How to take advantage of SCCM and Intune co-management

IT can combine Microsoft Intune and System Center Configuration Manager to manage users' mobile devices, as well as any legacy systems in its network.

With enterprise workforces becoming more mobile and distributed, IT teams have been transitioning at least part of their administrative workloads from System Center Configuration Manager to enterprise mobility management products, such as Microsoft Intune.

SCCM is systems management software for managing large groups of computers, including those running Microsoft Windows, Apple macOS, Linux and Unix. Administrators can use SCCM to distribute software, enforce security policies, monitor systems and more.

Intune is a cloud-based enterprise mobility management (EMM) service that uses a device's built-in mobile device management (MDM) capabilities to manage the device and its apps. In addition to mobile devices, administrators can use Intune to manage computers running Windows 10.

In the past, IT had to choose between SCCM and Intune to manage Windows computers. Activating the SCCM client on a Windows device automatically disabled any built-in MDM capabilities. Microsoft assumed that customers would migrate devices to Intune as a group, so there would be no need to permit simultaneous management.

Many organizations, however, required co-management capabilities. For example, an organization might still support Windows 7 computers, which require the SCCM client, or have invested in customized products that integrate extensively with SCCM, making an all-out move to an EMM platform impractical.

Figure: Updating software in SCCM

What IT needs is a way to bridge the old and new systems so it can move devices incrementally, taking a phased approach to EMM.

Bridge to modern management

Microsoft added co-management capabilities to the SCCM ecosystem to simplify the transition to Intune. As a result, IT can take incremental steps toward a modern management option, while still supporting its legacy systems.

Co-management delivers a bridge between SCCM and Intune, simplifying the process of moving administrative tasks, while minimizing the risks associated with such a move. Currently, co-management only applies to Intune, not other EMM products. Even so, co-management represents an important step toward easing the burden of transitioning to a modern management tool.

This phased approach is possible because of several important changes to Windows 10 and SCCM technologies. The first occurred when Microsoft released Windows 10 version 1607 -- the Anniversary Update. Prior to this release, IT could not join a Windows 10 computer to both on-premises Active Directory (AD) and Azure AD at the same time.

The next important change came with Windows 10 version 1709 -- the Fall Creators Update. With the new release, the SCCM client could run on a device without the MDM capabilities being disabled, making it possible for SCCM and Intune to manage a Windows 10 device at the same time. Shortly after the update, Microsoft released SCCM version 1710, which included the features necessary for co-management.

Figure: Microsoft Intune's web interface

Together, these changes enable administrators to designate which management workloads SCCM should handle and which workloads Intune should handle. For example, IT can continue to use SCCM to distribute software and manage security, but use Intune to control Windows 10 update policies and resource access policies.

Migrating workloads to Intune

Administrators can use the co-management features for Windows 10 computers whether they manage the devices with SCCM, Intune or another product. Regardless, IT must install the SCCM client on each device. In addition, IT must concurrently join all co-managed clients to on-premises AD and Azure AD and register them as managed devices for both SCCM and Intune.

After IT enables the clients for co-management, administrators can use the SCCM management portal to configure which workloads to move to Intune. SCCM supports three co-management workloads, with each workload tied to a specific set of policies:

  • Compliance policies determine the rules and settings with which a device must comply.
  • Resource access policies configure a device's VPN, Wi-Fi, email and certificate access settings.
  • Windows Update policies control updates for Windows devices managed by Windows Update for Business.

For each workload, administrators can choose from three options to manage policies. The default option specifies that SCCM should manage the policies. The second option sets up a pilot for testing policy management in Intune. Administrators can designate which client devices participate in the pilot. The third option specifies that Intune should manage all the client devices for the selected workload.
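The prerequisites above (SCCM client installed, device joined to both on-premises AD and Azure AD, device enrolled in Intune) are the things that most often go wrong when a pilot device silently stays under SCCM-only management. The following PowerShell script is an added example, not code from the article or from Microsoft, that checks each prerequisite on a Windows 10 device and reports the raw co-management state the SCCM client records. It assumes an elevated session on the device itself; dsregcmd.exe ships with Windows 10, the SCCM client service is CcmExec, Intune enrollments carry the ProviderID "MS DM Server" under HKLM\SOFTWARE\Microsoft\Enrollments, and the CoManagementFlags value under HKLM\SOFTWARE\Microsoft\CCM\CoManagementHandler is the location this example assumes the client uses to store its co-management state (the value is reported as-is, not decoded).

```powershell
# Added example: pre-flight check for SCCM/Intune co-management on a Windows 10 device.
# Run in an elevated PowerShell session on the device being assessed.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of 'dsregcmd /status' into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-IntuneEnrollment {
    # Windows records each MDM enrollment as a GUID-named subkey; Intune's ProviderID is "MS DM Server".
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $base)) { return $null }
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object -First 1
}

function Get-CoManagementFlags {
    # Assumed location: the SCCM client stores its co-management state here once it is enabled.
    $key = 'HKLM:\SOFTWARE\Microsoft\CCM\CoManagementHandler'
    $item = Get-ItemProperty -Path $key -Name CoManagementFlags -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.CoManagementFlags
}

function Test-CoManagementReadiness {
    $dsreg   = Get-DsregStatus
    $ccmSvc  = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    $enroll  = Get-IntuneEnrollment
    $flags   = Get-CoManagementFlags

    # Each check maps to one prerequisite from the article.
    $checks = @(
        [pscustomobject]@{ Check = 'Joined to on-premises AD';      Passed = ($dsreg['DomainJoined']  -eq 'YES'); Detail = "DomainJoined=$($dsreg['DomainJoined'])" }
        [pscustomobject]@{ Check = 'Joined to Azure AD';            Passed = ($dsreg['AzureAdJoined'] -eq 'YES'); Detail = "AzureAdJoined=$($dsreg['AzureAdJoined'])" }
        [pscustomobject]@{ Check = 'SCCM client service running';   Passed = ($null -ne $ccmSvc -and $ccmSvc.Status -eq 'Running'); Detail = "CcmExec=$(if ($ccmSvc) { $ccmSvc.Status } else { 'not installed' })" }
        [pscustomobject]@{ Check = 'Enrolled in Intune (MDM)';      Passed = ($null -ne $enroll); Detail = "Enrollment=$(if ($enroll) { $enroll.PSChildName } else { 'none' })" }
        [pscustomobject]@{ Check = 'Co-management state recorded';  Passed = ($null -ne $flags); Detail = "CoManagementFlags=$(if ($null -ne $flags) { $flags } else { 'absent' })" }
    )

    $checks | Format-Table -AutoSize
    # Overall verdict: all prerequisites must hold before a device can be placed in an Intune pilot.
    $ready = -not ($checks | Where-Object { -not $_.Passed })
    Write-Output ("Ready for co-management: {0}" -f $ready)
    return $ready
}

Test-CoManagementReadiness
```

A device that reports Joined to Azure AD = False is the common case behind "the pilot policy never arrived": the hybrid join (Windows 10 1607 or later) has to complete before Intune can see the device at all. Treat a missing CoManagementFlags value as "co-management not yet enabled for this client" rather than as an error; it is only expected after the client has received the co-management policy from SCCM.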

Microsoft has suggested that additional co-management workloads will eventually be available, but the company has provided no official details on what to expect or when. Even so, it seems inevitable that Microsoft will continue on this trajectory.

SCCM and Intune co-management

The three workloads might represent only a small step toward co-managing Windows 10 computers, but it's important nonetheless. Organizations that have been locked into SCCM might finally be able to move out from under its mammoth shadow without putting their current systems at risk.

The question remains whether Microsoft will open up these co-management features to third-party EMM products so they too can benefit from phased migrations.
