs with Microsoft Intune, so you can require that PCs are managed, encrypted with BitLocker, and up-to-date with the latest feature and cumulative updates for Windows 10. ConfigMgr continues to enable and deploy the configuration. This helps prevent access to Office 365 from unmanaged PCs, such as a home PC. Compliance policies should be the first workload to consider moving from ConfigMgr to Intune.

- Enabling Your Remote Workers to Set Up PCs over the Internet: You can combine co-management with Windows AutoPilot and/or Azure AD Join automatic MDM enrollment. This combination allows you to leverage AutoPilot or Azure AD Join to automate provisioning of off-the-shelf devices during the Windows 10 out of box experience (OOBE). Azure AD Join during OOBE, whether performed manually or via AutoPilot, enrolls the PC in Microsoft Intune when automatic MDM enrollment is configured in Azure AD. You can configure Intune as part of co-management to install the ConfigMgr agent and thus light up co-management, combining the flexibility of MDM with the detailed control of ConfigMgr.

- Piloting Highly Mobile Users Who Use SaaS Apps: Most organizations have a set of users who are primarily mobile or remote workers in a field role. If you use Office 365 and other SaaS solutions for these users, they might be a good fit for initial co-management of devices with minimal workloads delivered from ConfigMgr. Office 365 ProPlus (delivered using Click-to-Run) can be delivered directly via Intune over the MDM channel in Windows 10, and most SaaS apps rely on web-based portals or on client apps that self-update. In addition, SaaS solutions do not require intranet connectivity.

- Leveraging Intune to Provision Wi-Fi Profiles and Associated Certificates: Organizations requiring WPA2-Enterprise or 802.1X using X.509 certificates for access are often challenged with issuing certificates, as certificates must be issued and renewed to devices over a wired network while on-premises or via a virtual private network (VPN). Co-management enables you to leverage Intune’s ability to deploy certificates using Personal Information Exchange (PFX) (or Public Key Cryptography Standards #12 [PKCS #12]) profiles. This negates the need to stand up a Simple Certificate Enrollment Protocol (SCEP) connector and Network Device Enrollment Service (NDES) server, although PKCS profiles still rely on an on-premises Intune certificate connector with access to your issuing CA. Intune can then bind the issued certificates to a Wi-Fi profile issued by Intune. This means those devices can be ready to use the corporate Wi-Fi as soon as users get to work.
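The conditional access starting point above, and the compliance rule described earlier in this appendix (a minimum Windows 10 build plus BitLocker), can be expressed as an Intune compliance policy. The following PowerShell is an added example, not code from the book or from Microsoft; it builds the Microsoft Graph request body for such a policy and, optionally, creates it. It assumes the property names of the Graph `windows10CompliancePolicy` resource and an access token that you obtain separately for an Azure AD app granted `DeviceManagementConfiguration.ReadWrite.All`. The build number in the usage line is illustrative; take the value from the cumulative update you actually want to require.

```powershell
# Added example: build (and optionally create) an Intune Windows 10 compliance
# policy that requires a minimum OS build and BitLocker. Not from the book.
# Assumptions: Graph property names of microsoft.graph.windows10CompliancePolicy;
# $AccessToken obtained out of band for an app with
# DeviceManagementConfiguration.ReadWrite.All.

function New-Win10CompliancePolicyBody {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        # Full build string, e.g. 10.0.16299.<revision>. 16299 is the 1709 build;
        # the last component rises with each monthly cumulative update, which is
        # how a policy pins "this month's patches" as the text describes.
        [Parameter(Mandatory)][ValidatePattern('^10\.0\.\d+\.\d+$')][string]$MinimumOsBuild,
        [int]$GracePeriodHours = 0
    )

    $policy = [ordered]@{
        '@odata.type'        = '#microsoft.graph.windows10CompliancePolicy'
        displayName          = $DisplayName
        description          = "Windows 10 build $MinimumOsBuild or later with BitLocker, Secure Boot and code integrity enabled"
        osMinimumVersion     = $MinimumOsBuild
        bitLockerEnabled     = $true
        secureBootEnabled    = $true
        codeIntegrityEnabled = $true
        # Graph requires at least one scheduled action. 'block' with a zero
        # grace period marks a failing device non-compliant immediately, which
        # is the state Azure AD conditional access evaluates.
        scheduledActionsForRule = @(
            [ordered]@{
                ruleName = 'PasswordRequired'
                scheduledActionConfigurations = @(
                    [ordered]@{
                        actionType             = 'block'
                        gracePeriodHours       = $GracePeriodHours
                        notificationTemplateId = ''
                    }
                )
            }
        )
    }
    $policy | ConvertTo-Json -Depth 6
}

function New-IntuneCompliancePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$AccessToken,   # assumption: acquired separately
        [Parameter(Mandatory)][string]$JsonBody
    )
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies'
    if ($PSCmdlet.ShouldProcess($uri, 'POST compliance policy')) {
        Invoke-RestMethod -Method Post -Uri $uri -Body $JsonBody -ContentType 'application/json' `
            -Headers @{ Authorization = "Bearer $AccessToken" }
    }
}

# Usage: build the body offline and inspect it before creating anything.
$body = New-Win10CompliancePolicyBody -DisplayName 'Win10 1709 - current CU + BitLocker' `
                                      -MinimumOsBuild '10.0.16299.192'   # illustrative revision
$body
# New-IntuneCompliancePolicy -AccessToken $token -JsonBody $body -WhatIf
```

Creating the policy is only half of the control: it still has to be assigned to a group containing the co-managed devices, and an Azure AD conditional access policy must require a compliant device for Office 365 (or the SaaS app) before non-compliant PCs are actually blocked. Raise `osMinimumVersion` each month, after the cumulative update has been deployed through whichever channel (ConfigMgr or Windows Update for Business) currently owns that workload.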

Configuring Co-Management in ConfigMgr

The following sections discuss the configuration and the multiple enablement methods of co-management. The first section describes the prerequisites within ConfigMgr for co-management, assuming that Microsoft Intune standalone is configured and ready for Windows 10 devices to enroll. If Microsoft Intune is already configured in a hybrid setup with ConfigMgr and you want to move from hybrid to standalone, see the documentation at https://docs.microsoft.com/sccm/mdm/deploy-use/change-mdm-authority. Note that as of ConfigMgr Current Branch 1610, you can change MDM authority to standalone from hybrid without contacting Microsoft support.

Subsequent sections explain how to configure co-management on Windows 10 devices. Each is based on the starting states of those clients: existing Intune clients, existing ConfigMgr clients, or new devices. Use one or more of these sections to move your selected clients to co-management.

The final section explains how to select and transition workloads from ConfigMgr to Intune. Do this when you are ready to move those workloads. You do not need to move all clients when you move a workload; you can phase the change in across groups of client devices.

Co-Management Prerequisites

Multiple simple prerequisites—both ConfigMgr and Intune prerequisites—are required for co-management:

- ConfigMgr Version: Configuration Manager Current Branch version 1710 or later.

- Licenses: A Microsoft Enterprise Mobility + Security (EMS) license for users, or Microsoft Intune and Azure AD Premium licenses. While Azure AD Premium is not strictly required for co-management, it is required for conditional access to Office 365 and other SaaS apps protected by Azure AD, MDM auto-enrollment, self-service BitLocker recovery, and Enterprise State Roaming.

- Microsoft Intune Tenant Authority: The Microsoft Intune tenant should be set to a standalone authority and configured via the Microsoft Azure portal. The documentation at https://docs.microsoft.com/sccm/mdm/deploy-use/change-mdm-authority discusses moving from hybrid to standalone. The tenant should also be configured for Windows 10 device enrollment. For details on how to configure Intune for Windows 10 device enrollment, see https://docs.microsoft.com/intune/windows-enroll.

- Windows 10 Version: Windows 10 devices should be running the Fall Creators Update (version 1709) or later.

- Configure Hybrid Azure AD Join: To enroll existing ConfigMgr clients, you must set up hybrid Azure AD Join in your Active Directory environment. The Azure AD documentation discusses how to do so at https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup.

- Cloud Management Gateway (Optional): Installing ConfigMgr clients from the Internet using Microsoft Intune requires that you deploy a cloud management gateway (CMG). The CMG site system acts as a Microsoft Azure hosted channel for Internet-connected ConfigMgr clients. You cannot use an Internet-based client management (IBCM) management point (MP) for this, as IBCM requires the client to be on-premises for initial installation. You do not require a CMG to enable co-management; however, it does enable ConfigMgr to manage co-managed clients on the Internet. For more information on the CMG, see Chapter 4, “Architecture Design Planning,” and Chapter 9, “Client Management.”

- Cloud Distribution Point (Optional): To leverage the CMG and fully manage ConfigMgr clients, consider deploying a cloud distribution point (DP), which you can use to deploy complex applications to co-managed Windows 10 devices.

Enabling Devices for Co-Management

This section covers the ways to enable existing Microsoft Intune or ConfigMgr clients for co-management. You need to configure one or more of these onboarding options, although you do not have to enable all options. For more information, see the co-management documentation at https://docs.microsoft.com/sccm/core/clients/manage/co-management-prepare.

Windows 10 Devices with ConfigMgr Clients

The approach described in this section is the simplest way to enable co-management. Essentially, the ConfigMgr client uses a new capability of Windows 10 version 1709 (Windows 10 Fall Creators Update) to trigger automatic MDM enrollment of the device into Intune; as noted in the prerequisites, this requires the device to be hybrid Azure AD joined. This can be enabled from the Co-management Onboarding Wizard. Perform the following steps to launch the wizard:

1. In the ConfigMgr console, navigate to Administration -> Overview -> Cloud Services -> Co-management. Choose Configure co-management to launch the wizard.

2. On the Subscription page, click Sign In and enter the credentials of an Intune service administrator or a tenant global administrator. Click Next.

3. On the Staging page, choose how you want to enable co-management on your ConfigMgr clients:

- Pilot group: This is the inclusive method of enabling co-management, where you must include each collection where you want to enable co-management. This allows you to granularly control enabling co-management. You can either change the definition of the collections as required or change the pilot group collections by using the co-management properties.

- Production: This is an exclusive method of enabling co-management, where you must exclude each collection in which you do not want to enable co-management. This allows you to automatically opt in any new ConfigMgr clients for co-management, regardless of their collection membership, while excluding any Windows 10 devices where you do not want to enable co-management.

4. On the Enablement page, choose either Pilot or All, depending on what you chose on the Staging page in step 3. This triggers the configured enablement of co-management of Windows 10 devices with the ConfigMgr agent.
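Before adding a device to the pilot collection, it is worth confirming that the automatic enrollment the wizard triggers can actually succeed on it: the client must be hybrid Azure AD joined, Azure AD must publish an MDM enrollment URL for the tenant, and the OS must be 1709 or later. The following PowerShell is an added pre-flight check, not code from the book or from Microsoft. It parses the output of `dsregcmd /status`; the field names (AzureAdJoined, DomainJoined, MdmUrl) are the ones that tool prints, while reading a populated MdmUrl as “the tenant has an MDM enrollment URL configured” is this example’s interpretation. The sample output embedded below is constructed so the parser can be exercised offline.

```powershell
# Added example: pre-flight readiness check for ConfigMgr-triggered MDM
# enrollment. Not from the book. Parses `dsregcmd /status` and checks the
# Windows build against 16299 (the 1709 build number).

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value" rows; the +---+ and | banners contain
        # no colon and are skipped.
        if ($line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Test-CoManagementReadiness {
    param(
        [Parameter(Mandatory)][hashtable]$Fields,
        # Defaults to the local build; pass a value explicitly when testing offline.
        [int]$OsBuild = [Environment]::OSVersion.Version.Build
    )
    $hybrid = ($Fields['AzureAdJoined'] -eq 'YES') -and ($Fields['DomainJoined'] -eq 'YES')
    $mdmUrl = [string]$Fields['MdmUrl']
    $reasons = @()
    if (-not $hybrid)       { $reasons += 'device is not hybrid Azure AD joined' }
    if ($mdmUrl -eq '')     { $reasons += 'no MDM enrollment URL published for the tenant' }
    if ($OsBuild -lt 16299) { $reasons += "build $OsBuild is older than 1709 (16299)" }
    [pscustomobject]@{
        HybridAzureADJoined = $hybrid
        MdmUrl              = $mdmUrl
        OsBuild             = $OsBuild
        Ready               = ($reasons.Count -eq 0)
        Reasons             = ($reasons -join '; ')
    }
}

# Constructed sample of trimmed dsregcmd output, so the functions run offline.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

Test-CoManagementReadiness -Fields (ConvertFrom-DsregcmdStatus -Lines $sample) -OsBuild 16299

# On a real client, feed it the live output instead of the sample:
# Test-CoManagementReadiness -Fields (ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status))
```

A device that reports `Ready` but still does not enroll after the co-management policy arrives is the case to investigate in CoManagementHandler.log on the client; a device that reports not hybrid joined needs the Azure AD Connect device registration prerequisite fixed first, and no amount of collection membership changes will help it.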

Windows 10 Devices Enrolled in Intune

For devices enrolled in Intune, you can configure Intune to install the ConfigMgr client by publishing ccmsetup.msi as a Windows Installer line-of-business (LOB) app. This uses the traditional ccmsetup.msi installation method, along with additional command-line parameters that point the client at the CMG and enable Azure AD authentication to it. Chapter 9 discusses how to enable this method. To obtain the required command-line parameters, perform the following steps:

1. In the ConfigMgr console, navigate to Administration -> Overview -> Cloud Services -> Co-management.

2. Select Configure co-management to launch the wizard.

3. On the Subscription page, click Sign In to sign in as an Intune service administrator or tenant global administrator.

4. In the Enablement page, see the Devices enrolled in Intune section of the wizard for the command line required to install the client from Intune.

New Windows 10 Devices

If you have new Windows 10 devices that are being built not using operating system deployment (OSD) but using a modern provisioning method, you can use this method to enable co-management. This method is essentially a variation of the method described in the “Windows 10 Devices Enrolled in Intune” section, earlier in this appendix, and uses either the AutoPilot service or Azure AD Join via OOBE to trigger MDM enrollment in Microsoft Intune. Once the device is enrolled in Intune, Intune can push the ConfigMgr client via the ccmsetup.msi installation.

To enable this method, follow these steps:

1. Configure AutoPilot for new Windows 10 devices with the help of the documentation at https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot.

2. Enable automatic MDM enrollment for Azure AD-joined devices by following the documentation at https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment. With this configured, any Azure AD Join, whether performed by AutoPilot or manually, automatically enrolls the device in Microsoft Intune. Manual Azure AD Join can be triggered during OOBE, when the user selects My work or school owns it when asked who owns the PC; in this case, the user can select Join Azure AD. Azure AD Join can also be performed on an existing Windows 10 device by using the Settings app: Go to System -> About and select Join Azure AD.

3. Configure Intune to install the ConfigMgr agent by following the steps outlined earlier in this appendix, in the “Windows 10 Devices Enrolled in Intune” section.

Moving Workloads from ConfigMgr to Intune

When co-management is enabled, you can use the co-management settings to choose which workloads are enabled. This can be done from the Co-management Onboarding Wizard or the co-management properties after completing the wizard. It is anticipated that Microsoft will continue to invest in adding support for transitioning new workloads with each new release of ConfigMgr. The following are workloads you can move from ConfigMgr to Intune:

- Compliance Policies: Moving this workload to Intune enables you to leverage Intune to assess device compliance for the purposes of Azure AD conditional access. For more information, refer to the “Choosing Where to Start with Co-Management” section, earlier in this appendix. For information on how to configure compliance policies for Windows 10 devices in Microsoft Intune, see https://docs.microsoft.com/intune/compliance-policy-create-windows.

- Resource Access Profiles: Moving this workload to Intune enables you to push resource access profiles to Windows 10 via MDM. Resource access profiles include VPN, certificate, Wi-Fi, or email account (for the Mail Universal Windows Platform [UWP] app) profiles. For information on how to configure resource profiles for Windows 10 devices in Microsoft Intune, see the following links:

  - Certificates: https://docs.microsoft.com/intune/certificates-configure

  - Wi-Fi Profiles: https://docs.microsoft.com/intune/wi-fi-settings-configure

  - VPN Profiles: https://docs.microsoft.com/intune/vpn-settings-configure

- Windows Update for Business Policies: Moving this workload to Intune enables you to move to modern servicing, where you define deferral policies for Windows 10 feature and/or quality updates. This is accomplished by configuring Windows 10 update rings in Microsoft Intune. For more information, see https://docs.microsoft.com/intune/windows-update-for-business-configure. These updates are then delivered directly from Windows Update for Business.

You can switch workloads from ConfigMgr to Intune by modifying the properties of the co-management configuration at Administration -> Overview -> Cloud Services -> Co-management. For more details on how to switch workloads from ConfigMgr, see the co-management documentation at https://docs.microsoft.com/sccm/core/clients/manage/co-management-switch-workloads.

TIP: MONITORING CLIENT-SIDE CO-MANAGEMENT STATES

ConfigMgr provides a SQL Server view (v_ClientCoManagementState) and an SMS Provider Windows Management Instrumentation (WMI) class (SMS_Client_CoManagementState) to monitor the client-side rollout of co-management. You can use the v_ClientCoManagementState view to build reports to track the enablement of co-management and the automatic MDM enrollment into Intune triggered by ConfigMgr. The SMS_Client_CoManagementState class can be used to create collections in ConfigMgr, which can be used for monitoring or to target deployments based on MDM state.

Note that for a client to be co-managed, both the MDMEnrolled column/property and the CoMgmtPolicyPresent column/property must be set to a value of 1.
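The two flags in the tip combine into four states, and the interesting ones during a rollout are the mismatches: policy present but not enrolled (enrollment failed or has not run yet) and enrolled but no policy (a device enrolled outside ConfigMgr that the pilot does not yet target). The following PowerShell is an added example, not code from the book or from Microsoft; it queries the SMS Provider class named above and summarizes devices by state, and carries the equivalent T-SQL against the view. The property and column names (ResourceID, MDMEnrolled, CoMgmtPolicyPresent) are taken from the text as written; confirm their exact spelling against the class and view in your own site before relying on the output. The provider host, site code and the sample records are constructed for illustration.

```powershell
# Added example: summarize co-management state from the SMS Provider. Not from
# the book. Property names follow the text; verify them against your site.

function Get-CoManagementState {
    param(
        [Parameter(Mandatory)][string]$ProviderServer,  # host running the SMS Provider (assumption)
        [Parameter(Mandatory)][string]$SiteCode
    )
    Get-CimInstance -ComputerName $ProviderServer -Namespace "root\SMS\site_$SiteCode" `
        -ClassName SMS_Client_CoManagementState
}

function Get-CoManagementSummary {
    param([Parameter(Mandatory)][object[]]$States)
    $rows = foreach ($s in $States) {
        $enrolled = [int]$s.MDMEnrolled -eq 1
        $policy   = [int]$s.CoMgmtPolicyPresent -eq 1
        # A client is co-managed only when both flags are 1 (see the tip above).
        $status = if ($enrolled -and $policy) { 'CoManaged' }
                  elseif ($policy)            { 'PolicyPresent_NotEnrolled' }  # check CoManagementHandler.log on the client
                  elseif ($enrolled)          { 'Enrolled_NoPolicy' }          # enrolled outside ConfigMgr, not yet targeted
                  else                        { 'NotCoManaged' }
        [pscustomobject]@{ ResourceID = $s.ResourceID; Status = $status }
    }
    $rows | Group-Object Status |
        Select-Object Name, Count, @{ n = 'ResourceIDs'; e = { $_.Group.ResourceID -join ',' } }
}

# Equivalent T-SQL for a report against the site database (same caveat on column names).
$ReportSql = @'
SELECT s.Name0 AS DeviceName, c.MDMEnrolled, c.CoMgmtPolicyPresent,
       CASE WHEN c.MDMEnrolled = 1 AND c.CoMgmtPolicyPresent = 1 THEN 'CoManaged'
            WHEN c.CoMgmtPolicyPresent = 1 THEN 'PolicyPresent_NotEnrolled'
            WHEN c.MDMEnrolled = 1 THEN 'Enrolled_NoPolicy'
            ELSE 'NotCoManaged' END AS Status
FROM v_ClientCoManagementState c
JOIN v_R_System s ON s.ResourceID = c.ResourceID
ORDER BY Status, DeviceName;
'@

# Constructed sample records so the summary can be tried without a site connection.
$sample = @(
    [pscustomobject]@{ ResourceID = 16777220; MDMEnrolled = 1; CoMgmtPolicyPresent = 1 },
    [pscustomobject]@{ ResourceID = 16777221; MDMEnrolled = 0; CoMgmtPolicyPresent = 1 },
    [pscustomobject]@{ ResourceID = 16777222; MDMEnrolled = 1; CoMgmtPolicyPresent = 0 },
    [pscustomobject]@{ ResourceID = 16777223; MDMEnrolled = 0; CoMgmtPolicyPresent = 0 }
)
Get-CoManagementSummary -States $sample

# Against a live site (names are placeholders):
# Get-CoManagementSummary -States (Get-CoManagementState -ProviderServer 'cm01' -SiteCode 'PS1')
```

The same `MDMEnrolled = 1 and CoMgmtPolicyPresent = 1` test is what to put in the WQL of a “co-managed devices” collection, so that workload deployments and compliance reporting are scoped to devices that are actually in both management planes rather than to the pilot collection you targeted.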

In addition to these workloads, you can also trigger remote actions on Windows 10 devices co-managed with Intune and ConfigMgr. These actions are triggered from the Microsoft Intune blade in the Azure portal:

- Factory reset

- Selective wipe (not applicable for Azure AD Join devices)

- Delete device

- Restart device

- Fresh start
