Co-Management – Combined Compliance from Both Intune and SCCM

In this post I am going to show you how to evaluate compliance from both SCCM and Intune for Co-Managed devices when the compliance workload has been moved to Intune. This is done by deploying a compliance policy from Intune that has the setting “Require Device Compliance from System Center Configuration Manager” enabled. With that setting in place, both the Intune compliance policy and the compliance state reported by SCCM are evaluated to give a combined result.

  • The first step is to ensure that the compliance policies workload in Co-Management is moved to Intune.

image

  • Next, create a compliance policy in Intune and enable the setting “Require Device Compliance from System Center Configuration Manager”.

image

  • Once you have created the policy in Intune, assign it.

image
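The Intune side of the steps above (a policy containing only the SCCM-compliance setting and a minimum OS version, then an assignment), created through Microsoft Graph with PowerShell. This is an added example and not code from the original post; it assumes the Microsoft.Graph module, and the group id, display name and OS build are placeholders. The `windows10CompliancePolicy` property names used here should be confirmed against the Graph reference for the endpoint version you target.

```powershell
# Added example (not from the original post): create and assign the Intune
# compliance policy described above via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Placeholder values: replace with your own Azure AD group id and OS baseline.
$targetGroupId    = "00000000-0000-0000-0000-000000000000"
$minimumOsVersion = "10.0.17763.0"

# Policy body with only two settings, mirroring the policy in the post.
# configurationManagerComplianceRequired is the Graph name for
# "Require Device Compliance from System Center Configuration Manager".
$policy = @{
    "@odata.type"                          = "#microsoft.graph.windows10CompliancePolicy"
    displayName                            = "Co-Management combined compliance"
    description                            = "SCCM compliance state + minimum OS version"
    configurationManagerComplianceRequired = $true
    osMinimumVersion                       = $minimumOsVersion
    # Graph requires an action for non-compliance when creating a policy.
    # Mark the device non-compliant immediately (no grace period) so that
    # conditional access can act on the combined result.
    scheduledActionsForRule = @(
        @{
            ruleName                      = "PasswordRequired"   # conventional rule name
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0 }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Assign the policy to the placeholder group (the third step above).
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $targetGroupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read the policy back to confirm that only the two intended settings are set.
Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)" |
    Select-Object displayName, configurationManagerComplianceRequired, osMinimumVersion
```

The device still has to be reporting to SCCM for the combined result to mean anything; a device with no SCCM compliance state will not satisfy the setting regardless of its Intune settings.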

I also have a compliance policy in SCCM called “test” which requires all required software updates to be installed on the device. As you can see from the screenshot below, the device is currently compliant.

image

The result is that my compliance policy in Intune is also compliant, as the only settings it contains are “Require Device Compliance from System Center Configuration Manager” and a minimum OS version.

image

  • Result in Company Portal:

image

  • Result in Software Center:

image

Now, as a test for this blog post, I am going to edit the SCCM compliance policy to also require encryption, which will make the device non-compliant as it is not encrypted. Note: you probably wouldn’t use encryption in your SCCM policy in production, as you can natively evaluate encryption directly from Intune, but it is the easiest way for me to demo a non-compliant state.

As you can see, the test policy is now non-compliant, and as a result the device is also shown as non-compliant in Intune.

image

image

  • Result in Company Portal:

image

  • Result in Software Center:

image

In conclusion, you can move the compliance workload to Intune and still evaluate compliance from both SCCM and Intune to give a combined result. To get the most out of this, you would also use conditional access to control access to corporate resources by allowing only compliant devices access.


Jake Stoker

Enterprise Mobility + Security SME