Forum Discussion
Is co-management (or hybrid) required for Azure-joined machines to access domain services?
No, co-management does not resolve traditional auth challenges for AAD Joined Win10 clients (e.g. printing, NTLM, Kerb Auth). This can be somewhat addressed by having a Server 2016 DC and using Windows Hello for auth. The co-management intent is to provide AD+AAD Joined and SCCM+Intune, but to your point, this can't be done for machines already AAD Joined.
Jason_Githens, you mentioned that co-management is required for AD+AAD joining.
So even if it won't allow for SSO, Windows 10 MDM'ed machines will be able to at least access these services when co-managed?
- Michael Niehaus, Oct 19, 2017, Former Employee
With AAD joined devices and AAD Connect synchronizing user accounts between AD and AAD, devices will realize when they see a domain controller and automatically get a Kerberos ticket for authenticating to domain-joined resources. So yes, the AAD joined machine will get single sign-on access to domain-joined servers, IIS sites, etc.
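To check the state the answer above describes on an actual device, here is an added PowerShell example (not part of the thread and not Microsoft's own code). It reads the join state from `dsregcmd /status`, then requests a Kerberos service ticket for an on-premises resource with `klist get`; the SPN `cifs/fileserver.corp.example.com` is a placeholder you must replace with a server in your own domain.

```powershell
# Added example: verify the AAD join state and the Kerberos SSO behaviour
# described in the answer. The SPN below is a placeholder (assumption).
$targetSpn = 'cifs/fileserver.corp.example.com'

# dsregcmd /status prints "Name : Value" lines describing the device's join state.
function Get-DsregValue {
    param([string[]]$Lines, [string]$Name)
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value }
    return $null
}

$status       = dsregcmd /status
$aadJoined    = Get-DsregValue -Lines $status -Name 'AzureAdJoined'   # YES on an AAD joined device
$domainJoined = Get-DsregValue -Lines $status -Name 'DomainJoined'    # YES only for hybrid (AD+AAD) join
$hasPrt       = Get-DsregValue -Lines $status -Name 'AzureAdPrt'      # YES when the user holds a Primary Refresh Token

Write-Host "AzureAdJoined=$aadJoined DomainJoined=$domainJoined AzureAdPrt=$hasPrt"
if ($aadJoined -eq 'YES' -and $domainJoined -ne 'YES') {
    Write-Host 'Device is AAD joined only (no co-management/hybrid join needed for Kerberos SSO).'
}

# Ask the Kerberos client for a service ticket to the on-prem resource. This succeeds
# only when a domain controller is reachable and the signed-in AAD user was synchronized
# from AD by AAD Connect, which is exactly the condition the answer describes.
$ticketOutput = klist get $targetSpn 2>&1
if ($ticketOutput -match 'Server:') {
    Write-Host "Kerberos service ticket obtained for $targetSpn - SSO to on-prem resources works."
} else {
    Write-Host "No ticket for $targetSpn; check DC reachability (line of sight) and AAD Connect user sync."
    Write-Host ($ticketOutput | Out-String)
}

# Show the cached tickets so the TGT and service ticket can be inspected.
klist
```

Run this in the signed-in user's session (not elevated as a different account), since the Primary Refresh Token and the Kerberos cache belong to the interactive user whose AAD identity must map to the synchronized AD account.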