Co-management SCCM

Co-management for Windows 10 devices

Co-management can meet several requirements:

  • If you have a Microsoft 365 subscription and want to use the included Windows 10 licenses.

In both cases co-management must be used. In previous versions of Windows 10, it was impossible to join a machine to an Active Directory domain and also perform an Azure AD join. A choice had to be made between traditional management (joining an AD domain) and modern management (joining Azure AD).

With System Center Configuration Manager 1710, it is possible to manage Windows 10 1709 workstations with SCCM and Intune at the same time. This establishes a bridge between classical and modern management.


The prerequisites for activating co-management are as follows:

  • System Center Configuration Manager 1710
  • Azure AD
  • EMS/Intune license assigned to all users
  • MDM Authority set to Intune
  • Hybrid Azure AD join

The Intune platform must be configured. To do this, go to the Intune console (Azure portal), then in Azure Active Directory click Mobility (data management), then Microsoft Intune.

Co-management for Windows 10 devices - Configure Azure for manage device on Intune

In GDR User scope, click All and Save.

Co-management for Windows 10 devices - Configure autoenrollment

Configuring the Service Connection Point

The service connection point is used by devices at registration time to discover the Azure AD tenant information. First, retrieve the naming context of the domain.
To do this, run the PowerShell command Get-ADRootDSE.

Co-management for Windows 10 devices - Verify context

If the SCP (Service Connection Point) object has already been configured, it must be present in the following location:
CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration Naming Context].

However, if the object has not been configured, it must be created. First, the MSol PowerShell module must be installed.
On your Azure AD Connect server, run the following PowerShell commands:

  • Import the PowerShell module: Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
  • Enter the Azure AD credentials: $aadAdminCred = Get-Credential
  • Initialize AD Sync Domain Joined Computer Sync: Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [connector account name] -AzureADCredentials $aadAdminCred

Next, check that the configuration has been applied. To do this, run the following PowerShell commands:

  • $scp = New-Object System.DirectoryServices.DirectoryEntry
  • $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=formation,DC=local"
  • $scp.Keywords
Co-management for Windows 10 devices - Verify SCP
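
The same verification as a reusable check, added here as an example and not part of the original article: it builds the SCP path from Get-ADRootDSE instead of hard-coding DC=formation,DC=local, and compares the tenant ID stored in the keywords with the one you expect. It assumes the ActiveDirectory PowerShell module and the azureADName:/azureADId: keyword format; the function name and its parameter are hypothetical.

```powershell
# Added example (not from the original article).
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition.
Import-Module ActiveDirectory

function Test-DeviceRegistrationScp {   # hypothetical helper name
    param(
        # Tenant ID you expect devices to register against (supply your own).
        [Parameter(Mandatory)][guid]$ExpectedTenantId
    )

    # Build the SCP distinguished name from the forest's configuration naming context.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"

    try {
        $scp = Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop
    } catch {
        Write-Warning "SCP object not found or not readable: $scpDn"
        return $false
    }

    # keywords is multi-valued; entries look like "azureADName:<domain>" and "azureADId:<guid>".
    $kw = @{}
    foreach ($entry in $scp.keywords) {
        $name, $value = $entry -split ':', 2
        $kw[$name] = $value
    }

    if (-not $kw['azureADName'] -or -not $kw['azureADId']) {
        Write-Warning "SCP exists but the azureADName/azureADId keywords are incomplete."
        return $false
    }

    $found = [guid]::Empty
    if (-not [guid]::TryParse($kw['azureADId'], [ref]$found) -or $found -ne $ExpectedTenantId) {
        # A wrong tenant ID here makes domain-joined devices look up the wrong tenant.
        Write-Warning "SCP points at tenant '$($kw['azureADId'])', expected '$ExpectedTenantId'."
        return $false
    }

    Write-Host "SCP OK: $($kw['azureADName']) / $found"
    return $true
}
```

Call it with the tenant ID shown in your Azure AD properties; a `$false` result before co-management is enabled means devices would fail, or misdirect, their hybrid registration.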

Configure Azure Services

This feature must be configured in SCCM if you want to activate co-management on computers already enrolled in Intune. If it is not configured, the following message appears when creating co-management:

Please ensure the proper prerequisites are installed

In the SCCM console, go to the Administration tab and expand the Cloud Services node. Select Azure Services and click Configure Azure Services.

Co-management add azure services

A wizard launches, enter the desired name and click Next.


Click Browse to create a new Web app and click Create in the window that appears.

Co-management Select authentication

Enter the Application Name and click Sign in. Enter your Intune credentials and click OK. Do not touch the other fields.

Co-management configure application

In the wizard, click the Browse button to configure Native Client App and click Create in the window that appears.

Configure native application

Enter the Application Name and click Sign in. Enter your Intune credentials and click OK. Do not touch the other fields.

Co-management create application

Validate the different windows without making any changes.

Co-management Azure services has been configured

It is necessary to give permissions to applications in Azure. On, log in as an Intune administrator. Click Azure Active Directory and then click Application Registration.


Click View All Applications and then click Azure AD Discovery.

Application has been present on Azure

Click Settings, then Required permissions.

Click Grant Permissions, then Yes.

Co-management Grant permissions

In the SCCM console, click the Administration tab and expand the Cloud Services node. Select Azure Services and click Run Full Discovery Now. Click Yes to launch the discovery.

Co-management discovery

You can use the SCCM logs to confirm that the synchronization succeeded.

Co-management view log

SCCM Configuration

In the SCCM console, expand the Cloud Services node. Right-click CoManagement and select Configure co-management.

Co-management for Windows 10 devices - configure co-management

A new wizard is displayed. Click Sign in and enter the Intune administrator credentials. Click Next to validate the window.

SignIn Microsoft Intune

From the Automatic enrollment in Intune drop-down list, select Pilot and click Next.

Command line

Configure Workloads to specify management by Intune or System Center Configuration Manager.

Select level

Create a computer collection. This collection will be used by the co-management functionality. In the wizard select the collection with the Browse button.

You can now finish the wizard. You then need to add the Windows 10 computers to the SCCM collection.

Add device on collection

Windows 10 with SCCM Client

The SCCM Client has now been installed on the Windows 10 machine.

Sccm agent has updated

The computer is joined to the AD domain; we will now also join it to Azure AD. From the Windows 10 computer, open the Windows settings.

Configure hybrid ad join

Click Professional or School Access and then Connect.

Connect device

It is now necessary to enter the user name and password.

Connect to device

The Azure AD join is now complete, and the computer appears in Azure AD.

Connection is now ok
Device are on Azure

Windows 10 without SCCM Client

You need to configure the Cloud Distribution Point and the Cloud Management Gateway first.
The root CA certificate must be deployed to the devices. This will be done using Microsoft Intune. On a workstation joined to the domain, open the MMC console and click Add/Remove snap-in. Add Certificate and select Computer Certificate in the window that appears. Open the Trusted Root Certification Authorities folder, then export your root CA certificate.

Download certificates

Access the Azure portal, then log in using the Intune admin account. Click Device Configuration, then Profiles. Click Create Profiles to create a new profile.

Create rules on Intune

Enter the name of the desired profile and in the Platform drop-down list select Windows 10 and later. In Profile type, select Trusted certificate.

Select Root certificate previously exported and click on OK.

Profile on Intune

Click the Create button to create the new profile. The profile has been assigned to all users and to a dynamic group (computers running Windows 10).

Assign profile

The SCCM client must now be imported into Intune. As a first step, retrieve the silent installation command line. In the SCCM console, expand the Cloud Services node and double-click the entry shown there.

Co-management are present on SCCM

On the Enablement tab, click the Copy button. Paste the silent installation line into Notepad and add the arguments /nocrlcheck and CCMHTTPSSTATE=31 (see below). The installation line is used later.

Copy command line
CCMSETUPCMD="/nocrlcheck /mp:https://NBONNET.CLOUDAPP.NET/CCM_Proxy_MutualAuth/720578523579 CCMHTTPSSTATE=31 CCMHOSTNAME=NBONNET.CLOUDAPP.NET/CCM_Proxy_MutualAuth/720578523579 SMSMP=https://SRV-SCCM.FORMATION.LOCAL SMSSiteCode=NIB AADTENANTID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx AADTENANTNAME=SMSBOOT AADCLIENTAPPID=9177fa1c-xxxx-xxxx-xxxx-xxxxxxxxxxxx AADRESOURCEURI=https://ConfigMgrService"
  • /nocrlcheck : You can use this argument if you have not published your CRL to the internet; the client then skips the certificate revocation check.
  • /MP : Download source for the client. The Cloud Management Gateway must be configured.
  • CCMHTTPSSTATE=31 : I need to add this argument in my lab (without this argument, the client failed to communicate with the server).
  • CCMHOSTNAME : This argument contains the name of the Internet management point.
  • SMSMP : This argument contains the name of the local management point.
  • AADTENANTID, AADTENANTNAME : The ID and name of your Azure AD tenant, linked to Configuration Manager.

For the CCMHTTPSSTATE=31 argument, see below:
Technet blog link
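
A pre-flight check for this command line, added here as an example and not part of the original article: it flags /nocrlcheck, a non-HTTPS /mp, a /mp and CCMHOSTNAME that disagree (they match in the sample above), and Azure AD IDs still left as placeholders. The function name and the sample's host name, site code and GUIDs are constructed for illustration.

```powershell
# Added example (not from the original article): lint a ccmsetup line before pasting it into Intune.
function Test-CcmSetupCmd {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$CommandLine)

    # Drop the CCMSETUPCMD="..." wrapper, then split on whitespace.
    $inner  = $CommandLine.Trim() -replace '^CCMSETUPCMD\s*=\s*"?', '' -replace '"$', ''
    $tokens = @($inner -split '\s+' | Where-Object { $_ })

    $props = @{}       # NAME=value properties (hashtable keys are case-insensitive)
    $mp    = $null     # value of /mp:
    $noCrl = $false
    foreach ($t in $tokens) {
        if     ($t -match '^/mp:(.+)$')         { $mp = $Matches[1] }
        elseif ($t -ieq '/nocrlcheck')          { $noCrl = $true }
        elseif ($t -match '^([A-Za-z]+)=(.+)$') { $props[$Matches[1]] = $Matches[2] }
    }

    $findings = @()
    if ($noCrl) {
        $findings += 'WARN  /nocrlcheck: revocation checks are skipped; publish the CRL and drop this outside a lab'
    }
    if (-not $mp) { $findings += 'FAIL  /mp: is missing' }
    elseif ($mp -notmatch '^https://') { $findings += "FAIL  /mp is not HTTPS: $mp" }
    elseif ($props['CCMHOSTNAME'] -and $mp -ine "https://$($props['CCMHOSTNAME'])") {
        # Assumption taken from the page's sample, where both name the same endpoint.
        $findings += 'WARN  /mp and CCMHOSTNAME name different endpoints'
    }
    foreach ($name in 'CCMHOSTNAME', 'SMSSITECODE', 'AADTENANTID', 'AADCLIENTAPPID', 'AADRESOURCEURI') {
        if (-not $props.ContainsKey($name)) { $findings += "FAIL  $name is missing" }
    }
    $g = [guid]::Empty
    foreach ($name in 'AADTENANTID', 'AADCLIENTAPPID') {
        if ($props[$name] -and -not [guid]::TryParse($props[$name], [ref]$g)) {
            $findings += "FAIL  $name is not a GUID (placeholder left in?)"
        }
    }
    return $findings
}

# Constructed sample: host name, site code and GUIDs are placeholders, not real values.
$sample = 'CCMSETUPCMD="/nocrlcheck /mp:https://cmg.example.net/CCM_Proxy_MutualAuth/1 CCMHTTPSSTATE=31 CCMHOSTNAME=cmg.example.net/CCM_Proxy_MutualAuth/1 SMSSiteCode=ABC AADTENANTID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx AADCLIENTAPPID=11111111-2222-3333-4444-555555555555 AADRESOURCEURI=https://ConfigMgrService"'
Test-CcmSetupCmd -CommandLine $sample
```

On the constructed sample it reports the /nocrlcheck warning and the placeholder AADTENANTID; an empty result means none of these checks fired.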

It is now possible to create a new application in Intune. From the portal, click Mobile Apps then Apps. Click on Add to add new application.

Add Apps on Intune

In the App type drop-down list, select Line-of-business app and click on Select File.

Co-management import application on intune

Select the CCMSETUP MSI file located in E:\InstallFolderSccm\bin\i386 and click OK.

Import MSI file

Select the App Information tab and enter the Description and Publisher. Copy the silent installation line previously saved in Notepad and paste it into the Command Line Argument field. Click OK, then Add to add the application to Microsoft Intune.

Co-management command line

Assign the application to a user group affected by co-management.

Configure assignment

The client computer must have the certificate required to use the HTTPS protocol with SCCM. Request this certificate from the certification authority. Without this certificate, the SCCM client cannot be installed. After that you can join your Windows 10 computers to Azure AD.

Add professional account

The SCCM client installation is complete, and the root CA certificate is also present.

SCCM agent is installing
Co-management ca root has added

The SCCM client is correctly installed. After it retrieves the different policies, the software is present in the Software Center (if the administrator has deployed software).

Application has been present

If I try to install the software, the computer tries to download it from the Cloud Distribution Point.
