Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud. It helps you unlock additional cloud-powered capabilities like conditional access.
Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality. By using co-management, you have the flexibility to use the technology solution that works best for your organization.
When a Windows 10 device has the Configuration Manager client and is enrolled to Intune, you get the benefits of both services. You control which workloads, if any, you switch the authority from Configuration Manager to Intune. Configuration Manager continues to manage all other workloads, including those workloads that you don’t switch to Intune, and all other features of Configuration Manager that co-management doesn’t support.
You’re also able to pilot a workload with a separate collection of devices. Piloting allows you to test the Intune functionality with a subset of devices before switching a larger group.
View the diagram at full size
When you concurrently manage Windows 10 devices with both Configuration Manager and Microsoft Intune, this configuration is called co-management. When you manage devices with Configuration Manager and enroll to a third-party MDM service, this configuration is called coexistence. Having two management authorities for a single device can be challenging if not properly orchestrated between the two. With co-management, Configuration Manager and Intune balance the workloads to make sure there are no conflicts. This interaction doesn’t exist with third-party services, so there are limitations with the management capabilities of coexistence. For more information, see Third-party MDM coexistence with Configuration Manager.
Paths to co-management
There are two main paths to reach to co-management:
Existing Configuration Manager clients: You have Windows 10 devices that are already Configuration Manager clients. You set up hybrid Azure AD, and enroll them into Intune.
New internet-based devices: You have new Windows 10 devices that join Azure AD and automatically enroll to Intune. You install the Configuration Manager client to reach a co-management state.
For more information on the paths, see Paths to co-management.
When you enroll existing Configuration Manager clients in co-management, you gain the following immediate value:
Conditional access with device compliance
Intune-based remote actions, for example: restart, remote control, or factory reset
Centralized visibility of device health
Link users, devices, and apps with Azure Active Directory (Azure AD)
Modern provisioning with Windows Autopilot
For more information on this immediate value from co-management, see the quickstarts series to Cloud connect with co-management.
Co-management also enables you to orchestrate with Intune for several workloads. For more information, see the Workloads section.
Co-management has these prerequisites in the following areas:
Co-management requires Configuration Manager version 1710 or later.
Starting in Configuration Manager version 1806, you can connect multiple Configuration Manager instances to a single Intune tenant.
Enabling co-management itself doesn’t require that you onboard your site with Azure AD. For the second path scenario, internet-based Configuration Manager clients require the cloud management gateway (CMG). The CMG requires the site is onboarded to Azure AD for cloud management.
Upgrade your devices to Windows 10, version 1709 or later. For more information, see Adopting Windows as a service.
Windows 10 mobile devices don’t support co-management.
Permissions and roles
|Set up a cloud management gateway in Configuration Manager||Azure Subscription Manager|
|Create Azure AD apps from Configuration Manager||Azure AD Global Administrator|
|Import Azure apps in Configuration Manager||Configuration Manager Full Administrator
No additional Azure roles needed
|Enable co-management in Configuration Manager||An Azure AD user
Configuration Manager Full Administrator with All scope rights.
For more information about Azure roles, see Understand the different roles.
For more information about Configuration Manager roles, see Fundamentals of role-based administration.
You don’t have to switch the workloads, or you can do them individually when you’re ready. Configuration Manager continues to manage all other workloads, including those workloads that you don’t switch to Intune, and all other features of Configuration Manager that co-management doesn’t support.
Co-management supports the following workloads:
Windows Update policies
Resource access policies
Office Click-to-Run apps
For more information, see Workloads.
The co-management dashboard helps you review machines that are co-managed in your environment. The graphs can help identify devices that might need attention.
For more information, see How to monitor co-management.