Hi Andreas,

Just moved to co-management a year ago for 10.000 clients, now moving workloads to Windows Update for Business. Below a summary of the work done.
A goo start and recommended, is (if you have the required subscription) to ask help from Microsoft FastTrack engineers to guide you through the process: https://www.microsoft.com/en-us/fasttrack. It is an excellent service!

Johan

* Step 1: Enable Hybrid AAD Join (AAD connect) --> brings your devices to Azure AD
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-managed-domains
* Step 2: Enable co-management in ConfigMgr --> configMgr client will do the work for you
https://docs.microsoft.com/en-us/mem/configmgr/comanage/tutorial-co-manage-clients#enable-co-managem...
*Step 3: Tenant/Cloud Attach --> recommended for enhanced device management
* Step 4: you can now start moving workloads to Windows Update for Business.

The prerequisites including licensing are detailed in the official docs at https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview#prerequisites. Also, check out https://docs.microsoft.com/en-us/mem/configmgr/core/understand/product-and-licensing-faq#what-change... as this details the license grant we made a couple of years ago.

As for devices having an AAD identity, yes, this is a requirement for devices to be enrolled in and managed by Intune. This can either be full AAD joined (which is our strong preference for new devices) or hybrid AAD join (which requires AAD Connect and is the path of least resistance for existing devices).