Co-management for Windows 10 devices


Co-management meets several needs:

  • You have a Microsoft 365 subscription and want to use the Windows 10 licenses it includes.
  • You want to manage your Windows 10 devices as mobile devices and thus move from traditional management to modern management.

In both cases co-management is the answer. In earlier versions of Windows 10 it was impossible to join a machine to both an Active Directory domain and Azure AD: you had to choose between traditional management (join to an AD domain) and modern management (join to Azure AD).

Since System Center Configuration Manager 1710, Windows 10 1709 workstations can be managed by SCCM and Intune at the same time. This builds a bridge between classic and modern management.

Prerequisites

The prerequisites for activating co-management are as follows:

The Intune platform must be configured. To do this, open the Azure portal, go to Azure Active Directory, click Mobility (MDM and MAM) and then Microsoft Intune.

In MDM user scope, select All and click Save.

Configuring the Service Connection Point

The service connection point (SCP) is read by devices at registration time to discover which Azure AD tenant to register with. First, retrieve the configuration naming context of the forest (the SCP lives in the Configuration partition, not in the domain partition).
To do this, run the PowerShell command Get-ADRootDSE and read the configurationNamingContext attribute.

If the SCP (Service Connection Point) object has already been configured, it is present at the following location:
CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context].

If the object does not exist, it must be created. First, the MSOnline (MSOL) PowerShell module must be installed.

MSOL PowerShell module

On your Azure AD Connect server, run the following PowerShell commands:

  • Import the module: Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
  • Enter the Azure AD credentials: $aadAdminCred = Get-Credential
  • Initialize the domain-joined computer sync: Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred

Check that the configuration has been applied by running the following PowerShell commands:

  • $scp = New-Object System.DirectoryServices.DirectoryEntry
  • $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=formation,DC=local"
  • $scp.Keywords
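The same check, written as a reusable script rather than three interactive lines. This is an added example and not part of the original post: it derives the configuration naming context from RootDSE instead of hard-coding the forest, reports whether the SCP exists, and extracts the tenant name and ID from the keywords attribute (the azureADName: and azureADId: values that Initialize-ADSyncDomainJoinedComputerSync writes). It assumes the ActiveDirectory PowerShell module is available on the machine where it runs.

```powershell
# Added example (not from the original post): locate the Azure AD device-registration
# SCP in the Configuration partition and report the tenant it points to.
# Assumes the ActiveDirectory module (RSAT) is installed; any authenticated domain
# user can read the Configuration partition by default.
Import-Module ActiveDirectory

function Get-AzureAdScp {
    # The SCP is forest-wide, so build its DN from the configuration NC, not the domain NC
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"

    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return [pscustomobject]@{
            Exists            = $false
            DistinguishedName = $scpDn
            TenantName        = $null
            TenantId          = $null
        }
    }

    # keywords is multi-valued: "azureADName:<tenant>" and "azureADId:<guid>"
    $tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' } | Select-Object -First 1) -replace '^azureADName:', ''
    $tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' }   | Select-Object -First 1) -replace '^azureADId:', ''

    [pscustomobject]@{
        Exists            = $true
        DistinguishedName = $scpDn
        TenantName        = $tenantName
        TenantId          = $tenantId
    }
}

$result = Get-AzureAdScp
if (-not $result.Exists) {
    Write-Warning "SCP not found at $($result.DistinguishedName); run Initialize-ADSyncDomainJoinedComputerSync on the Azure AD Connect server."
} elseif (-not $result.TenantId) {
    Write-Warning "SCP exists but carries no azureADId keyword; devices will not know which tenant to register with."
} else {
    "SCP points to tenant $($result.TenantName) ($($result.TenantId))"
}
```

Because every domain-joined Windows 10 device trusts this object to decide which tenant it registers with, compare the reported tenant ID with your own tenant and treat write access to the object as Tier-0: anyone who can rewrite its keywords can redirect device registration to another tenant.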

Configure Azure Services

This feature must be configured in SCCM if you want to activate co-management on computers already enrolled in Intune. If it is not configured, the following message appears when configuring co-management:

Please ensure the proper prerequisites are installed

In the SCCM console, go to the Administration workspace and expand the Cloud Services node. Select Azure Services and click Configure Azure Services.

A wizard launches; enter the desired name and click Next.

Click Browse to create a new Web app, then click Create in the window that appears.

Enter the application name and click Sign in. Enter your Intune credentials and click OK. Leave the other fields unchanged.

Back in the wizard, click Browse to configure the Native Client app, then click Create in the window that appears.

Enter the application name and click Sign in. Enter your Intune credentials and click OK. Leave the other fields unchanged.

Confirm the remaining pages without making any changes.

The applications must now be granted permissions in Azure. On devicemanagement.portal.azure.com, sign in as an Intune administrator. Click Azure Active Directory and then App registrations.

Click View all applications and then click Azure AD Discovery.

Click Settings and then Required permissions.

Click Grant Permissions and then Yes.

In the SCCM console, open the Administration workspace and expand the Cloud Services node. Select Azure Services and click Run Full Discovery Now. Click Yes to launch the discovery.

You can use the SCCM logs to confirm that the synchronization succeeded (SMS_AZUREAD_DISCOVERY_AGENT.log on the site server records the Azure AD user discovery).

SCCM Configuration

In the SCCM console, expand the Cloud Services node. Right-click Co-management and select Configure co-management.

A new wizard is displayed; click Sign in and enter the Intune administrator credentials. Click Next on the following pages.

From the Automatic enrollment in Intune drop-down list, select Pilot and click Next.

Configure the workloads to specify, for each one, whether it is managed by Intune or by System Center Configuration Manager.

Create a device collection. This collection is used by co-management as the pilot group. In the wizard, select the collection with the Browse button.

You can now finish the wizard. Add the Windows 10 computers to the SCCM collection.

Windows 10 with SCCM Client

The SCCM client has already been installed on the Windows 10 machine.

The computer is joined to the AD domain; we will now also join it to Azure AD. On the Windows 10 computer, open Windows Settings.

Click Access work or school and then Connect.

Enter the user name and password.

The Azure AD join is now OK, and the computer appears in Azure AD.

Note that on a domain-joined device, Connect adds a work account, which makes the device Azure AD registered (WorkplaceJoined in dsregcmd /status). The hybrid Azure AD join that co-management relies on is performed automatically by the device through the SCP configured earlier and shows as AzureAdJoined : YES. Run dsregcmd /status on the client to confirm the state before enabling automatic enrollment.
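A script to check the join state on the client, as an added example that is not part of the original post. It parses the output of dsregcmd /status, distinguishes the hybrid join (AzureAdJoined) from a mere work-account registration (WorkplaceJoined), and reads the ConfigMgr client version from WMI. The sample dsregcmd lines embedded in the script are constructed to exercise the parser offline; the tenant ID in them is a placeholder.

```powershell
# Added example (not from the original post). Parses 'dsregcmd /status' and reports
# whether the device is in the state co-management expects: domain-joined AND Azure AD
# joined (hybrid), with the ConfigMgr client installed.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines = (dsregcmd /status))
    $state = @{}
    foreach ($line in $Lines) {
        # Lines of interest look like "      AzureAdJoined : YES"; banner lines do not match
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-CoManagementJoinState {
    param([hashtable]$State = (ConvertFrom-DsregStatus))
    $domainJoined    = $State['DomainJoined']    -eq 'YES'
    $azureAdJoined   = $State['AzureAdJoined']   -eq 'YES'
    $workplaceJoined = $State['WorkplaceJoined'] -eq 'YES'

    # The ConfigMgr client exposes its version through WMI once installed
    $ccm = Get-CimInstance -Namespace root\ccm -ClassName SMS_Client -ErrorAction SilentlyContinue
    $ccmVersion = $null
    if ($ccm) { $ccmVersion = $ccm.ClientVersion }

    [pscustomobject]@{
        DomainJoined     = $domainJoined
        AzureAdJoined    = $azureAdJoined
        HybridJoined     = ($domainJoined -and $azureAdJoined)
        WorkplaceJoined  = $workplaceJoined   # what 'Connect' in Settings produces (Azure AD registered), not hybrid join
        TenantId         = $State['TenantId']
        CcmClientVersion = $ccmVersion
    }
}

# Constructed sample output to show the parser offline (placeholder tenant ID)
$sample = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : FORMATION',
    '                  TenantId : 00000000-0000-0000-0000-000000000000',
    '           WorkplaceJoined : NO'
)
Get-CoManagementJoinState -State (ConvertFrom-DsregStatus -Lines $sample)

# Live check on the Windows 10 client
$live = Get-CoManagementJoinState
if (-not $live.HybridJoined) {
    Write-Warning 'Device is not hybrid Azure AD joined; automatic enrollment into Intune will not trigger. Check the SCP and the Automatic-Device-Join scheduled task.'
} elseif ($live.WorkplaceJoined) {
    Write-Warning 'Device is both hybrid joined and Azure AD registered (dual state); remove the work account under Access work or school.'
}
```

On a device that is only Azure AD registered, HybridJoined comes back false even though the computer is visible in the Azure AD portal, which is why the portal view alone is not a sufficient check.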

Windows 10 without SCCM Client

You need to configure a Cloud Distribution Point and a Cloud Management Gateway first.
The root CA certificate must be deployed to the devices; this is done with Microsoft Intune. On a domain-joined workstation, open an MMC console and click Add/Remove Snap-in. Add Certificates and select Computer account in the window that appears. Open the Trusted Root Certification Authorities folder, then export your root CA certificate.

Open the Azure portal (devicemanagement.portal.azure.com) and sign in with the Intune admin account. Click Device configuration and then Profiles. Click Create profile to create a new profile.

Enter the desired profile name and, in the Platform drop-down list, select Windows 10 and later. In Profile type, select Trusted certificate.

Select the exported root certificate and click OK.

Click the Create button to create the profile. The profile was assigned to all users and to a dynamic group (computers running Windows 10).

The SCCM client must now be imported into Intune. First, retrieve the silent installation command line. In the SCCM console, expand the Cloud Services node, select Co-management and double-click the existing entry.

On the Enablement tab click the Copy button. Paste the silent installation command line into Notepad and add the arguments /nocrlcheck and CCMHTTPSSTATE=31 (see below). This command line is used later.

Co-management for Windows 10 devices

Command line:
CCMSETUPCMD="/nocrlcheck /mp:https://NBONNET.CLOUDAPP.NET/CCM_Proxy_MutualAuth/720578523579 CCMHTTPSSTATE=31 CCMHOSTNAME=NBONNET.CLOUDAPP.NET/CCM_Proxy_MutualAuth/720578523579 SMSMP=https://SRV-SCCM.FORMATION.LOCAL SMSSiteCode=NIB AADTENANTID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx AADTENANTNAME=SMSBOOT AADCLIENTAPPID=9177fa1c-xxxx-xxxx-xxxx-xxxxxxxxxxxx AADRESOURCEURI=https://ConfigMgrService"

  • /nocrlcheck: use this argument if you have not published your CRL to the Internet. It disables revocation checking of the management point certificate, so a revoked certificate would still be accepted; publishing the CRL and dropping the switch is the safer option.
  • /mp: the management point used as the download source for the client; here it is the Cloud Management Gateway, which must already be configured.
  • CCMHTTPSSTATE=31: I needed to add this argument in my lab (without it, the client failed to communicate with the server).
  • CCMHOSTNAME: the name of the Internet-facing management point (the CMG).
  • SMSMP: the name of the on-premises management point.
  • SMSSiteCode: the site code of the primary site.
  • AADTENANTID, AADTENANTNAME: the ID and name of your Azure AD tenant linked to Configuration Manager.
  • AADCLIENTAPPID, AADRESOURCEURI: the application ID of the Native Client app and the App ID URI of the Web app registered under Azure Services above.

For the CCMHTTPSSTATE=31 argument, see:
TechNet blog link

It is now possible to create a new application in Intune. From the portal, click Mobile apps then Apps. Click Add to add a new application.

In the App type drop-down list, select Line-of-business app and click Select file.

Select the ccmsetup.msi file in E:\InstallFolderSccm\bin\i386 and click OK.

Open the App information tab and enter the Description and Publisher. Copy the silent installation command line previously saved in Notepad and paste it into the Command-line arguments field. Click OK and then Add to add the application to Microsoft Intune.

Assign the application to a user group targeted by co-management.

The client computer must hold a client authentication certificate to communicate with SCCM over HTTPS. Request this certificate from your certification authority; without it the SCCM client cannot be installed through the CMG. After that you can join your Windows 10 computers to Azure AD.
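Two checks for the certificate steps above (the root CA export for the Intune trusted-certificate profile, and the client authentication certificate needed for HTTPS), as an added example that is not part of the original post. The subject pattern 'CN=formation-CA*' and the output path C:\Temp\RootCA.cer are assumptions; replace them with your own CA name and location.

```powershell
# Added example (not from the original post). Exports the root CA from the computer's
# Trusted Root store in DER format (what the Intune 'Trusted certificate' profile takes)
# and verifies that the client holds a certificate usable for client authentication
# that chains to that root. Subject pattern and output path are assumptions.
function Export-RootCa {
    param(
        [Parameter(Mandatory)][string]$SubjectPattern,
        [Parameter(Mandatory)][string]$OutFile
    )
    # A root is self-signed: Subject equals Issuer. Take the newest one matching the pattern.
    $ca = Get-ChildItem Cert:\LocalMachine\Root |
          Where-Object { $_.Subject -like $SubjectPattern -and $_.Issuer -eq $_.Subject } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $ca) { throw "No self-signed root matching '$SubjectPattern' in LocalMachine\Root" }
    Export-Certificate -Cert $ca -FilePath $OutFile -Type CERT | Out-Null
    return $ca
}

function Test-ClientAuthCert {
    param([Parameter(Mandatory)][string]$RootThumbprint)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    # ConfigMgr needs a machine certificate with a private key and an explicit Client Authentication EKU
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }
    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip CRL checks here, mirroring /nocrlcheck; the internal CRL may not be reachable from the Internet
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if ($chain.Build($cert)) {
            $rootElement = $chain.ChainElements[$chain.ChainElements.Count - 1]
            if ($rootElement.Certificate.Thumbprint -eq $RootThumbprint) { return $cert }
        }
    }
    return $null
}

$root   = Export-RootCa -SubjectPattern 'CN=formation-CA*' -OutFile 'C:\Temp\RootCA.cer'   # assumed values
$client = Test-ClientAuthCert -RootThumbprint $root.Thumbprint
if ($client) {
    "Client authentication certificate OK: $($client.Subject), expires $($client.NotAfter)"
} else {
    Write-Warning 'No client authentication certificate chaining to the exported root; ccmsetup over HTTPS through the CMG will fail.'
}
```

Run the export on a domain-joined workstation (so the enterprise root is already in Trusted Root) and the client-certificate check on the Windows 10 device you are about to enroll; a certificate without the Client Authentication EKU, or one whose chain ends at a different root than the one you pushed through Intune, is the usual reason the installation line above fails against the CMG.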

The SCCM client is installed and the root CA certificate is also present.

With the SCCM client installed, once the policies have been retrieved the software is present in Software Center (if the administrator has deployed software).

When I try to install the software, the computer downloads it from the Cloud Distribution Point.