Co-Management in ConfigMgr 1906

In this post I am going to go through configuring co-management in ConfigMgr 1906 and show some of the key differences from older versions of ConfigMgr. Co-management has been around since ConfigMgr 1710 but has evolved with each version.

Configuring Co-Management

The first step is to navigate to Administration > Cloud Services > Co-Management in ConfigMgr and select “Configure Co-Management”.

On the tenant onboarding screen you will be prompted to sign in with your Intune credentials (make sure the account you use has a valid licence). The main difference from other versions is that you now have an option to select the Azure environment: “AzurePublicCloud” or “AzureUSGovernmentCloud”.

Note: If you don't have a valid licence, you will see an error when signing in.

On the next section, “Enablement”, you can select whether automatic enrollment into Intune is configured for a pilot collection or for All (eligible devices). In previous versions you would have configured the pilot collection later on, but because 1906 introduced multiple pilot collections (one for each workload), the auto-enrollment collection is now separate. The collection is only required when using “Pilot”; if you change to All you no longer need it.

The collection will contain any devices you want to automatically enroll into Intune (provided they meet the requirements, i.e. Windows 10 1709 or later and hybrid AD joined).

If you get a warning about ensuring the proper prerequisites are installed, it relates to the Cloud Management Gateway, which is optional, so the warning can be ignored.

On the next section of the wizard you configure which workloads you want to move from ConfigMgr to Pilot Intune or Intune. When you move a workload to Pilot Intune you will have the option later on to specify an individual collection for each of those workloads.

Note: You should see 7 workloads. If you only see 6 and the client apps workload is missing, this is because client apps is a pre-release feature and needs to be manually enabled in “Administration > Updates & Servicing > Features”.

On the next screen I can now specify a pilot collection for each of the 3 workloads that I moved to Pilot Intune. The workload which I moved all the way to Intune does not require a collection to be specified. After specifying the collections I want to use for each workload, I can proceed to finish the wizard, and co-management is successfully configured.

Intune Device Enrollment

Next I want to show you the Intune enrollment for a client. ConfigMgr 1906 introduced device token enrollment, which means you no longer have to wait for an Intune licenced user to sign in for the device to be enrolled into Intune. In this example I am going to sign in as local administrator and open up CoManagementHandler.log so we can see this in action. The log says “Enrolling device with RegisterDeviceWithManagementUsingAADDeviceCredentials”.
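
A check for the log entry described above, as an added PowerShell example that is not from the original post: it parses CMTrace-format lines and reports which enrollment call the client logged. The function name, the sample lines and the default client log path under %windir%\CCM\Logs are assumptions.

```powershell
# Constructed sample in CMTrace log format. Only the "Enrolling device with ..."
# message text is taken from the post; timestamps, threads and files are made up.
$sample = @'
<![LOG[Sample line unrelated to enrollment]LOG]!><time="09:14:02.118-60" date="08-20-2019" component="CoManagementHandler" context="" type="1" thread="4120" file="sample.cpp:10">
<![LOG[Enrolling device with RegisterDeviceWithManagementUsingAADDeviceCredentials]LOG]!><time="09:14:05.532-60" date="08-20-2019" component="CoManagementHandler" context="" type="1" thread="4120" file="sample.cpp:20">
'@

function Get-CoMgmtEnrollmentEvent {
    # Hypothetical helper: returns one object per "Enrolling device with <API>" entry.
    param([string[]]$Line)

    $entry  = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[\d:.]+)[^"]*" date="(?<date>[\d-]+)"'
    $enroll = 'Enrolling device with (?<api>\w+)'

    foreach ($l in $Line) {
        $m = [regex]::Match($l, $entry)
        if (-not $m.Success) { continue }   # not a CMTrace entry (blank or wrapped line)
        $e = [regex]::Match($m.Groups['msg'].Value, $enroll)
        if (-not $e.Success) { continue }   # entry is not an enrollment attempt
        $api = $e.Groups['api'].Value
        [pscustomobject]@{
            Date        = $m.Groups['date'].Value
            Time        = $m.Groups['time'].Value
            Api         = $api
            # True only for the device-credential call quoted in the post.
            DeviceToken = ($api -eq 'RegisterDeviceWithManagementUsingAADDeviceCredentials')
        }
    }
}

# Assumed default client log location; falls back to the sample when it is absent.
$logPath = "$env:windir\CCM\Logs\CoManagementHandler.log"
if (Test-Path -LiteralPath $logPath) {
    $lines = Get-Content -LiteralPath $logPath
} else {
    $lines = $sample -split "`r?`n"
}

Get-CoMgmtEnrollmentEvent -Line $lines | Format-Table -AutoSize
```

A row with DeviceToken set to False means the client logged a different enrollment call than the one this post describes.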

Now if I jump over to my Intune console, the device has indeed enrolled with the device token: the management name begins with the Azure AD device ID instead of the user, and the Enrolled By User field is blank.

If I now sign into the device with an Intune licenced user, the Enrolled By User field will change from “Blank” to the name of the first Intune licenced user to sign in. The management name does not change.

There we have it, Co-Management in ConfigMgr 1906. Thanks for reading.

Jake Stoker

Enterprise Mobility + Security SME