Blog Post

Microsoft Intune Blog
7 MIN READ

Understanding hybrid Azure AD join and co-management

Herman_Arnedo_Byrne's avatar
Herman_Arnedo_Byrne
Icon for Microsoft rankMicrosoft
Mar 18, 2021
As we talk with our customers that are using Microsoft Endpoint Manager to deploy, manage, and secure their client devices, we often get questions regarding co-managing devices and hybrid Azure Activ...
Updated Nov 09, 2023
Version 3.0
configuration manager
microsoft intune
Jason_Sandys's avatar
Jason_Sandys
Icon for Microsoft rankMicrosoft
Jan 03, 2022

Hi khanax0l. Best and straightforward is always in the eye of the beholder and depends on many details specific to your environment, users, management strategy, and usage that are not known.

 

Based on what you've noted though, your best first step here (IMO) is to implement a cloud management gateway (CMG) in ConfigMgr to enable you to manage these off-prem Windows systems (I suggest not calling them Windows Mobile as that means something different). This will enable you to fully utilize all of the management capabilities that you currently have with ConfigMgr for these off-prem Windows endpoints. 

 

You can then set about enrolling the Windows endpoints in Intune. The tricky part here for existing endpoints is that they must be hybrid Azure Active Directory joined (technically they could also be Azure AD registered but that's generally only recommended for BYOD type scenarios). To hybrid Azure Active Directory join an existing WIndows endpoint, the endpoint must have connectivity to the on-prem domain. Alternatively, you could also Azure Active Directory join the Windows endpoints, however, there is no direct, automated path to do this for existing WIndows instances meaning that you would have to reset them -- this may or may not be desirable.

 

Co-management enables ConfigMgr and Intune to simultaneously manage a Windows endpoint. It is not required to enroll an endpoint in Intune, but if will be using ConfigMgr to perform the Intune enrollment, then the result is a co-managed endpoint. Given that you already have ConfigMgr in place, there's no reason to recommend not using co-management.

 

Thus, moving forward, you have one main initial decision to make: do you want to reset the existing endpoints or not? If not, then you will have to HAADJ them which requires connectivity. If you are OK with resetting them, then you should implement Autopilot which will automatically join the endpoints to AAD and Intune enroll them and then add the ConfigMgr agent to them so that they are co-managed. Note that for new devices, you should be pursing this strategy anyway regardless of whether they are on-prem or not.