Microsoft System Center Configuration Manager (SCCM) is a systems management tool that primarily manages on-prem Windows devices. Meanwhile, Intune boasts a cloud-native architecture that simplifies managing hybrid and remote Windows, iOS, Android, and macOS environments.
Combining them lets an organization keep SCCM's on-prem depth while adopting Intune's cloud features, instead of choosing one over the other. This guide discusses co-management with SCCM and Intune, a hybrid approach to device management.
Configure co-management between SCCM and Intune
Originally, SCCM supported only on-prem environments, which limited cloud scalability. However, its co-management integration with Intune enables organizations to bridge on-prem infrastructure with modern, cloud-based management.
Co-management allows simultaneous endpoint management using SCCM’s deep on-prem features and Intune’s cloud-native capabilities. This provides a gradual transition to modern cloud-based management, like remote actions and conditional access, without abandoning an existing SCCM environment.
📌 Prerequisites:
- SCCM Current branch version 1710 or later
- Cloud Management Gateway is optional but recommended.
- Microsoft Entra ID (P1 or P2 license)
- Automatic MDM enrollment for Windows enabled in the Microsoft Intune admin center
- Microsoft Entra Connect (formerly Azure AD Connect) syncing on-prem AD computer objects to Entra ID for hybrid join
- Admin access to Configuration Manager
- Intune license and access to the Microsoft Intune admin center
- Windows 10/11 Pro, Enterprise, or Education devices
📌 Recommended deployment strategies:
Enrollment method 1: Enable co-management via the Configuration Manager Console (SCCM)
📌 Use Case: Administrators can enroll SCCM-managed clients into Intune via the Configuration Manager console, avoiding the need for reimaging or re-enrollment.
⚠️ Warning: It’s important to first test co-management on a pilot group before integrating all SCCM devices into Intune. (See ⚠️ Things to look out for.)
📌 Prerequisite: Configuration Manager, current branch 2111 or later
- Press Win + S, type Configuration Manager, right-click, and select Run as administrator.
- Go to Administration > Cloud services > Cloud Attach.
- Right-click Cloud Attach, then select Configure Cloud Attach.
- Press the drop-down bar beside Azure environment, then select the appropriate version:
- AzurePublicCloud
- AzureUSGovernmentCloud
- AzureChinaCloud
- 💡 AzureChinaCloud doesn’t support Endpoint analytics and device upload to the Microsoft Intune admin center.
- Press Sign in, then log in with your Intune administrator account.
- Click the radio button beside the Cloud attach settings that reflect your enrollment preference:
- Use default settings (recommended).
- Automatically enrolls all eligible SCCM devices into Intune.
- Turns on Endpoint analytics for the target devices.
- Automatically uploads all devices to the Microsoft Intune admin center and uploads Microsoft Defender for Endpoint data.
- Customize settings.
- Allows custom enablement of the options under default settings.
- If you choose Customize settings, confirm the Create AAD application prompt and do the following steps:
- Choose whether to upload all devices managed by Microsoft Configuration Manager or a specific device collection.
- To enable the setting, select the checkbox beside Endpoint Analytics, Role-based Access Control, and Microsoft Defender for Endpoint.
- Select Next to proceed to the Enablement step, then select which group of devices will automatically enroll in Intune.
- All: automatically uploads all eligible devices to Intune.
- Pilot: allows the administrator to browse a specific collection as a pilot group for testing.
- None: disables co-management for all devices.
- Finish the Cloud Attach Configuration Wizard steps by pressing Next until the Completion tab, then press Close.
Enrollment method 2: Auto-enrollment via GPO for Hybrid Azure AD Devices
📌 Use Case: Administrators handling SCCM-managed on-prem devices that are hybrid Entra (Azure AD) joined can enroll the devices centrally via GPO.
📌 Prerequisites:
- Windows 10 version 1709 or later
- Hybrid Azure AD-joined SCCM devices
- Enabled auto-enrollment in the Microsoft Intune admin center
- WinRM and PowerShell remoting (optional; only needed to refresh Group Policy remotely)
⚠️ Important: GPO misconfiguration for automatic enrollment causes partial join states or failed enrollments to Intune. (See ⚠️ Things to look out for.)
- Open the Group Policy Management Console.
- Right-click Group Policy Objects, press New, and name the GPO.
- E.g., Hybrid Azure AD Auto Enrollment
- Right-click the newly created GPO and select Edit.
- Navigate the following path:
Computer Configuration > Policies > Administrative Templates > Windows Components > MDM
- Double-click Enable automatic MDM enrollment using default Azure AD credentials and set the policy to Enabled.
- Press the drop-down menu beside Select Credential Type to Use and select User Credential. This is the option documented for co-management auto-enrollment; the signed-in user must be an Entra ID user with an Intune license.
- Press Apply and OK to apply the policy configuration, then close the policy window.
- Right-click the target OU, select Link an Existing GPO…, click the auto-enrollment GPO under Group Policy objects, and press OK.
- To apply the change immediately instead of waiting for the next policy refresh, run the following in an elevated PowerShell session on a machine that has the ActiveDirectory module and PowerShell remoting to the targets:
Import-Module ActiveDirectory
# Refresh Group Policy on every computer in the target OU. Errors for unreachable hosts are shown
# rather than suppressed, so failed refreshes are visible before enrollment is expected.
Get-ADComputer -SearchBase "OU=Workstations,DC=yourdomain,DC=com" -Filter * |
    ForEach-Object {
        Invoke-Command -ComputerName $_.Name -ScriptBlock { gpupdate /force } -ErrorAction Continue
    }
- Replace "OU=Workstations,DC=yourdomain,DC=com" with the Distinguished Name (DN) of your target OU.
Validation method 1: Command-line troubleshooting with dsregcmd
📌 Use Cases: After auto-enrolling a device in Intune via Hybrid Azure AD Join, administrators can use dsregcmd to verify its co-management status. Administrators can also use this as a diagnostic method for partial or failed Intune device enrollment.
📌 Prerequisites: Co-management enrolled device.
- Press Win + R, type cmd, then select OK.
- Enter the following command:
dsregcmd.exe /status
- Look for the following entries and verify their values (dsregcmd prints them as Name : Value pairs; user-specific entries such as AzureAdPrt reflect the account running the command):
| Setting | What the setting means | What the status must be |
|---|---|---|
| AzureAdJoined | Confirms the device is joined to Entra ID; a hybrid-joined device also shows DomainJoined : YES | YES |
| AzureAdPrt | Confirms the signed-in user holds a Primary Refresh Token, which the User Credential auto-enrollment path relies on | YES |
| MdmUrl | Shows the MDM discovery endpoint configured for the tenant | Must be an Intune URL, for example https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc |
| DeviceAuthStatus | Confirms the device can authenticate to Entra ID | SUCCESS |
- If any of these reads otherwise (for example AzureAdJoined : NO, or an empty MdmUrl), the device cannot complete Intune enrollment, and co-management will not be established until that is fixed.
Validation method 2: Navigate Registry keys for co-management status
📌 Use Cases: After enrolling an SCCM device to Intune, you can check its co-management status via the Registry Editor.
📌 Prerequisites:
- Co-management enrolled device.
- Windows 10, version 1607 or later.
💡 Note: This section is strictly for validating a device’s MDM enrollment and co-management status using the Registry. Changing values inside the Registry can cause instability and broken device functionality.
- Press Win + R, type regedit, then select OK.
- Navigate the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments
- Expand the GUID subkeys inside Enrollments and look for values that indicate MDM enrollment status.
- DiscoveryServiceFullURL: Contains the URL for Intune enrollment.
- UPN: Specifies the user’s Azure AD identity used for enrollment.
- EnrollmentType: Indicates MDM enrollment, usually set at 6.
- EnrollmentID: the unique ID of the enrollment. The GUID subkey name itself is that ID; the same GUID appears in the scheduled task folder \Microsoft\Windows\EnterpriseMgmt\<GUID> that runs MDM sync for the enrollment.
- After, go to the following path to verify the device’s co-management status.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DeviceManageabilityCSP\CoManagement
- Look for the following DWORD (32-bit) values:
- CoManagementEligible = 1: States that the device is suitable for co-management.
- CoManagementConfigured = 1: Co-management is active on the device.
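The dsregcmd check in Validation method 1 and the two registry walks in Validation method 2 can be run together. The following script is an added example written for this guide, not code shipped with Configuration Manager, Intune, or NinjaOne. It assumes it is run in PowerShell on the device itself, as the hybrid-joined user whose account was used for enrollment; that the registry paths are the ones cited above; and that the policy values AutoEnrollMDM and UseAADCredentialType under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM are what the GPO from Enrollment method 2 writes (1 = User Credential). The function names Get-DsregStatus, Get-MdmEnrollment and Test-CoManagementState are chosen here.

```powershell
# Added example (not from the original guide): device-side co-management validation that
# automates Validation methods 1 and 2 and confirms the auto-enrollment GPO was applied.

function Get-DsregStatus {
    # Parse the "Name : Value" lines printed by dsregcmd /status into a hashtable.
    # PowerShell hashtables are case-insensitive, so AzureAdJoined and AzureADJoined both work.
    $status = @{}
    foreach ($line in (& "$env:SystemRoot\System32\dsregcmd.exe" /status)) {
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-MdmEnrollment {
    # Enumerate HKLM\SOFTWARE\Microsoft\Enrollments\<GUID> and keep only subkeys that carry an
    # MDM discovery URL. The GUID subkey name is the enrollment ID.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{?[0-9A-Fa-f-]{36}\}?$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DiscoveryServiceFullURL) {
                [pscustomobject]@{
                    EnrollmentId = $_.PSChildName
                    Type         = $p.EnrollmentType
                    Upn          = $p.UPN
                    Discovery    = $p.DiscoveryServiceFullURL
                }
            }
        }
}

function Test-CoManagementState {
    $checks = [ordered]@{}
    $ds = Get-DsregStatus

    # Validation method 1: identity and MDM wiring reported by dsregcmd.
    # The MdmUrl pattern assumes the public cloud; sovereign clouds use other hostnames.
    $checks['AzureAdJoined']    = ($ds['AzureAdJoined'] -eq 'YES')
    $checks['DomainJoined']     = ($ds['DomainJoined'] -eq 'YES')      # hybrid join needs both
    $checks['AzureAdPrt']       = ($ds['AzureAdPrt'] -eq 'YES')        # needed for User Credential enrollment
    $checks['MdmUrl']           = ($ds['MdmUrl'] -match 'manage\.microsoft\.com')
    $checks['DeviceAuthStatus'] = ($ds['DeviceAuthStatus'] -eq 'SUCCESS')

    # Enrollment method 2: policy values written by the auto-enrollment GPO (assumption, see lead-in).
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $checks['AutoEnrollMdmPolicy'] = ($pol.AutoEnrollMDM -eq 1)
    $checks['UserCredentialType']  = ($pol.UseAADCredentialType -eq 1)

    # Validation method 2: exactly one Intune enrollment (more than one is the
    # "multiple MDM" conflict described later), plus the co-management flags.
    $enrollments = @(Get-MdmEnrollment | Where-Object { $_.Discovery -match 'manage\.microsoft\.com' })
    $checks['SingleIntuneEnrollment'] = ($enrollments.Count -eq 1)

    $cm = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\DeviceManageabilityCSP\CoManagement' -ErrorAction SilentlyContinue
    $checks['CoManagementEligible']   = ($cm.CoManagementEligible -eq 1)
    $checks['CoManagementConfigured'] = ($cm.CoManagementConfigured -eq 1)

    [pscustomobject]@{
        Checks      = $checks
        Enrollments = $enrollments
        Healthy     = -not (@($checks.Values) -contains $false)
    }
}

$result = Test-CoManagementState
$result.Checks.GetEnumerator() | Format-Table Key, Value -AutoSize
$result.Enrollments | Format-Table -AutoSize
if (-not $result.Healthy) { Write-Warning 'One or more co-management checks failed; see the table above.' }
```

A device that passes every row but SingleIntuneEnrollment has a stale enrollment alongside the live one and should be handled as described under Multiple MDM conflicts below, rather than re-enrolled on top of it.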
Validation method 3: Co-management status verification and management of workload settings via PowerShell
📌 Use Cases: Administrators can use PowerShell to validate co-management status and manage the workload settings of devices.
📌 Prerequisites:
- Configuration Manager PowerShell module
- Access to Microsoft Graph Intune PowerShell SDK
- Co-management supported device
⚠️ Important: Precise cmdlet input and script syntax are required when working with the PowerShell prompt. (See ⚠️ Things to look out for.)
- Open the Configuration Manager Console.
- Open the menu from the arrow in the upper-left corner of the console and select Connect via Windows PowerShell.
- Enter the cmdlet below to check the global co-management configuration for the entire SCCM environment:
Get-CMCoManagementConfiguration
- This cmdlet shows if co-management is configured, what workloads are managed by Intune, and the method used for enrollment.
- You can also configure co-management settings from the same session. Cmdlet names and parameters differ between console builds, so first list what your module exposes with Get-Command -Module ConfigurationManager -Noun 'CMCoManagement*' and check Get-Help for the parameters before relying on the example below.
- For example, this command pilots co-management in a test group:
Set-CMCoManagementPolicy -PolicyName "CoMgmtPolicy01" -AutoEnroll $true -PilotCollectionName "CoMgmtPilot" -Workloads "CompliancePolicy","WindowsUpdate"
- To verify Intune-enrolled devices, open an elevated PowerShell Prompt and execute the following commands separately:
- To install the required PowerShell module (this is the older Intune PowerShell SDK; the actively maintained alternative is the Microsoft.Graph module, whose equivalents are Connect-MgGraph and Get-MgDeviceManagementManagedDevice):
Install-Module Microsoft.Graph.Intune
- Skip this step if the module is already installed.
- After installing, connect to the Graph by entering the following:
Connect-MSGraph
- You will be prompted to sign in using your admin account.
- Execute the following cmdlet to get a view of your Intune devices:
Get-IntuneManagedDevice
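The listing above shows every device; what an administrator usually wants is which Windows devices Intune actually sees as co-managed and which are still SCCM-only. The following added example (not from the original guide, the Intune SDK, or NinjaOne) does that with the maintained Microsoft.Graph module, classifying each device from its managementAgent value. It assumes Microsoft.Graph is installed (Install-Module Microsoft.Graph), that the signing-in admin can consent to DeviceManagementManagedDevices.Read.All, and that Get-CoManagedDeviceReport is a name chosen here.

```powershell
# Added example (not from the original guide): tenant-side view of co-management coverage.
# Requires: Install-Module Microsoft.Graph (assumed installed).

function Get-CoManagedDeviceReport {
    # Interactive sign-in; the scope is read-only on managed devices.
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

    # Only Windows devices can be co-managed, so filter server-side.
    $devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All

    foreach ($d in $devices) {
        # managementAgent values: configurationManagerClientMdm / ...MdmEas = ConfigMgr client plus
        # Intune MDM (co-managed); configurationManagerClient = SCCM-only; mdm = Intune-only.
        $state = switch -Wildcard ($d.ManagementAgent) {
            'configurationManagerClientMdm*' { 'Co-managed' }
            'configurationManagerClient'     { 'SCCM-only' }
            'mdm'                            { 'Intune-only' }
            default                          { 'Other' }
        }
        [pscustomobject]@{
            DeviceName      = $d.DeviceName
            ManagementAgent = $d.ManagementAgent
            State           = $state
            LastSync        = $d.LastSyncDateTime
            Upn             = $d.UserPrincipalName
        }
    }
}

$report = Get-CoManagedDeviceReport

# Coverage summary for the tenant.
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize

# Devices the ConfigMgr client reports but that never completed Intune enrollment:
# candidates for the dsregcmd and registry checks in Validation methods 1 and 2.
$report | Where-Object State -eq 'SCCM-only' | Sort-Object LastSync | Format-Table -AutoSize
```

Devices that show as Intune-only here while the Configuration Manager console still lists them are worth checking for a broken or uninstalled client rather than an enrollment problem.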
⚠️ Things to look out for
| Risks | Potential consequences | How to avoid or reverse |
|---|---|---|
| Enrolling all SCCM devices in Intune at once. | Enabling co-management without planning the workload shift can produce policy conflicts and inconsistent device behavior. | Test on a small, low-risk pilot collection first, confirm consistent behavior, then move workloads to Intune gradually. |
| GPO misconfiguration. | A misconfigured auto-enrollment policy leads to partial or failed join states and breaks enrollment. | Confirm the target devices are hybrid Entra joined and review the GPO settings on a test machine before linking the GPO to a production OU. |
| Multiple MDM enrollments. | Overlapping MDM enrollments conflict with each other and break co-management functionality. | Remove the stale enrollment, decide which workloads SCCM and Intune each own, then re-enroll through one of the enrollment methods above. |
| Rolling back from co-management to an SCCM-only environment. | Settings Intune applied can remain on the device and interfere with SCCM workload control. | Move the workloads assigned to Intune back to Configuration Manager first, then retire the device from Intune. |
| Typographical errors in PowerShell scripts and cmdlets. | Typos and syntax errors cause failed commands or misconfiguration. | Review script syntax before running it, or copy the commands from this guide verbatim. |
Key considerations for SCCM and Intune co-management
Although co-management combines SCCM and Intune capabilities, it’s important to understand several factors that affect the feature’s functionality. The following key considerations discuss platform limitations and constraints that can affect co-management’s effectiveness under specific conditions.
Limitations of Device Enrollment Manager (DEM)
A Device Enrollment Manager (DEM) account lets administrators enroll many devices in Intune under one account, but an enrollment made that way does not carry the per-user identity that hybrid management relies on. Use hybrid Entra join with automatic enrollment instead, so each device enrolls under its own user or device identity and stays compatible with co-management.
Co-management is limited to Windows devices
Although Intune supports other operating systems, such as macOS and Linux, the Configuration Manager client is Windows-only, so co-management applies only to Windows devices.
Troubleshooting SCCM and Intune co-management issues
Issue #1: Device not enrolling in Intune
Intune enrollment most often fails because the user has no Intune license, the auto-enrollment GPO is not linked to the OU the device lives in (or has not applied yet), or the device never completed hybrid Entra join. Check all three (license assignment in the admin center, gpresult /r or the MDM policy values on the device, and dsregcmd /status) before looking elsewhere; all three must hold for automatic MDM enrollment to start.
Issue #2: SCCM and Intune conflicting policies
SCCM and Intune policies may conflict regarding the ownership of certain management areas, like Windows Updates and compliance policies. If left uncoordinated, this could lead to inconsistent behavior or failure in policy enforcement.
In co-management, workload sliders assign each management area to one authority, either Configuration Manager or Intune. Move the sliders for a pilot collection first and confirm the resulting behavior before applying the same configuration in production.
Issue #3: Configuration Manager is not showing as co-managed
If the Configuration Manager client doesn't report as co-managed, check CoManagementHandler.log on the device. It records whether the co-management policy was received, whether Intune enrollment was triggered, and any errors raised along the way. The file lives at C:\Windows\CCM\Logs\CoManagementHandler.log; open it in CMTrace or OneTrace and look for warning and error entries around the last policy evaluation.
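To pull the warnings and errors out of that log without opening CMTrace, the following added example (written for this guide, not part of the Configuration Manager client or NinjaOne) parses the CMTrace line format, in which type="1" is informational, type="2" a warning and type="3" an error. It assumes the default client log path cited above, constructs two sample lines to show the output, and uses Get-CMTraceEntry as a name chosen here.

```powershell
# Added example (not from the original guide): filter a CMTrace-format log to warnings and errors.

function Get-CMTraceEntry {
    param(
        [string]$Path = "$env:SystemRoot\CCM\Logs\CoManagementHandler.log",
        [int[]]$Type = @(2, 3)   # 1 = info, 2 = warning, 3 = error
    )
    # Each CMTrace line has the shape:
    # <![LOG[message]LOG]!><time="HH:mm:ss.fff+000" date="MM-dd-yyyy" component="..." context="" type="N" thread="..." file="...">
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*?type="(?<type>\d)"'

    Get-Content -Path $Path -ErrorAction Stop | ForEach-Object {
        if ($_ -match $pattern -and [int]$Matches.type -in $Type) {
            $level = switch ([int]$Matches.type) { 2 { 'Warning' } 3 { 'Error' } default { 'Info' } }
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = ($Matches.time -split '[+-]')[0]   # drop the UTC offset suffix
                Component = $Matches.comp
                Level     = $level
                Message   = $Matches.msg
            }
        }
    }
}

# Constructed sample lines (not real log output) to show what the parser keeps:
# the informational line is dropped, the error line is returned.
$sample = @(
    '<![LOG[Co-management policy received (sample line)]LOG]!><time="09:00:01.000+000" date="01-02-2024" component="CoManagementHandler" context="" type="1" thread="100" file="sample.cpp:10">',
    '<![LOG[Sample error entry: enrollment step did not complete]LOG]!><time="09:00:05.000+000" date="01-02-2024" component="CoManagementHandler" context="" type="3" thread="100" file="sample.cpp:20">'
)
$tmp = New-TemporaryFile
$sample | Set-Content -Path $tmp.FullName
Get-CMTraceEntry -Path $tmp.FullName | Format-Table -AutoSize -Wrap
Remove-Item $tmp.FullName

# Against the real log on a co-managed client:
# Get-CMTraceEntry | Format-Table -AutoSize -Wrap
```

CMTrace entries whose message spans several physical lines are only partially captured by a line-at-a-time regex; for those, the first line still carries the timestamp and type, which is enough to find the entry in CMTrace.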
Issue #4: Hybrid Azure AD Join fails
When Hybrid Azure AD join fails, the likely culprits are misconfigured or missing Service Connection Point (SCP) or incorrect Azure AD Connect sync settings.
You can validate these via PowerShell by entering the following commands:
- Enter the following to import the AD module:
Import-Module ActiveDirectory
- Enter the following to query the SCP object:
Get-ADObject -SearchBase "CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -Filter * -Properties keywords
- Replace yourdomain and com with your domain components.
- Afterward, the keywords property should list your Entra ID tenant name and tenant ID (entries of the form azureADName:yourdomain.com and azureADId:<tenant GUID>), which is what tells domain-joined devices to register with that tenant.
- If the keywords property is empty, the SCP may not have been configured during the Azure AD Connect setup.
- As a workaround, rerun Azure AD Connect > Configure device options, then enable Hybrid Azure AD join for the correct forest.
Using NinjaOne to support co-management workloads
While co-management provides granular on-prem and remote control over endpoint workloads, NinjaOne can enhance this setup through the following features:
| NinjaOne service | Definition | How it helps co-management workloads |
|---|---|---|
| Cross-platform visibility | Cross-platform visibility allows administrators to manage endpoints running different operating systems from a single console. | NinjaOne provides single-pane-of-glass endpoint monitoring and management for co-managed environments. |
| Active Directory user management | Administrators typically manage Active Directory through the ADUC console or PowerShell cmdlets, which becomes repetitive and inefficient at scale. | View, manage, and execute tasks across endpoints while integrating with Active Directory to streamline user account management from a unified platform. |
| Scripting | Although not mandatory, scripting automates repetitive tasks, especially bulk workload transitions within co-managed environments. | Administrators can use NinjaOne to remotely deploy PowerShell scripts that audit or report co-management status, helping verify device readiness and compliance. |
| Proactive, real-time monitoring and automated alerting | Real-time monitoring and automated alerting keep administrators informed about the health, performance, and compliance of IT assets. | IT teams can set custom alerts for devices that fall out of sync or miss a workload transfer, reducing possible downtime. |
| Custom field tagging | Custom field tagging classifies endpoints by management method, such as SCCM-only, Intune-only, or co-managed. | With NinjaOne, administrators can create custom fields to organize data for reporting, auditing, and inventory purposes. |
Handle workloads between SCCM and Intune through co-management
Co-management allows administrators to assign workloads between SCCM and Intune, providing flexibility between on-prem and remote management. By enabling co-management, MSPs and IT teams can gradually shift towards modern, cloud-native workloads without abandoning their on-prem investments.
Administrators can integrate SCCM and Intune via the Configuration Manager console, or via GPO for hybrid Entra (Azure AD) joined devices. After enabling co-management, its status can be verified with dsregcmd, the Registry, or PowerShell.