- Article
Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud. It helps you unlock more cloud-powered capabilities like conditional access.
Co-management enables you to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality. By using co-management, you have the flexibility to use the technology solution that works best for your organization.
When a Windows device has the Configuration Manager client and is enrolled to Intune, you get the benefits of both services. You control which workloads, if any, you switch the authority from Configuration Manager to Intune. Configuration Manager continues to manage all other workloads, including those workloads that you don't switch to Intune, and all other features of Configuration Manager that co-management doesn't support.
You're also able to pilot a workload with a separate collection of devices. Piloting allows you to test the Intune functionality with a subset of devices before switching a larger group.
Note
When you concurrently manage devices with both Configuration Manager and Microsoft Intune, this configuration is called co-management. When you manage devices with Configuration Manager and enroll to a third-party MDM service, this configuration is called coexistence. Having two management authorities for a single device can be challenging if not properly orchestrated between the two. With co-management, Configuration Manager and Intune balance the workloads to make sure there are no conflicts. This interaction doesn't exist with third-party services, so there are limitations with the management capabilities of coexistence. For more information, see Third-party MDM coexistence with Configuration Manager.
Paths to co-management
There are two main paths to reach to co-management:
Existing Configuration Manager clients: You have Windows 10 or later devices that are already Configuration Manager clients. You set up hybrid Microsoft Entra ID, and enroll them into Intune.
New internet-based devices: You have new Windows 10 or later devices that join Microsoft Entra ID and automatically enroll to Intune. You install the Configuration Manager client to reach a co-management state.
For more information on the paths, see Paths to co-management.
Benefits
When you enroll existing Configuration Manager clients in co-management, you gain the following immediate value:
Conditional access with device compliance
Intune-based remote actions, for example: restart, remote control, or factory reset
Centralized visibility of device health
Link users, devices, and apps with Microsoft Entra ID
Modern provisioning with Windows Autopilot
Remote actions
For more information on this immediate value from co-management, see the quickstarts series to Cloud connect with co-management.
Co-management also enables you to orchestrate with Intune for several workloads. For more information, see the Workloads section.
Note
Co-management by itself isn't a solution to manage remotely connected Windows systems. The Configuration Manager client still needs to communicate with its assigned site. To manage remotely connected Windows systems with Configuration Manager, enable a cloud management gateway (CMG). A CMG isn't required for co-management, and co-management isn't required with a CMG, but they can be used together.
Prerequisites
Co-management has these prerequisites in the following areas:
- Licensing
- Configuration Manager
- Microsoft Entra ID (Microsoft Entra ID)
- Microsoft Intune
- Windows
- Permissions and roles
Licensing
Microsoft Entra ID P1 or P2
Note
An Enterprise Mobility + Security (EMS) subscription includes both Microsoft Entra ID P1 or P2 and Microsoft Intune.
At least one Intune license for you as the administrator to access the Microsoft Intune admin center.
Tip
Make sure you assign an Intune license to the account that you use to sign in to your tenant. Otherwise, sign in fails with the error message An unanticipated error occurred.
You may not need to purchase and assign individual Intune or EMS licenses to your users. For more information, see the Product and licensing FAQ.
Configuration Manager
Co-management requires a supported version of Configuration Manager current branch.
You can connect multiple Configuration Manager instances to a single Intune tenant.
Enabling co-management itself doesn't require that you onboard your site with Microsoft Entra ID. For the second path scenario, internet-based Configuration Manager clients require the cloud management gateway (CMG). The CMG requires the site is onboarded to Microsoft Entra ID for cloud management.
Microsoft Entra ID
Windows devices must be connected to Microsoft Entra ID. They can be either of the following types:
Microsoft Entra hybrid joined, where the device is joined to your on-premises Active Directory and registered with your Microsoft Entra ID.
Note
Devices that are only registered with Microsoft Entra ID aren't supported with co-management. This configuration is sometimes referred to as workplace joined. They need to be either joined to Microsoft Entra ID or Microsoft Entra hybrid joined. For more information, see Handling devices with Microsoft Entra registered state.
Microsoft Entra joined only. This type is sometimes referred to as cloud domain-joined.)
Tip
As we talk with our customers that are using Microsoft Intune to deploy, manage, and secure their client devices, we often get questions regarding co-managing devices and Microsoft Entra hybrid joined devices. Many customers confuse these two topics. Co-management is a management option, while Microsoft Entra ID is an identity option. For more information, see Understanding hybrid Microsoft Entra ID and co-management scenarios. This blog post aims to clarify Microsoft Entra hybrid join and co-management, how they work together, but aren't the same thing.
Intune
Set up Intune
Enable Windows automatic enrollment
Windows
Update your devices to a supported version of Windows 11 or Windows 10. For more information, see Adopting Windows as a service.
Permissions and roles
| Action | Role needed |
|---|---|
| Set up a cloud management gateway in Configuration Manager | Azure Subscription Manager |
| Create Microsoft Entra apps from Configuration Manager | Microsoft Entra ID Global Administrator |
| Import Azure apps in Configuration Manager | Configuration Manager Full Administrator No other Azure roles needed |
| Enable co-management in Configuration Manager | A Microsoft Entra user Configuration Manager Full Administrator with All scope rights. |
For more information about Azure roles, see Understand the different roles.
For more information about Configuration Manager roles, see Fundamentals of role-based administration.
Workloads
You don't have to switch the workloads, or you can do them individually when you're ready. Configuration Manager continues to manage all other workloads, including those workloads that you don't switch to Intune, and all other features of Configuration Manager that co-management doesn't support.
Co-management supports the following workloads:
Compliance policies
Windows Update policies
Resource access policies
Endpoint Protection
Device configuration
Office Click-to-Run apps
Client apps
For more information, see Workloads.
Monitor co-management
The co-management dashboard helps you review machines that are co-managed in your environment. The graphs can help identify devices that might need attention.
For more information, see How to monitor co-management.
Next steps
Learn more about immediate value and getting started with co-management
Tutorial: Enable co-management for existing Configuration Manager clients
