Co-management for Windows 10 devices – Configuration Manager

Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud. It helps you unlock additional cloud-powered capabilities like conditional access.

Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality. By using co-management, you have the flexibility to use the technology solution that works best for your organization.

When a Windows 10 device has the Configuration Manager client and is enrolled to Intune, you get the benefits of both services. You control which workloads, if any, you switch the authority from Configuration Manager to Intune. Configuration Manager continues to manage all other workloads, including those workloads that you don’t switch to Intune, and all other features of Configuration Manager that co-management doesn’t support.

You’re also able to pilot a workload with a separate collection of devices. Piloting allows you to test the Intune functionality with a subset of devices before switching a larger group.

Overview diagram of co-management

View the diagram at full size


When you concurrently manage Windows 10 devices with both Configuration Manager and Microsoft Intune, this configuration is called co-management. When you manage devices with Configuration Manager and enroll to a third-party MDM service, this configuration is called coexistence. Having two management authorities for a single device can be challenging if not properly orchestrated between the two. With co-management, Configuration Manager and Intune balance the workloads to make sure there are no conflicts. This interaction doesn’t exist with third-party services, so there are limitations with the management capabilities of coexistence. For more information, see Third-party MDM coexistence with Configuration Manager.

Paths to co-management

There are two main paths to reach to co-management:

  • Existing Configuration Manager clients: You have Windows 10 devices that are already Configuration Manager clients. You set up hybrid Azure AD, and enroll them into Intune.

  • New internet-based devices: You have new Windows 10 devices that join Azure AD and automatically enroll to Intune. You install the Configuration Manager client to reach a co-management state.

For more information on the paths, see Paths to co-management.


When you enroll existing Configuration Manager clients in co-management, you gain the following immediate value:

  • Conditional access with device compliance

  • Intune-based remote actions, for example: restart, remote control, or factory reset

  • Centralized visibility of device health

  • Link users, devices, and apps with Azure Active Directory (Azure AD)

  • Modern provisioning with Windows Autopilot

  • Remote actions

For more information on this immediate value from co-management, see the quickstarts series to Cloud connect with co-management.

Co-management also enables you to orchestrate with Intune for several workloads. For more information, see the Workloads section.


Co-management has these prerequisites in the following areas:


Configuration Manager

Co-management requires Configuration Manager version 1710 or later.

Starting in Configuration Manager version 1806, you can connect multiple Configuration Manager instances to a single Intune tenant.

Enabling co-management itself doesn’t require that you onboard your site with Azure AD. For the second path scenario, internet-based Configuration Manager clients require the cloud management gateway (CMG). The CMG requires the site is onboarded to Azure AD for cloud management.

Azure AD


Windows 10

Upgrade your devices to Windows 10, version 1709 or later. For more information, see Adopting Windows as a service.


Windows 10 mobile devices don’t support co-management.

Permissions and roles

Action Role needed
Set up a cloud management gateway in Configuration Manager Azure Subscription Manager
Create Azure AD apps from Configuration Manager Azure AD Global Administrator
Import Azure apps in Configuration Manager Configuration Manager Full Administrator
No additional Azure roles needed
Enable co-management in Configuration Manager An Azure AD user
Configuration Manager Full Administrator with All scope rights.

For more information about Azure roles, see Understand the different roles.

For more information about Configuration Manager roles, see Fundamentals of role-based administration.


You don’t have to switch the workloads, or you can do them individually when you’re ready. Configuration Manager continues to manage all other workloads, including those workloads that you don’t switch to Intune, and all other features of Configuration Manager that co-management doesn’t support.

Co-management supports the following workloads:

  • Compliance policies

  • Windows Update policies

  • Resource access policies

  • Endpoint Protection

  • Device configuration

  • Office Click-to-Run apps

  • Client apps

For more information, see Workloads.

Monitor co-management

The co-management dashboard helps you review machines that are co-managed in your environment. The graphs can help identify devices that might need attention.

Screenshot of the co-management dashboard

For more information, see How to monitor co-management.

Next steps

Source Article

Next Post

WATCH | Life throwing you lemons? Make ice cream: Retrenched chef starts business during lockdown

Tue Mar 23 , 2021
Maxine Wiehe, a chef in Johannesburg, decided to make her dream of owning her own ice-cream business a reality after being retrenched. A few months after opening her doors, mmmMoo’s Creamery is stocked in seven stores across Gauteng with the 125ml tubs retailing at R35. During the business’ busiest time, they […]