Co-management SCCM

Co-management for Windows 10 devices
Co-management can meet several requirements:
- If you have a Microsoft 365 subscription and want to use the included Windows 10 licenses.
In these cases co-management must be used. In previous versions of Windows 10 it was not possible to join a machine to an Active Directory domain and also register it with Azure AD: you had to choose between traditional management (join to an AD domain) and modern management (join to Azure AD).
With System Center Configuration Manager 1710 it is possible to manage Windows 10 1709 workstations with SCCM and Intune at the same time. In this way a bridge is established between classical and modern management.
Prerequisites
The prerequisites for activating co-management are as follows:
- System Center Configuration Manager 1710
- Azure AD
- EMS/Intune license assigned to all users
- MDM authority set to Intune
- Hybrid Azure AD join
- Cloud Management Gateway (mandatory for Windows 10 devices without the SCCM client). This is documented in Install and Configure Cloud Management Gateway.
- Cloud Distribution Point (mandatory for Windows 10 devices without the SCCM client). This is documented in Install and Configure Cloud Distribution Point.
The Intune MDM scope must also be configured. In the Azure portal, go to Azure Active Directory, click Mobility (MDM and MAM), then Microsoft Intune.

In MDM user scope, select All and click Save.

Configuring the Service Connection Point
The service connection point is used by devices at registration time to discover the Azure AD tenant information. First, retrieve the configuration naming context of the forest.
To do this, run the PowerShell command Get-ADRootDSE and note the configurationNamingContext value.

If the SCP (Service Connection Point) object has already been configured, it is present at the following location:
CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context]
If the object has not been configured, it must be created. First, install the MSOnline PowerShell module (MSOnline PowerShell module).
On your Azure AD Connect server, run the following PowerShell commands:
- Import the PowerShell module: Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
- Enter the Azure AD credentials (a global administrator): $aadAdminCred = Get-Credential
- Initialize the domain-joined computer sync: Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred
Then check that the configuration was applied by running the following PowerShell commands:
- $scp = New-Object System.DirectoryServices.DirectoryEntry
- $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=formation,DC=local"
- $scp.Keywords
The keywords should contain an azureADName: entry with the verified tenant domain and an azureADId: entry with the tenant ID.
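The check above hard-codes the lab's naming context (DC=formation,DC=local). The following script, added here as an example and not part of the original post, does the same check generically: it reads the configuration naming context from Get-ADRootDSE, binds to the SCP, parses the azureADName/azureADId keywords and warns when the object is missing or incomplete. It assumes the ActiveDirectory (RSAT) module is available on a domain-joined machine; the function name is mine.

```powershell
# Added example (not from the original post): find the Azure AD device
# registration SCP from the forest's configuration naming context rather than
# hard-coding DC=formation,DC=local, then parse its keywords.
# Assumes the ActiveDirectory (RSAT) module on a domain-joined machine.
Import-Module ActiveDirectory

function Get-AzureAdDeviceRegistrationScp {
    [CmdletBinding()]
    param(
        # Well-known container name of the device registration SCP.
        [string]$ScpGuid = '62a0ff2e-97b9-4513-943f-0d221bd30080'
    )

    # Get-ADRootDSE exposes the configuration naming context of the forest.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$ScpGuid,CN=Device Registration Configuration,CN=Services,$configNc"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
        return [pscustomobject]@{
            DistinguishedName = $dn
            Exists            = $false
            TenantName        = $null
            TenantId          = $null
        }
    }

    $scp = [ADSI]"LDAP://$dn"
    # Keywords are stored as "azureADName:<verified domain>" and "azureADId:<tenant GUID>".
    $keywords   = @($scp.keywords)
    $tenantName = @($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
    $tenantId   = @($keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''

    [pscustomobject]@{
        DistinguishedName = $dn
        Exists            = $true
        TenantName        = ($tenantName -join ',')
        TenantId          = ($tenantId   -join ',')
    }
}

$scpInfo = Get-AzureAdDeviceRegistrationScp
$scpInfo | Format-List

# Fail loudly if the SCP is missing or the tenant ID is not a GUID: hybrid
# Azure AD join will not work until Initialize-ADSyncDomainJoinedComputerSync
# has been run on the Azure AD Connect server.
$g = [guid]::Empty
if (-not $scpInfo.Exists -or -not [guid]::TryParse($scpInfo.TenantId, [ref]$g)) {
    Write-Warning "Device registration SCP missing or incomplete at $($scpInfo.DistinguishedName)"
}
```

Run it on any domain-joined machine with RSAT; it needs only read access to the configuration partition, so no Azure AD Connect or Azure credentials are involved at this stage.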

Configure Azure Services
The Azure Services feature must be configured in SCCM if you want to enable co-management for computers already enrolled in Intune. If it is not configured, the following message appears when you create the co-management configuration:
Please ensure the proper prerequisites are installed
In the SCCM console, go to the Administration workspace and expand the Cloud Services node. Select Azure Services and click Configure Azure Services.

A wizard launches, enter the desired name and click Next.

Click Browse to create a new Web app and click Create in the window that appears.

Enter the application name and click Sign-in. Enter your Intune credentials and click OK. Leave the other fields unchanged.

In the wizard, click the Browse button to configure the Native Client app and click Create in the window that appears.

Enter the application name and click Sign-in. Enter your Intune credentials and click OK. Leave the other fields unchanged.

Validate the remaining windows without making any changes.

The applications then need their permissions granted in Azure. On devicemanagement.portal.azure.com, sign in as an Intune administrator. Click Azure Active Directory and then App registrations.

Click View all applications and then click Azure AD Discovery (the web app created above).

Click Settings and then Required permissions.

Click Grant Permissions and then Yes. This grants tenant-wide admin consent for the permissions the app requests, so review the list before confirming.

Back in the SCCM console, click the Administration workspace and expand the Cloud Services node. Select Azure Services and click Run Full Discovery Now. Click Yes to launch the discovery.

Check the SCCM logs (SMS_AZUREAD_DISCOVERY_AGENT.log on the site server) to confirm that the discovery completed without errors.

SCCM Configuration
In the SCCM console, under Administration, expand the Cloud Services node. Right-click Co-management and select Configure co-management.

A new wizard is displayed; click Sign-in and enter the Intune administrator credentials, then click Next.

From the Automatic enrollment in Intune drop-down list, select Pilot and click Next.

Configure the workloads to specify whether each one is managed by Intune or by System Center Configuration Manager. Workloads that stay on Configuration Manager continue to be managed by SCCM.

Create a device collection. This collection is used by the co-management feature to decide which devices are automatically enrolled in Intune. In the wizard, select the collection with the Browse button.

You can now finish the wizard. Then add the Windows 10 computers to the SCCM collection.
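The pilot collection can also be created and populated from the ConfigMgr PowerShell module instead of the console. The script below is an added example, not code from the original post: it assumes the console (and thus the module) is installed on the machine it runs on, uses the site code NIB from the ccmsetup line later in the post, and the collection name, the W10-PILOT name prefix and the device name W10-LAB-42 are illustrative. Because every member of this collection is auto-enrolled in Intune once the policy applies, the query rule is deliberately narrow.

```powershell
# Added example (not from the original post): create the pilot collection
# used by the co-management wizard with the ConfigMgr PowerShell module.
# Assumptions: the console (and thus the module) is installed on this host,
# the site code is NIB as in the ccmsetup line later in the post, and the
# collection name, name prefix and device name are illustrative.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'NIB:'

$collectionName = 'CoManagement Pilot'

if (-not (Get-CMDeviceCollection -Name $collectionName)) {
    # Limit to All Systems; evaluate membership on schedule and incrementally.
    New-CMDeviceCollection -Name $collectionName `
        -LimitingCollectionName 'All Systems' `
        -RefreshType Both | Out-Null
}

# Query rule: Windows 10 workstations with an SCCM client whose name carries
# the pilot prefix. Keeping this tight matters: every member is auto-enrolled
# in Intune once the co-management policy applies.
$wql = @'
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup,
       SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Workstation 10.0%"
  and SMS_R_System.Client = 1
  and SMS_R_System.Name like "W10-PILOT%"
'@

Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collectionName `
    -RuleName 'Windows 10 pilot clients' -QueryExpression $wql

# Direct rule for a single extra pilot device (hypothetical name).
$device = Get-CMDevice -Name 'W10-LAB-42'
if ($device) {
    Add-CMDeviceCollectionDirectMembershipRule -CollectionName $collectionName `
        -ResourceId $device.ResourceID
}

# Trigger a membership evaluation and show the resulting member count.
Invoke-CMCollectionUpdate -Name $collectionName
Get-CMDeviceCollection -Name $collectionName | Select-Object Name, MemberCount
```

Run this from a console-installed machine as a user with rights to create collections; the MemberCount will be 0 until the membership evaluation completes.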

Windows 10 with SCCM Client
The SCCM client has now been installed on the Windows 10 machine.

The computer is joined to the AD domain; we will now also join it to Azure AD. On the Windows 10 computer, open Settings.

Click Access work or school and then Connect.

Enter the user name and password.

The Azure AD join is now complete, and the computer appears in Azure AD.
Note: once the SCP is in place, hybrid Azure AD join happens automatically for domain-joined devices. Adding a work account manually through Connect additionally registers the device (Azure AD registered), a dual state that Microsoft recommends avoiding. Check the result with dsregcmd /status.
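To verify the join state from the client rather than from the portal, the following added example (mine, not from the original post) parses the output of dsregcmd /status and reports whether the device is domain joined, Azure AD joined, both (hybrid), and whether a work account was also added (WorkplaceJoined), i.e. the dual state mentioned above. The abridged dsregcmd output embedded in the script is constructed so it runs offline; on a real machine feed it the live command output as shown in the last comment.

```powershell
# Added example (not from the original post): read the device join state
# from "dsregcmd /status" and flag the dual state (hybrid Azure AD joined
# and additionally workplace joined through a manually added work account).
function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value" rows; section borders (+---, | ...)
        # do not start with a letter and are skipped.
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    $result
}

function Get-DeviceJoinState {
    param([hashtable]$Status)
    $domain    = $Status['DomainJoined']    -eq 'YES'
    $aad       = $Status['AzureAdJoined']   -eq 'YES'
    $workplace = $Status['WorkplaceJoined'] -eq 'YES'

    $state = if ($domain -and $aad) { 'Hybrid Azure AD joined' }
             elseif ($aad)          { 'Azure AD joined' }
             elseif ($domain)       { 'Domain joined only' }
             else                   { 'Not joined' }

    [pscustomobject]@{
        State           = $state
        DomainJoined    = $domain
        AzureAdJoined   = $aad
        WorkplaceJoined = $workplace
        TenantName      = $Status['TenantName']
        TenantId        = $Status['TenantId']
        # Hybrid joined AND a work account added via Settings > Connect.
        DualState       = ($domain -and $aad -and $workplace)
    }
}

# Constructed sample (abridged dsregcmd output) so the script runs offline.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : FORMATION
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : SMSBOOT
                  TenantId : 00000000-0000-0000-0000-000000000000
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : YES
'@ -split "`r?`n"

Get-DeviceJoinState -Status (ConvertFrom-DsregcmdStatus -Lines $sample)

# On a real machine, in the user's session:
# Get-DeviceJoinState -Status (ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status))
```

With the constructed sample the result is State = Hybrid Azure AD joined and DualState = True, which is exactly the situation to clean up (remove the work account under Access work or school) before relying on co-management.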


Windows 10 without SCCM Client
Configure the Cloud Distribution Point and Cloud Management Gateway first.
The root CA certificate must be deployed to the devices; this is done with Microsoft Intune. On a domain-joined workstation, open an MMC console and click Add/Remove Snap-in. Add the Certificates snap-in and select Computer account in the window that appears. Go to the Trusted Root Certification Authorities folder and export your root CA certificate.

Open the Azure portal (devicemanagement.portal.azure.com) and sign in with the Intune admin account. Click Device configuration and then Profiles. Click Create profile to create a new profile.

Enter the name of the profile and, in the Platform drop-down list, select Windows 10 and later. In Profile type, select Trusted certificate.
Select the root certificate exported previously and click OK.

Click the Create button to create the profile. The profile was assigned to all users and to a dynamic group (computers running Windows 10).

The SCCM client now has to be imported into Intune. First, retrieve the silent installation command line. In the SCCM console, expand the Cloud Services node, select Co-management and open the properties of the existing configuration.

On the Enablement tab click the copy button. Paste the silent installation line into Notepad and add the arguments /nocrlcheck and CCMHTTPSSTATE=31 (see below). The installation line is used later.

CCMSETUPCMD="/nocrlcheck /mp:https://NBONNET.CLOUDAPP.NET/CCM_Proxy_MutualAuth/720578523579 CCMHTTPSSTATE=31 CCMHOSTNAME=NBONNET.CLOUDAPP.NET/CCM_Proxy_MutualAuth/720578523579 SMSMP=https://SRV-SCCM.FORMATION.LOCAL SMSSiteCode=NIB AADTENANTID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx AADTENANTNAME=SMSBOOT AADCLIENTAPPID=9177fa1c-xxxx-xxxx-xxxx-xxxxxxxxxxxx AADRESOURCEURI=https://ConfigMgrService"
- /nocrlcheck: use this argument if you have not published your CRL on the Internet. It disables CRL checking on the client, so a revoked management point or CMG certificate would still be trusted; publishing the CRL is the better option.
- /mp: the download source; this requires the Cloud Management Gateway to be configured.
- CCMHTTPSSTATE=31: I needed to add this argument in my lab (without it the client failed to communicate with the server).
- CCMHOSTNAME: the name of the Internet-facing management point (here the CMG).
- SMSMP: the name of the local management point.
- SMSSiteCode: the code of the site the client is assigned to.
- AADTENANTID, AADTENANTNAME: the ID and name of your Azure AD tenant linked to Configuration Manager.
- AADCLIENTAPPID: the application ID of the Native Client app registered above.
- AADRESOURCEURI: the identifier URI of the Web app (server app) registered above.
For the CCMHTTPSSTATE=31 argument, see the TechNet blog post referenced here: TechNet blog link
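A typo in this line only shows up as a client that never registers, so it is worth checking before the MSI is uploaded to Intune. The script below is an added example (mine, not from the original post): it splits the CCMSETUPCMD value into ccmsetup switches (/name[:value]) and installation properties (KEY=VALUE), then checks that the properties listed above are present, that the two Azure AD identifiers are real GUIDs rather than the xxxx placeholders, that the site code has three characters, that /mp points at an https URL, and it warns when /nocrlcheck is present. The sample line is the post's line with placeholder GUIDs filled in; it assumes no argument value contains spaces.

```powershell
# Added example (not from the original post): parse the CCMSETUPCMD value
# before uploading the MSI to Intune and sanity-check the properties the post
# describes. The sample line is built from the post's line with placeholder
# GUIDs; values containing spaces are not expected (assumption).
function ConvertFrom-CcmSetupCmd {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Strip the CCMSETUPCMD="..." wrapper that the MSI property syntax adds.
    if ($CommandLine -match '^\s*CCMSETUPCMD=\s*"(?<inner>.*)"\s*$') {
        $CommandLine = $matches['inner']
    }

    $switches   = @{}   # /name[:value]  -> ccmsetup.exe switches
    $properties = @{}   # KEY=VALUE      -> client installation properties
    foreach ($token in ($CommandLine -split '\s+' | Where-Object { $_ })) {
        if ($token -match '^/(?<name>[^:]+)(?::(?<value>.*))?$') {
            $switches[$matches['name'].ToLower()] = $matches['value']
        }
        elseif ($token -match '^(?<key>[A-Za-z]\w*)=(?<value>.*)$') {
            $properties[$matches['key'].ToUpper()] = $matches['value']
        }
    }
    [pscustomobject]@{ Switches = $switches; Properties = $properties }
}

function Test-CcmSetupCmd {
    param([Parameter(Mandatory)]$Parsed)
    $errors   = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]
    $p = $Parsed.Properties
    $s = $Parsed.Switches

    foreach ($key in 'CCMHOSTNAME','SMSSITECODE','AADTENANTID','AADCLIENTAPPID','AADRESOURCEURI') {
        if (-not $p.ContainsKey($key)) { $errors.Add("missing property $key") }
    }
    foreach ($key in 'AADTENANTID','AADCLIENTAPPID') {
        $g = [guid]::Empty
        if ($p.ContainsKey($key) -and -not [guid]::TryParse($p[$key], [ref]$g)) {
            $errors.Add("$key is not a GUID (placeholder still in the line?)")
        }
    }
    if ($p.ContainsKey('SMSSITECODE') -and $p['SMSSITECODE'].Length -ne 3) {
        $errors.Add('SMSSITECODE must be three characters')
    }
    if ($s.ContainsKey('mp') -and $s['mp'] -notmatch '^https://') {
        $errors.Add('/mp must be an https URL when pointing at the CMG')
    }
    if ($s.ContainsKey('nocrlcheck')) {
        $warnings.Add('/nocrlcheck: CRL checking disabled, revoked MP/CMG certificates stay trusted')
    }
    [pscustomobject]@{
        IsValid  = ($errors.Count -eq 0)
        Errors   = $errors
        Warnings = $warnings
    }
}

# Constructed sample: the post's line with placeholder GUIDs filled in.
$ccmSetupCmd = 'CCMSETUPCMD="/nocrlcheck /mp:https://NBONNET.CLOUDAPP.NET/CCM_Proxy_MutualAuth/720578523579 CCMHTTPSSTATE=31 CCMHOSTNAME=NBONNET.CLOUDAPP.NET/CCM_Proxy_MutualAuth/720578523579 SMSMP=https://SRV-SCCM.FORMATION.LOCAL SMSSiteCode=NIB AADTENANTID=11111111-2222-3333-4444-555555555555 AADTENANTNAME=SMSBOOT AADCLIENTAPPID=9177fa1c-0000-0000-0000-000000000000 AADRESOURCEURI=https://ConfigMgrService"'

$parsed = ConvertFrom-CcmSetupCmd -CommandLine $ccmSetupCmd
$parsed.Properties.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
Test-CcmSetupCmd -Parsed $parsed
```

Paste the line copied from the console in place of the sample: with the xxxx placeholders still in it, the GUID checks fail and IsValid is False, which is the intended outcome.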
It is now possible to create a new application in Intune. From the portal, click Mobile apps then Apps. Click Add to add a new application.

In the App type drop-down list, select Line-of-business app and click Select file.

Select the ccmsetup.msi file in E:\InstallFolderSccm\bin\i386 and click OK.

On the App information tab, enter the description and publisher. Copy the silent installation line previously saved in Notepad and paste it into the Command-line arguments field. Click OK and then Add to add the application to Microsoft Intune.


Assign the application to a user group targeted by co-management.

The client computer must have a client authentication certificate to use HTTPS with SCCM. Request this certificate from the certification authority. Without this certificate, the SCCM client cannot be installed. After that you can join your Windows 10 computers to Azure AD.

The installation of the SCCM client is done, and the root CA certificate is also present.

The SCCM client is installed correctly; after it retrieves the policies, the software is shown in Software Center (if the administrator deployed software).

When I try to install the software, the computer downloads it from the Cloud Distribution Point.
