I recently went down the path to enable co-management in our environment. After a lot of Googling and questions I eventually got a working plan.
The 2 things I had to get my head around is that there are 2 aspects to co-management. The first is the actual management of the device which is handled by MECM/Intune and second is the identity of the device which is handled by Active Directory/Microsoft Entra.
According to Microsoft Learn, to enrol existing clients you need to hybrid join devices as a prerequisite to enabling co-management as shown here.
I’m not going to reinvent the wheel and go through the whole setup as this is already covered in the Microsoft documentation. But instead to cover a few bits in the process that weren’t obvious to me in any of the posts/guides I read.
So assuming you have setup your Microsoft 365 tenant, completed the setup of ‘Microsoft Entra Connect‘ to sync your identities and have the correct licensing you are ready to enable co-management. And the first step is to hybrid join your devices.
The first thing I noticed was that it didn’t seem like our local computer objects were being synced. When I checked the ‘Synchronization service manager‘ on our local domain controller it wasn’t showing any computer objects being exported to our tenant. But on closer inspection these objects were being filtered out as they are missing an attribute in Active Directory. More on this later!
The first thing you need to do is let the clients know what tenant they should be trying to attach to. By default all Windows 10/11 devices will trying to hybrid join. But in their default state they don’t have the details to do so. This is where the Service Connection Point (SCP) comes in. This has to be published to your devices.
In most of the guides and in the Microsoft docs it points to publishing the SCP to your local AD using the Microsoft Entra connect tool. When this is published to your local AD all Windows 10/11 devices will find the SCP and attempt to hybrid join. Not really ideal when you want to test it with a selected group of devices . Instead you can use a targeted deployment as covered here, which is how I’m going to proceed.
I found this is a more controlled method as it can be dished out via group policy to only the devices you want to enrol.
So first create a new group policy and using security filtering, scope it to a group which contains the devices you want to enrol. I created a new group and added a couple of test devices. Alternatively you can leave the default security filtering as is and just link the GPO to a single OU which contains the selected devices.
In the new group policy navigate to ‘Computer Configuration > Preferences > Windows Settings > Registry‘ and add the following 2 entries.
The first is TenantName which is normally your main Microsoft custom domain name or your managed domain name e.g. example.onmicrosoft.com.
The second is your TenantID which can be found in your Microsoft Entra tenant, under Identity > Overview > Properties > Tenant ID.
Your GP should look something like this.
Link this GPO to the relevant OU and either wait for it to take effect or run ‘gpupdate /force’ on your chosen devices.
With these registry entries in place, when the device next tries to hybrid join it should have the details it needs.
The hybrid join process is initiated by a task in Task Scheduler called ‘Automatic-Device-Join‘. This task is located in ‘\Microsoft\Windows\Workplace Join‘ and can be run manually if needed.
When this task next runs the device will attempt to join Microsoft Entra. You can check the status in CMD using this command ‘dsregcmd /status‘.
At this point a few things go on in the background and this is the main reason for this guide. It’s no secret that this isn’t an instant process but it’s good to know what should be happening.
First, when the device discovers the SCP details in the register it will attempt to register with Microsoft Entra. It will be issued a couple of certificates which can be seen in the ‘Local Computer > Personal’ store
And also updates an attribute called ‘userCertificate‘ in its computer account in the local AD.
This is important, I mentioned earlier that computer objects are filtered out, they are filtered out if the ‘userCertificate‘ attribute is empty.
Once this attribute has been populated the device will be picked up by ‘Microsoft Entra Connect‘ and exported to Microsoft Entra. As seen below.
In the Microsoft Entra admin center under ‘Identity > Devices > All devices‘ you should now seen an entry for that device with the ‘Join type‘ status of ‘Pending‘.
This should also be reflected when running ‘dsregcmd /status‘ on the client device. Once the device again runs the ‘Automatic-Device-Join‘ task it should find it’s computer account in Microsoft Entra and complete the hybrid join.
This shows that the device has successfully hybrid joined to our tenant. If you check back in ‘Identity > Devices > All devices‘ you should now see that those pending devices are showing as ‘Microsoft Entra hybrid joined‘
With this complete we can go ahead and enable co-management.
In MECM create a new collection, give it an appropriate name and add the devices which earlier you hybrid joined. This will be the collection which co-management is enabled for.
Next navigate to Administration > Cloud Services > Cloud Attach and on the top bar select ‘Configure Cloud Attach‘. On the wizard run through the setup by signing into an account that is present in your tenant with admin privileges which will create a service account to facilitate the connection from MECM to Intune.
By default the wizard will select ‘recommended settings’ which will basically add all devices to co-management. But as we are doing a targeted deployment we only want to select certain devices. When asked, don’t use the recommended settings, instead configure the settings yourself.
Most of these can be left as the default but on ‘Upload to Microsoft Intune admin center‘ select ‘Upload specific collection‘ and choose the collection you created earlier. Do the same under ‘Enablement‘ when asked about ‘Automatic enrolment in Intune‘, select ‘Pilot‘ and again select your device collection.
For workloads, leave these set to ‘Configuration Manager‘ until you have had chance to get established and setup with Intune.
Once this is completed you should see in Intune under ‘Connectors and tokens‘ your MECM instance connected.
This will start out in an ‘Unhealth‘ state but after a few minutes should resolve to ‘Healthy‘. It can take a little time but eventually you should see your devices listed in Intune under ‘Devices‘
At first you might see 2 entries for some devices. Under the ‘Managed by‘ heading one will say ‘Co-managed‘ and the other ‘ConfigMgr‘. I found this to be normal when a device is first onboarded and after a day or so the records are merged.
Once you are happy with the results and have done a bit of testing, you can start to expand and enable co-management for more devices.