Co-management Series “Merging the Perimeter” – Part 2: Paths to Co-management

In the previous post for this series, we looked at “What is Co-management?”. In this part of the series we will look at the different paths to co-management.

Paths to Co-management

What scenarios qualify us to consider Co-management in our environment? We mentioned this briefly in the introduction to the series. Let me ask the questions below:-

  1. Do you have existing SCCM clients and want to move some workloads to Intune?
  2. Do you have existing SCCM clients and want to just enroll the devices into Intune to get MDM features like device wipe, factory reset and remote control*?
  3. Do you have existing Internet based clients, managed by Intune and joined to Azure AD, and you want to install the SCCM client to have some workloads managed by SCCM?
  4. Do you want to install the SCCM client during an Autopilot enrollment and manage some workloads with SCCM?

If you have answered yes to either of the above, then you qualify!

*Remote Control requires Teamviewer

There are different Pathways to reach a Co-managed state

We can summarize the posed questions into two main categories or “Pathways”:-

1 . Existing Configuration Manager clients: You have Windows 10 devices that are already Configuration Manager clients. You set up hybrid Azure AD, and enroll them into Intune.

2 . Internet Enrolled Clients: You have new Windows 10 devices that join Azure AD and automatically enroll to Intune. You then install the Configuration Manager client to reach a co-management state.

One of the more common scenarios we encounter is pathway 1 “Existing Configuration Manager Clients” and this is where this series will focus.

Series Focus: Existing Configuration Manager clients

We can further split our chosen pathway for this series down into a further two categories

All paths to co-management result in both the Intune and SCCM agents being installed on the client

Existing SCCM managed devices that auto-enroll into Intune

This pathway, sees us taking an existing SCCM Client, performing a Hybrid Azure AD Join and then enrolling it into Intune

Modern Provisioning bootstrap SCCM agent

This pathway would be used during Autopilot. We take a device, perform a Hybrid Azure AD Join or Azure AD Join during the Autopilot process. We then enroll the client into Intune and install the SCCM client

Joining things up

The different pathways to co-management require our device identity to be registered in Azure AD (we talk more about this in Part 3 and 4 of this series). We can achieve this by either performing a Hybrid Azure AD Join for existing SCCM clients or an Azure AD Join for existing internet based clients. If the device identity is not present, we cannot enroll our devices into Intune to leverage Co-management. Remember, for Pathway 1, Co-management requires us to install the Intune agent and this occurs during the Intune enrollment process.


This was the shortest part in the series and I just wanted to make some distinctions between the different pathways to Co-management. We will talk more about the requirements for these pathways in Part 3 of the series “Prerequisites”

5/5 - (1 vote)

5 thoughts on “Co-management Series “Merging the Perimeter” – Part 2: Paths to Co-management”

  1. Pingback: Co-management Series "Merging the perimeter" - Part 1: What is Co-management?

  2. Pingback: Co-management Series "Merging the Perimeter" – Part 3: Co-management Prerequisites

  3. Pingback: Co-management Series “Merging the Perimeter” – Part 4: Configuring Hybrid Azure AD

  4. Pingback: Co-management Series “Merging the Perimeter” – Part 5: Enabling Co-management

  5. Pingback: Co-management Series “Merging the Perimeter” – Part 6: Switching Workloads to Intune

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.


This site uses Akismet to reduce spam. Learn how your comment data is processed.