TECHCOMMUNITY.MICROSOFT.COM



Overview

On October 19, 2017, the Microsoft Tech Community hosted a Co-management with Microsoft Intune and System Center Configuration Manager AMA. The live hour of Q&A provided members the opportunity to ask questions and voice feedback with the product team. We hope you join us live next time!

Resources

Windows 10 & Office 365 ProPlus deployment and management Microsoft Ignite 2017 sessions:
- Microsoft 365: Modern management and deployment (general session with Brad and Rob)
- Overview: Modern Windows 10 and Office 365 ProPlus management with EMS
- Transition to cloud-based management of Windows 10 and Office 365 ProPlus with EMS
- Modernize deployment & servicing of Windows 10 & Office 365 ProPlus with EMS
- Secure Windows 10 with Intune, Azure AD and System Center Configuration Manager

Intune/ConfigMgr Microsoft Ignite 2017 sessions:
- Mobile device and app management overview with Microsoft Intune
- System Center Configuration Manager overview and roadmap
- Conduct a successful pilot deployment of Microsoft Intune
- Manage and secure Android, iOS, and MacOS devices and apps with Microsoft Intune
- Learn how to use Microsoft Intune with the new admin console and Microsoft Graph API
- Secure access to Office 365, SaaS and on-premises apps with EMS
- Manage and protect Office 365 mobile apps with Microsoft Intune
- Deploying and using Outlook mobile in the Enterprise
- Manage mobile productivity with EMS

Cloud Management Gateway documentation:
- Plan for CMG (requirements, features, cost estimates, FAQs)
- and assign Configuration Manager Windows 10 clients using Azure AD for authentication (using CMG with Azure AD and Intune)

Discussion

That's a wrap!

Introduction

Welcome to the Co-management with Microsoft Intune and System Center Configuration Manager Ask Microsoft Anything! View the list of introductions in this thread.

General Discussion

Q: How does Licensing work for Co-Management between ConfigMgr and Microsoft Intune? (thread)
A: EMS license includes Intune license and the rights to use ConfigMgr. This is in addition to rights for Azure AD Premium, Azure Information Protection, Advanced Threat Analytics, and Cloud App Security. Since ConfigMgr license is included in Intune/EMS/Microsoft 365 licenses, you can choose to continue using ConfigMgr or start transitioning the management of all of your devices (Windows, Android, iOS, macOS) to Intune. You can learn more here. As a side note, Microsoft 365 license includes Office 365, Windows 10, and EMS licenses. So many customers are moving from traditional EA to Microsoft 365 as it gives them one license to build a modern workplace. You can learn more.
Q2: What of device-based licensing? I'm in retail and the overwhelming majority of our devices are not assigned to users. Our price tag was $7 million per year to extend Intune to those devices. I'm told that got negotiated down to two million but even that rate was impossible to rationalize.
A2: Intune has a per-device licensing option. I don't know the details, so I would suggest reaching out to your account/licensing contact at Microsoft and asking about the per-device license option with Intune. Intune/EMS user license allows up to 15 devices. You might want to also take a look at Microsoft 365 Firstline.

Q: Are there any plans to give more granular control over moving to the next Win10 "Current Branch," like a separate release cycle, scheduling etc., like the upcoming Windows 10 Fall Creators Update rollout? (thread)
A: Are you asking about more granular Windows Update for Business deferral policies than we currently have, with scheduling capability?
Q2: Yes, is deferral the only scheduling possible? Instead of rolling out Fall Creators Update on 12.12.2017 12:12.
A2: Currently yes, but AFAIK, granular control like scheduling is on the radar for the Windows Update for Business team. I don't think there is a committed plan yet.

Q: We are a provider of Cloud Solutions and are investigating extending this to management of the end points with Intune. Intune works great from a compliance standpoint but lacks the breadth of configuration options afforded with Group Policy. Would a device enrolled in co-management be able to be controlled by Group Policy? Will there be any restrictions to this? We are investigating solutions for users that have a highly mobile workforce. Intune has been great at deploying VPN settings to get them dialed back in to their existing infrastructure. However, with them no longer being Domain Joined devices, we are missing the ease of configuration. Can you envision a scenario where a VPN profile is deployed, connected at log on and allows for a standard processing of Group Policy? Kind of like a cloud based traditional corporate infrastructure. (thread)
A: Co-management is SCCM + AD + Intune + AAD so you still get to leverage all your existing GPOs. One thing we know from speaking to customers is that GPOs are complex, and organizations often don't fully understand what they actually need or even what they have in place. Co-management allows you to begin a journey to modern management without having to make a leap. Co-management bridges the gap from traditional to modern giving you time to rationalize what you have and to plan and implement the controls you need through Intune device configuration profiles. Additionally, you are not required to have Active Directory joined devices that are Co-Managed. What that means is that as you transition to modern management, you can reduce your dependence on Active Directory.
Q2: But do you have to have SCCM in order to utilize co-manage? Can I Domain Join a 1709 Windows 10 device that has only been connected to Intune so far? I understand that some organizations have complex setups where they don't fully understand what they need or have in place, however this is not us. We are trying to make up the shortcomings of Intune for device configuration with a proven technology. Other than wrapping a script up in an MSI, how can I provision printers or make other changes that are not exposed by Intune configuration templates or the OMA-URI schema?
A2: You do have to have SCCM to Co-Manage - that is the definition - Co-Manage is Intune & SCCM co-managing a device. However, you do not need the device to be joined to on-prem Active Directory to be co-managed. You may have the device AAD Joined or Hybrid AD/AAD joined and still co-manage with both SCCM & Intune.

Q: Is there a way I can add more than one device to a dynamic group? Under the Dynamic membership rules I want to add 5 specific iOS devices that have no user affinity in DEP. (thread)
A: The way you can do this is to create a DEP enrollment profile that's targeted to your 5 specific devices, and then create a dynamic device group where membership is based on the name of the enrollment profile.

Q: I heard about this tool, which is supposed to migrate the SCCM content to Intune. You say that it migrates policies/packages/CIs/VPN or Wi-Fi profiles, and stuff like this. I understand there are some limitations, explained in the documentation, but are you not afraid that the vast majority of users will not be able to use this tool in a prod way, because of the various current Intune limitations like no PS script support yet available, not all GPOs existing in the "LocalSecurityPolicies" CSP, packages that are EXE-based or contain several MSI files, and so on...? (thread)
A: The tool that you linked to is actually to migrate MDM policies from a hybrid ConfigMgr/Intune configuration to an Intune standalone configuration. It will not translate GPO to MDM – check out that. BTW, PowerShell script execution is in fact coming to Intune with the Intune Management Extension that will be released in a few weeks!
Q2: I thought that if you offer co-management, then this can be seen as a "long transition phase", and you believe that one day, your customers will not stay with SCCM and Intune running in parallel forever, even if these "authority sliders" in SCCM 1710 let you choose what backend is doing what. Then sooner or later, the Data Importer tool and MMAT tools will need to translate the GPOs and other advanced SCCM options to their MDM equivalents... or you will somehow "simplify" things by dropping a lot of SCCM options, no?
A2: You are right. Co-management is a temporary state and not an end goal (though it may last years in some organizations). Modern management is about simplifying IT processes. For settings this means that policies are more intent based, and not as granular as the thousands of GPOs available today - we have no intention to replicate all of those to MDM. We are making sure that all the critical settings are addressed in MDM (and you will see that most gaps are addressed in the Fall Creators Update) and looking to our customers to continue to provide the feedback on any settings gaps they see in the MDM model. We are working on experiences in SCCM to help with the transition, through MMAT and by leveraging the Management Insights framework that we added in 1708 TP.

Q: I installed ConfigMgr TP1709, configured Cloud Management (Azure AD user sync worked), Cloud Management Gateway, and Co-Management is assigned to a collection. I have installed Windows 10 1709, domain joined, ConfigMgr client installed, Azure AD joined (not joined to workplace). In the Intune portal I only see that my machine is Hybrid Azure AD joined; I don't see that it is managed by MDM/ConfigMgr. Did I miss something, or is the Co-Management feature just not yet for everyone? CoManagementHandler.log said Failed to enroll into device management with error (0x80180015 - Mobile device management generally not supported). Unknown MDM Enrollment URL. (thread)
A: Dune answered this in another conversation. "Intune pieces that will arrive soon (late October early November)".

Q: Is the Co-Management feature already available to everyone who has Intune? (thread)
A: It will be, with the 1710 updates to SCCM and Intune and the Windows 10 Fall Creators Update.
Q2: So, it is not yet with ConfigMgr TP 1709?
A2: Yes, it's in ConfigMgr TP 1709.
Q3: Yes, it can be configured in ConfigMgr TP 1709, and I did. But I don't see that my machine is controlled in Intune as MDM/ConfigMgr.
A3: There are a few pre-requisites that are in the midst of falling into place. You will need: Intune pieces that will arrive soon (late October early November), ConfigMgr 1710 CB for production deployment (1709 TP+ for labs!), Windows 10 Fall Creators Update on client devices. So, the answer is "Not right now, but it will be soon"!

Q: Once we enable co-management, will we have to choose for specific capabilities whether they are managed by on-prem (SCCM and GPO) or Cloud (Intune), or will both platforms be able to manage the same type of capabilities at once? For example, can some settings on a computer be configured via group policy, while others are configured by an Intune configuration policy? Or if I have compliance policies in both SCCM and Intune that target a computer, will it evaluate both policies? (thread)
A: You will be able to choose workloads to move from SCCM to Intune for management. When you first enable CoMgmt, SCCM will manage all workloads. Then you can use a wizard in SCCM to move workloads to Intune - for example: Software Update -> WUfB, resource access profiles, conditional access.
Q2: So, it will not be possible to have a computer have updates managed in the cloud, but also get additional updates published through System Center? If I move that workload over, do I lose the ability to push third party software updates to clients using SCUP and SCCM? Is moving a workload an all or nothing thing, or can management of a workload be configured per client or collection?
A2: You are right that third-party updates are not part of Windows Update for Business (at least not at the moment, it is a common ask and we are looking into it). In a co-management environment you can continue to use SCCM to manage those. In a cloud-only environment Intune can help manage these updates with the Intune Management Extension through PowerShell scripts.
Q3: Ok, so even if we move management of Windows updates to Intune/WUfB, clients will still get updates that are pushed out from SCCM as well if they aren't in WUfB?
A3: You have the option to move a set of pilot devices to be fully Intune managed and those that you don't move are still managed by SCCM. But, once you have moved a client workload for software updates to Intune, that will be fully managed by Intune and WUfB. The previous response applies - SCUP only applies to those devices managed by SCCM.

Q: If we are talking about Microsoft 365, I would very much like to see "Folder Redirection" to OneDrive, so that Desktop, Documents can be easily retained during a "Reset/Recovery" process. Like State Migration. (thread)
A: You can configure this today via policy, but it is more challenging than it needs to be. We are working to simplify this for a future Windows 10 release.
Q2: Will the two methods be compatible? Can I set with GPO today, and the new 'simplified' way take over later?
A2: It's still a little early to say. Today, you have to manually set up OneDrive for Business, which gets the folders in place; once that's done, policies to redirect the folders work fine (although existing data doesn't move). Hence the reason to make it easier overall. I wouldn't expect the changes to cause any problems if you've already set this up.

Q: Is Co-Management just for Intune and SCCM or can it be used with Intune and AD/GPO? (thread)
A: Co-management is SCCM+AD+Intune+AAD. It allows you to bridge the current SCCM+AD state of traditional devices into Intune+AAD by allowing all of them simultaneously whilst rationalizing your on prem dependencies to allow you to make the full step into modern, but if your question is JUST Intune and AD, then no.

Q: One of the concerns with a "Cloud first" approach is network bandwidth on larger deployments, for example, 2000 users in the same building. Any plans to "proxy" these downloads via local DP or similar solution? (thread)
A: Not at this time. Our solution for network bandwidth controls for cloud/Intune delivered content is based on Windows 10 Delivery Optimization (native peer caching in Windows 10). Delivery Optimization is the content management technology for cloud services including app management and update management.

Q: Are there going to be any licensing features added for EDU volume licensing customers? We have Win 10 EDU devices Azure joined, but currently it requires MAK keys as it doesn't automatically activate once joined to AAD like the Enterprise edition of Windows 10 does. Not sure if the SCCM side could address this or if this is going to be an adjustment that needs to take place with the AAD team. (thread)
A: We are looking at having automatic step-up to the Education SKU via Windows 10 Subscription Activation in a future Windows 10 release.

Q: At present Intune gets updated with new features etc. If we move to Intune that is integrated with SCCM, would we then be limited to the development cycle of SCCM if there were features in Intune we wanted, or have the development cycles for Intune and the integrated versions become more aligned? (thread)
A: It sounds like you are already in a modern management state and concerned about introducing SCCM management in your environment. Co-Management is designed as a path towards modern management paradigms for customers who heavily leverage on-premises SCCM management today. If you are already using Intune and modern management technologies in your environment, then adding SCCM could very well introduce unnecessary complexity/overhead. It could be worth evaluating your business requirements and gaps to see what is missing and then potentially looking into the Intune Management Extension to see if leveraging that could help close some of these gaps. One more clarification: Co-Management and Hybrid (using the Intune connector to manage Intune devices in the SCCM console) are separate and different states. The latter provides basic support for Windows 10 devices managed with Intune using the SCCM console UI, and would be bound in all cases to the slower SCCM release cycle (every 4 months or so), whereas Co-Management allows you to use the Intune Azure portal experience to manage specific workloads that have been migrated to modern management with Intune. With Co-Management, there are certain pieces, for example the specific workloads, that would be tied to the SCCM release cadence, but otherwise the Intune release cadence would apply.

Q: We have Office 365 and EMS licenses and have an SCCM deployment. User devices run Win7, 8, 10, and MacOS; mobile devices are iOS and Android. Now we would like to start managing mobile devices and would like to have the full stack of capabilities like endpoint encryption, protection, security policies, conditional and risk based access etc. Should we go with Intune standalone and start on a clean slate: manage what we can with Intune, and leave Win7 in SCCM while we gradually upgrade them to Win10, or is there benefit from running SCCM+Intune hybrid? Some of the benefits of the hybrid scenario based on my research:
1. better support for MacOS in SCCM (through plugins like Parallels) than there is today in Intune (Intune has upcoming integration with JAMF, are there other integrations?)
2. endpoint protection for MacOs is included in SCCM
3. SCCM has centralized management of antivirus
4. reporting today is richer in SCCM (thread)
A: No, our Mac focus is on the Mac MDM side, with native Intune management and our JAMF integration. I think you're referring to co-management, not Hybrid, right? Can you clarify? Co-management allows you to persist SCCM management on Windows, move workloads for Windows 10 to Intune over time, and use Intune for cross-platform MDM and MAM.
Q2: Well, in my question I meant hybrid. Once we have implemented Intune standalone, we can then utilize co-management. Will co-management besides Windows also support transition for MacOs, iOS, Android? What about Linux?
A2: Seems you're mixing two things, Hybrid migration and co-management. One, Hybrid migration moves existing Hybrid configurations to Intune SA (iOS, Android). After that's done, and you're on SCCM and Intune SA, then you can use co-management to start moving Windows 10 management workloads. There's no Linux support in Intune, so nothing to migrate there. No plans for Mac workload migration (from SCCM to Intune).

Q: When do we get our hands on this? (thread)
A: Co-management will be available with 1710 updates to SCCM and Intune and the Windows 10 Fall Creators Update.
Q2: When can we expect the new version of SCCM to be available?
A2: ConfigMgr 1710 CB will be shipping before the end of the year -- similar release cadence to our 1610 CB release last year. In the meanwhile, you may also want to try out 1709 Technical Preview.

Q: Does co-management require any additional infrastructure? We currently have a single site SCCM environment, all on prem. Will we need to add any additional servers, site servers, roles, etc. to use co-management? (thread)
A: No, you won't. Just Intune Standalone. To extend the reach of SCCM to Internet Based clients, the Cloud Management Gateway role is important, as it provides a way to provision new machines using Autopilot and OOBE, with AAD registration and Intune enrollment, which can then deliver the SCCM agent. With CMG in place, clients not even on the corporate network can start getting SCCM policy and apps.

Q: We are in the process of trying to migrate from BES to Intune and are having significant issues trying to deploy a WIFI profile to iOS devices. What is the preferred method of authentication, or the most popular one that is used? Currently with BES we are using WPA2 Enterprise with a username and password. This can't be used with SCCM/Intune. (thread)
A: You may be here already but here is the current Intune documentation around Wi-Fi settings for iOS. We support several different authentication methods and would encourage you to poke through these docs and choose the method that makes most sense for your environment and security requirements. Unfortunately, there is no one "preferred" method as every environment is different.

Q: So, on your demo at Ignite, you showed how to move certain workloads to the cloud, one of which was Windows updates. How do I manage that in Intune? (thread)
A: Intune management of Windows Updates is through Windows Update for Business. You can set the policies directly from the Intune console, see here.
Q2: Thanks for your reply. If I'm not mistaken, Intune only manages Win10 update rings (servicing branches) and not full Windows updates, which allows updates to other products, definition updates and etc.
A2: You are right that third-party updates are not part of Windows Update for Business (at least not at the moment, it is a common ask and we are looking into it). In a co-management environment you can continue to use SCCM to manage those. In a cloud-only environment, Intune can help manage these updates with the Intune Management Extension through PowerShell scripts.
Q3: So, it means once a machine is switched to being Intune-managed, even if the device is physically connected to my company LAN, it will not be able to use our SCCM internal distribution points to cache the update files, and only the Intune "Delivery optimization download mode" options found in the "Update Ring" configurations will apply, right? Asking this, as we want to avoid all Internet links collapsing every 6 months.
A3: If you move the Windows Update for Business workload to Intune then yes, OS updates will be delivered over the internet with Delivery Optimization and not via SCCM DPs. Other content that is managed by ConfigMgr (like apps) will continue to use DPs. Note that this is true even if you manage WUfB policies directly from SCCM and not through Intune - the capability to manage WUfB policies in SCCM was added in 1706.

Q: I have a client who is looking to implement Intune Hybrid, and I am recommending Intune Standalone for obvious reasons. The TechNet article "Choosing between Intune Hybrid and Standalone" doesn't seem to have an effect on my recommendation. How do I start the conversation with the client to convince them into using Intune Standalone as opposed to Hybrid? (thread)
A: Yes, we'd recommend going Intune Standalone. Most of the gaps that Hybrid addressed (RBA, scale, API exposure) have been addressed with our move of Intune to Azure and the Azure Portal. Co-management also only works with SCCM and Intune Standalone, not in a Hybrid configuration.

Q: After turning on co-management, will there be a way to add SCCM features to devices that were already Intune joined, but not domain joined or a part of our on-premise SCCM? If so, will they need to be upgraded to Fall Creators or will it work with 1703 as well? (thread)
A: Co-management requires Win10 version 1709. For these devices that are currently Intune managed (and running at least 1709), you can deploy the SCCM client bootstrap (ccmsetup.msi) with the proper command line parameters to add the SCCM client.

Q: I have a recently acquired business unit that does not have infrastructure in place for an SCCM rollout at this time. If I join them to Intune, will I be able to bring them into SCCM as their infrastructure is remediated and I have capacity for DPs at their remote locations? (thread)
A: Yeah, we have the ability to create an app in Intune with the SCCM client bootstrap (ccmsetup.msi) with the proper command lines. If the device is on the corporate network, then the command line is short-ish, but if it's Internet-connected, then you can have it register through the Cloud Management Gateway connected with Azure AD. So, you could do this at any time in the future for Intune devices to bring them into a co-managed state. At the same time, you should consider whether those devices are sufficiently managed in this modern state. Remember that co-management is not the end goal; modern management is the north star. So, if you're starting with devices there, perhaps consider if that meets your business requirements!
Q2: Do you have a link for best practice or instructions on setting this up with co-management if we need it? "If it's Internet-connected then you can have it register through the Cloud Management Gateway connected with Azure AD."
A2: Start here. We still have some updates to publish but this will get you started.
Q3: I wondered about this when presented at Ignite. The docs have long stated not to use the MSI directly and only use the EXE. Is that no longer the case?
A3: We quietly added ccmsetup.msi which can bootstrap the client install files over the Internet with CMG. Shameless plug: check out my Ignite session where I demo just that.
Q: In this article, it said Command line to install Configuration Manager client: ccmsetup.msi CCMSETUPCMD="/mp:<URL of cloud management gateway mutual auth endpoint>/ CCMHOSTNAME=<URL of cloud management gateway mutual auth endpoint> SMSSiteCode=<Sitecode> SMSMP= of MP> AADTENANTID=<AAD tenant ID> AADTENANTNAME=<Tenant name> AADCLIENTAPPID=<Server AppID for AAD Integration> AADRESOURCEURI= ID>" Shouldn't it be AADCLIENTAPPID=<Native Client AppID for AAD Integration>? (thread)
A: Refer to the current branch topic here. It has more detail on the parameters.

Q: According to the current documentation, co-management is only supported if you have Intune standalone. Since this is for managing Windows 10 with both ConfigMgr and Intune, it would appear that lots of people will currently have Intune hybrid configured. Will this be updated to work with hybrid or mixed authority mode for organizations during the transition to standalone? (thread)
A: No. Co-management is SCCM and Intune Standalone only, no support for hybrid. Otherwise you're moving Workloads from SCCM to.... SCCM. For Hybrid customers looking to adopt co-management we recently released migration tools to allow you to switch your management authority to Intune standalone. Here's more information.
Q2: Just a piece of feedback. Some of us will be looking to implement Intune simply to implement Autopilot to avoid OS imaging. As soon as we get the machine managed by Intune, we will want to install security applications and then join the domain and begin management with SCCM.
A2: Absolutely, this is what we'd call modern provisioning. You can push SCCM with Intune using a quietly added CCMSETUP.MSI that can bootstrap the full client setup over the Internet. We also added AAD auth pieces to allow client registration to happen over CMG to result in a fully managed device from the Internet, all user driven. If you haven't already, check out my session from Ignite. I show this flow.
Q: We've already seen some very good information in the first half of this AMA (similar questions have been asked by some customers). Any plans to publish in-depth information like this in the future for some of us who would like to deep-dive in a "behind the scenes" way? (thread)
A: Yes, our documentation is published in alignment with our GA release (e.g. 1710 is when co-management lands, so that's when the relevant TechNet in-depth documentation would land).

Q: I have many clients that are hybrid - sometimes they work inside the network and sometimes outside. Previously, with IBCM, I could set them up as a hybrid client, meaning that when the client was connected to the internal network it was connected directly to the SCCM server and when roaming it connected to the SCCM server in the DMZ. Can I achieve that with Co-Management? (thread)
A: We added the Cloud Management Gateway feature to simplify this scenario and reduce the infrastructure impact and exposure, see here for a comparison of the two. Both IBCM and CMG are for SCCM-managed workloads. Co-management can leverage CMG to allow Internet-based devices to receive SCCM managed workloads. Co-management is really about giving you flexibility and control over which workloads (compliance, resource access, updates, etc.) are managed by which service. And remember that co-management is not the intended end-state; it is just a bridge between the current traditional management methodologies and the modern cloud-based management.

Q: Are there any plans to give the community greater visibility to errors that we see in standalone Intune? E.g. instead of seeing that an error occurred, it would be nice to see what the error was, and what service is affected within the tenant rather than just a generic error code. If we could have access to reporting tools and logs, then it would greatly help speed up the process when it came to troubleshooting issues that arise from time to time. (thread)
A: I totally agree. If you haven't checked out the new Intune "troubleshoot" option on the bottom left of the console, it's worth a look. We're investing a lot in this area, exposing more troubleshooting info all the time. For example, in the next month or so you'll be able to see error messages for enrollment failures and what you can do to address the failure. And we have much more coming.

Q: If we moved to an integrated SCCM/Intune platform, would we be limited by features within the SCCM environment in regard to features we can implement? Or has the Intune feature cycle and the SCCM integration aligned better so that the SCCM/Intune integrated environment isn't lagging behind the stand-alone Intune platform? Would moving to the integrated platform provide us with better logging for troubleshooting diagnosis, for example, or give us better visibility as to when there are issues in the environment? (thread)
A: Sam, by integrated are you referring to co-management or to a hybrid Intune/SCCM configuration? With co-management (which is not supported on hybrid), you get to manage some workloads in Intune while managing other workloads in SCCM - this is the main benefit of the co-management model. For hybrid, you will see basic Win10 management in the SCCM console, but new features (like co-management) are only available in the Intune portal. If you are trying to decide between hybrid and SA, in most cases our recommendation will be SA. See this article.

Q: Will I be able to use Intune to enroll a device in to Active Directory once Co-Management is in the wild? (thread)
A: This is on the roadmap and will be coming soon.

Q: Can you add Intune MDM to a Windows 10 1709 device with the ConfigMgr client if you haven't configured co-management between the Intune tenant & ConfigMgr site? (thread)
A: The capability in SCCM to auto-enroll a client to MDM is part of the onboarding experience to connect the site with Intune. So yes, you do need to configure co-management for the automated enrollment. However, I think you can manually MDM enroll.

Q: How will you solve the Windows Update settings battle? In SCCM it is between SCCM policy and GPO. Now we have MDM policy. How can we ensure that the MDM policy wins over whatever is left on a migrated PC? (thread)
A: It's work in progress for MDM policy winning over others in general. For Windows Updates specifically, since co-management between ConfigMgr and Intune is a coordinated effort, once the update workload is handed over from ConfigMgr to Intune, update policies will be from Intune MDM and there will be no conflicts between the two.
Q2: Is it safe to infer from this statement that co-management will not mean that an Intune managed client where the Windows update role has been moved to Intune will not enable managed devices on a corporate network to make use of on-premise distribution points for update content? If so, that will make it very difficult to justify making this switch. Large corporations will never want thousands of devices going out through the outbound proxy to get that content when it could be acquired internally.
A2: Windows Update for Business does leverage Delivery Optimization to better handle the content delivery that Intune MDM can configure. That said, we do understand that some customers still prefer the on-prem content distribution mechanism for many clients on the corpnet, and co-management still would enable you to leverage other workloads in Intune and have ConfigMgr SUM manage updates for these clients. So, it's a decision for customers to make if they are ready to move this workload to Intune for a specific population.

Q: With customers in hybrid mode, SCCM/Intune, will they now be able to switch their authority to Co-Management between Intune/SCCM and deploy policies in Intune, which SCCM will be able to see and implement, or vice versa? Also, with Co-Management coming into focus for Intune/SCCM, will these Hybrid customers be able to now fully use the new Intune Portal, versus mainly still dealing with the Classic? (thread)
A: In regard to the hybrid mode, you will be able to have a "Mixed Authority" mode where some devices are managed in SCCM/Intune hybrid mode (those will not be Co-Managed). Then you could also have devices managed in a Standalone Intune instance and those would be Co-Managed. That is managing in mixed authority. Customers should be migrated to the new Intune Azure Portal and no longer need to manage via the classic portal. This should be the case for customers managing with Co-Management.

Q: Our company is using ZenWorks for our Windows 7 machines. We have begun deploying Windows 10 machines under Intune MDM (joining to Azure) with great success so far. We do not have SCCM in place (yet). However, our biggest pain point right now is Windows 10 users accessing on-prem domain services like printing, file share, etc. These services are not going to the cloud anytime soon. As we all know, we cannot domain join a machine that is already Azure AD joined. Is co-management required for a Windows 10 MDM'ed machine to gain access to these services? Or can we leverage AAD Connect to solve this issue? (thread)
A: No, co-management does not resolve traditional auth challenges for AAD Joined Win10 clients (e.g. printing, NTLM, Kerb Auth). This can be somewhat addressed by having a Server 2016 DC and using Windows Hello for auth. The co-management intent is to provide AD+AAD Joined and SCCM+Intune, but to your point, this can't be done for machines already AAD Joined.
Q2: You mentioned that co-management is required for AD+AAD joining. So even if it won't allow for SSO, Windows 10 MDM'ed machines will be able to at least access these services when co-managed?
A2: With AAD joined devices and AAD Connect synchronizing user accounts between AD and AAD, devices will realize when they see a domain controller and automatically get a Kerberos ticket for authenticating to domain-joined resources.? So yes, the AAD joined machine will get single sign-on access to domain-joined servers, IIS sites, etc.Q: Is the plan to eventually move all SCCM functionality to Intune?? If so, how much longer will SCCM on prem be around? (thread)A: No, the plan is not to move all SCCM functionality to Intune. Modern management is different than traditional management (e.g. Win32 apps vs. Modern Apps, GPO vs. MDM policy, Imaging vs. Modern Provisioning). Co-management is the path to migrate workloads over time, by persisting traditional management in SCCM and moving modern workloads to Intune. Over time. SCCM on-prem will be around for as long as traditional workloads are around (years).Q2: To clarify, for the features which will not be moved to Intune, is that because they are considered 'legacy' features which won't be needed going forward? Imaging, for example, seems like a hard feature to move to a cloud service, but it also seems that MS is pushing hard to eliminate the need for that feature. I'm not yet sure I agree, but MS clearly sees a day coming when we don't need to wipe and reload brand new computers, or even to fix an issue on an existing computer. Maybe someday...A2: Right, workloads like imaging are inherently complex and not in line with the lightweight management constructs of Intune. So, we don't want to move the inherent complexity to the cloud and call it "modern."?That said, we've very invested in ensuring our customers have practical bridge solutions to modernize, so we expect to iterate on solutions like AutoPilot?with you as quickly as possible to make sure they work.Q: When a device joins AzureAD and is re-imaged, we notice the device appears multiple times in AAD/Intune as it receives a unique ID.? 
Obviously, this does not happen on the domain joined side.? Is the co-management going to handle this differently when a device is re-imaged?? I know that the Fall Creator's update has a way to reset a device to its original state which would probably help with the multiple instances getting created in AAD/Intune…just wondering if there will be any known issues when the device appears multiple times after a re-image process. (thread)A: Co-management in itself will not create issues, as turning on co-management will simply create that first Intune device record.? However, your point on multiple device records as PCs get reset over time is fair.? I'm making a note to see if we can better reconcile these records when we know it's the same physical PC.Q2: Maybe consider also the option to remember the installed Apps. I mean Apps that were "Available" and were chosen by the User, resetting the device would be smoother then (on the Admin).?A2: The Windows 10 1709 feature that you referenced, Windows 10 Automatic Redeployment, preserves existing MDM and AAD enrollment information, so no new objects are created. See here. Overall, this is better than reimaging, as long as you want to start clean.Q: Will co-management support many to many relationships? i.e. if we have a prod and dev Azure tenant can we manage devices from both of those tenants with a single config client? And vice versa, if we have numerousSCCM hierarchies, can devices in different SCCM hierarchies be managed by disparate Intune instances? (thread)A: We currently don't have plans to support multiple tenants yet.Q: I have a domain joined Windows 10 1709 VM and running ConfigMgr CB 1702, what are the next steps to begin testing co-management? (thread)A: Co-Management will ship with the 1710 updates to SCCM and Intune and the Windows 10 Fall Creators Update. 
Once you have updated your environment to meet these requirements, take a look at the documentation that we shipped along with the 1709 Tech Preview.Q: A lot of the co-management story has been around using Windows AutoPilot to AAD DJ a device, enroll it in Intune, and use Intune to push the ConfigMgr Client. Since 70%+ of managed devices today are managed with ConfigMgr, is there a path to take existing AD joined ConfigMgr managed devices and enroll them into Intune for co-management? (thread)A: There are two routes to co-management. Modern provisioning is one of them, but you are absolutely correct that customers have way more devices in a traditional state (AD+SCCM) and with 1710 we will have the ability to uplift them to a co-managed state by registering with AAD and enrolling into Intune.?Q: Do we need to re-enroll all of our mobile devices when we move from Intune to Intune SA + Com-management? Is it seamless for the users? (thread)A: No, if you have Intune SA, and you use SCCM+Intune SA with co-management, you don't have to re-enroll anything.Q: If I manage the same things from ConfigMgr and Intune, which will take effect on the client is there something like a priority to avoid/control conflicts? (thread)A: You won’t get into a situation where Intune and SCCM are managing the same workloads. With co-management you move over whole workloads. Once a device has had a workload moved to Intune, SCCM no longer provides policy for that feature. So, for instance, if you move over to Windows Update for Business, SCCM stops providing update policy to the clients. You'll have the capability to phase, by specifying a pilot collection. But once a device has been swung over for a particular workload, the way we handle conflict resolution is that Intune replaces SCCM as the source of authority for that feature.Q: If being asked today to start supporting Windows 7 and 10 laptops when connected to the internet, what is the best option given all the new features? 
Current environment, ConfigMgr 1706, ADFS, Azure AD P1. No PKI yet but working towards it. (thread)A: See the response to this other question.Q: New feature in 1706 "Cloud Management". Does it support Windows 7 devices in an environment with ADFS, Azure AD Premium P1 and ConfigMgr 1706? (thread)A: No, this requires the client device to be Windows 10 in order to register with Azure Active Directory. One aspect of the co-management strategy is to allow you to do modern cloud management with Windows 10 devices while continuing traditional management in SCCM of your existing Windows 7 and Windows 8 devices.Q: Can you give us any information on a timeline when the extra resources will be available in Intune to be used in a co-management scenario? Also, any news on Sidecar and its capabilities? (thread)A: Co-Management will be available with the 1710 updates to ConfigMgr and Intune and the Windows 10 Fall Creators Update. The Intune Management Extension is also going to be available with Intune 1710.That’s a wrap!Thank you for joining for?this fun and action-packed hour! We hope you'll continue to ask questions and share your feedback in this group.?See you next time!? ................