Co-Management Mechanism


Good day,

Do you know the exact mechanism co-management uses to communicate between Intune and Config Man?

Scenario: Computer1 is ConfigMan client.
Computer1 goes home and never connects on VPN.
No IBCM or CMG is configured. No Contact with MP.
You enable Automatic Enrollment in Azure MDM and assign the user license.
You also configure Co-management On-premise and add the machine to the Pilot Collection.
You go one step further and enable Hybrid Azure Join in ADConnect.

Does the machine know it is co-managed or does ConfigMan Client block the Intune Enrollment (due to no policy)?

5 Replies
Sorry, to specify the reason for this question, it is a customer that wants to enable Windows Update for Business for machines that are currently at home without VPN connection to the SCCM MP.
Tough spot for sure. There's not really going to be a good solution here, but there are solutions that are outside the box, something like using Intune, but still that might have some caveats and pitfalls. Feel free to reach out via Direct Message and we can chat about some interesting options.
In case you enable the client to be managed by Intune, when the user is not connected to VPN (meaning Config Manager is not managing it), when it connects to the internet it will be managed by Intune, unless there are any specific policies which might cause conflict or blocking.
I recommend you check Intune for the status of device enrollment.

In your scenario, you may ask the user to enroll to Intune and manage it.
Thank you Danny, will do
Thank you Reza, currently all the machines have the ConfigMan agent. So we are looking at ways to enroll machines into Intune so we can get to the end state of WuFB. For now at least, these machines will have to communicate with the MP to become co-managed. Just needed to confirm this is what I suspected.