SCCM Intune Windows 10 Co Management Architecture Decisions

ANOOP C NAIR
17+ YEARS OF EXPERIENCE IN IT
MICROSOFT MVP/VEEAM VANGUARD
@ANOOPMANNUR
WWW.ANOOPCNAIR.COM
HTTP://WWW.YOUTUBE.COM/C/ANOOPCNAIRSCCM
RAJUL
13 YEARS OF EXPERIENCE IN IT
@WANDERINGROS
@RAJULROS
AGENDA
• WHAT IS CO-MANAGEMENT?
• CO-MGMT IN DETAILS
• CO-MGMT SERVER & LICENSE PRE REQUISITES
• CO-MGMT CLIENT & AZURE AD PRE REQUISITES
• CO-MGMT ENTRY POINTS
• CLOUD DP & CLOUD MGMT GATEWAY
• CMG/CDP GENERAL REQUIREMENTS
• CMG CERTS REQUIREMENTS
• CMG CONNECTIVITY FLOW
• CMG WITH EXPRESS ROUTE
• CMG SUPPORTED SCENARIOS
• DEMO
• CMG CAS SCENARIO
• CMG SCALABILITY
• CO-MGMT BENEFITS
WHY CO-MANAGEMENT?
• CHANGE?
• WORLD IS CHANGING
• DESTRUCTIVE PHASE
• WHY TROUBLING IT PROS FOR A CHANGE??
WHAT IS CO-MANAGEMENT?
• CO-MANAGEMENT IS A DEVICE MANAGEABILITY FEATURE OF WINDOWS
• A BRIDGE FROM TRADITIONAL MANAGEMENT TO MODERN MANAGEMENT
• CO-EXISTENCE OF MANAGEMENT TOOLS (INTUNE, SCCM AND OTHER MDM??)
CO-MGMT ARCHITECTURE
WORKLOADS
THIN LINE FUTURE
#JUST4CLICKS
CO-MGMT SERVER & LICENSE PRE REQUISITES
SCCM:
• SCCM 1710 or later
• Cloud Management Gateway*
• Cloud Distribution Point
• Cloud Service Configuration
Intune License:
• Intune Standalone (or Mixed?)
• EMS or M365
• Azure Subscription (PaaS)*
* Optional
CO-MGMT CLIENT & AZURE AD PRE REQUISITES
Client:
• Windows 10 1709 or Later
Azure Active Directory or Domain:
• Domain Joined + AAD Registered (Hybrid AD)
• Azure AD Connect
• ADFS*
• Azure AD automatic enrollment enabled
• Azure AD Joined (Cloud)
• Conditional Access Policy Changes*
* Optional
CO-MGMT ENTRY POINTS
SCCM Managed + Domain Joined -> Intune Enrolment:
• Windows 10 1709 or Later
• SCCM Agent will automatically trigger the Intune enrolment
• Firewall or Proxy Requirements (Connected to Corp LAN)
• AAD Registration/CMG/CDP Client Settings (Domain Joined)
• CA, WiFi Profile, VPN Profile, Windows Defender, Compliance policies
Intune Clients + Azure AD Joined -> SCCM Client Installation:
• Windows 10 1709 or Later
• Auto Pilot + Configuration Profiles + PowerShell Script
• CMP and CDP connectivity
• Intune Mobile Application to configure/install SCCM client
• Win32 complex MSI application support / App-V Support
CLOUD DP & CLOUD MGMT GATEWAY
Cloud Distribution Point (CDP):
• DP on Azure Cloud
• Azure PaaS Solution
• Azure Classic Deployment - MGMT Certs Authentication
Cloud Management Gateway (CMG):
• Reverse Proxy on Azure?
• Azure PaaS Solution
• Azure Resource Manager (ARM), SCCM 1802 or later - AAD App Authentication
• Azure Classic Deployment (1710 or below) - MGMT Certs Authentication
• NOT a Pre-release Feature Anymore
CMG/CDP GENERAL REQUIREMENTS
Cloud Distribution Point (CDP):
• Azure Subscription admin Access (co-administrator)
• Self Signed Management Cert
• Service Certificate
• Cloud Service name on public DNS
• Enable Access to CDP on Client Settings Policy
• Service Connection Point to be Online
Cloud Management Gateway (CMG):
• Azure Subscription admin Access (co-administrator)
• At least 1 On Premise server to host the CMG connection Point
• Certificates
• Azure AD user discovery is not required (1802 onwards)
• Clients must use IPv4
• Service Connection Point to be Online
CMG CERTS REQUIREMENTS
Server authentication certificate:
• CMG creates an HTTPS service for Internet Clients
• Azure Management Cert (Classic Deployment Only)
• Public Provider Certificate (Verisign/Digicert/Entrust/GoDaddy etc) or PKI
• Wildcard server authentication certificate support (1802 onwards), e.g. *.anoopcnair.com
• Manual Upload - SCCM CMG installation wizard
Client authentication certificate:
• Azure AD Token for AAD joined machines
• Clients must trust the CMG server authentication certificate
• Public Provider Certificate Root CA
• Root and Intermediate Chain of Client Certs to clients
• Deploy - GPO, SCCM Cert deployment, Any other delivery method
Azure management certificate is required only for classic service deployments
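The two client-side conditions above (clients must trust the CMG server authentication certificate, and a wildcard name must actually cover the service name) can be checked from a client before troubleshooting enrolment. The following PowerShell is an added example, not code from the deck or from ConfigMgr; the service name cmg.anoopcnair.com is an assumed placeholder.

```powershell
# Added example, not part of the deck: check whether this machine would trust the
# CMG server authentication certificate the way a ConfigMgr client does.
# 'cmg.anoopcnair.com' below is an assumed placeholder for your CMG service name.
function Test-CmgServerCertificate {
    param(
        [Parameter(Mandatory)][string]$CmgHost,
        [int]$Port = 443
    )
    # Open a TLS session and capture the certificate the CMG presents. The
    # validation callback accepts everything so the chain can be inspected below.
    $client = [System.Net.Sockets.TcpClient]::new($CmgHost, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($CmgHost)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally { $client.Dispose() }

    # Chain build against the local trust store: this fails when the root or
    # intermediate CA of the CMG certificate has not reached the client (GPO,
    # SCCM certificate deployment, etc.). Revocation is skipped to stay offline-safe.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # Name check: a wildcard such as *.anoopcnair.com covers exactly one DNS label.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameOk = $false
    foreach ($n in $names) {
        if ($n.StartsWith('*.')) {
            $labels = $CmgHost.Split('.')
            if ($labels.Count -ge 3 -and (($labels[1..($labels.Count - 1)] -join '.') -ieq $n.Substring(2))) { $nameOk = $true }
        } elseif ($n -ieq $CmgHost) { $nameOk = $true }
    }

    [pscustomobject]@{
        Host         = $CmgHost
        Subject      = $cert.Subject
        DnsNames     = $names -join ';'
        NotAfter     = $cert.NotAfter
        NameMatches  = $nameOk
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ';'
    }
}

# Placeholder service name (assumption); a healthy CMG reports NameMatches and ChainTrusted as True
Test-CmgServerCertificate -CmgHost 'cmg.anoopcnair.com'
```

Run it on the client that fails to reach the CMG: ChainStatus names the missing link (for example an untrusted root or a missing intermediate), which is what the certificate deployment in the table above must fix.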
CMG CONNECTIVITY FLOW
(Diagram: AD CA, Windows Update, CMG Connection Point)
CMG WITH EXPRESS ROUTE
CMG SUPPORTED SCENARIOS
Windows Client + Domain Join = (PKI):
• Software updates & Antivirus
• Inventory & client status
• Compliance settings
• Software Deployment to the device
• Windows 10 in-place upgrade TS (as of version 1802)
Windows 10 + Azure AD Join (Cloud or Hybrid) = Azure AD:
• Software updates & Antivirus
• Inventory & client status
• Compliance settings
• Software Deployment to the USERS
• Software Deployment to the DEVICES
• Windows 10 in-place upgrade TS (as of version 1802)
DEMO
• Co-Mgmt Settings
• Co-Mgmt Workload
• CMG/CDP mgmt setup
• Co-mgmt collection Query
CMG – CAS SCENARIO
• CMG, CMG CP, SCCM SITE SERVER IN SAME REGION
• SCCM CLIENT – CMG IS NOT REGION AWARE.
• HIGH AVAILABILITY – 2 CMG & 2 CMG CP PER REGION
CMG – SCALABILITY
• 1 CMG – 16 VMs
• 1 VM – 6000 Connections
• 1 CMG CP – 4 VMs
• 1 CMG (16 VMs) = 4 CMG CP
CO-MGMT BENEFITS
• Factory reset
• Selective wipe
• Delete devices
• Fresh start