We're currently using SCCM on premises configured for Intune co-management. All SCCM/Co-managed devices are automatically enrolled with MD-ATP using the SCCM enrollment method. I'm looking at covering the Azure AD workplace only joined computers so that essentially any Windows managed device is enrolled with MD-ATP automatically.
If the device is already enrolled with MD-ATP through SCCM and the Intune deployment method attempts to deploy to the Azure AD device (there because of co-management) - how does the MD-ATP onboarding process handle this?
Is there a way to exclude the already enrolled co-managed devices, such as an attribute that I can use to create a group, so that only Azure AD devices that are not enrolled have an enrollment attempt made?
Hope that makes sense - any feedback/suggestions appreciated.