How to Set Up Co-Management in Microsoft SCCM to Connect to Microsoft Intune

Captions
Hi, my name is Justin Chalfant. I'm the engineering lead at Patch My PC; we develop a third-party patch management solution that integrates into Microsoft Configuration Manager. Prior to my current role I was also a Premier Field Engineer at Microsoft supporting Config Manager. In this video I'm going to be talking about co-management: how to set it up and some of the benefits that it's going to give you.

So first, for those of you who aren't that familiar with what co-management is, it's essentially a way that you can manage a device with both the Config Manager client as well as the Intune agent that's going to be doing MDM capabilities. So some of the benefits that's going to get you are some of the MDM actions that you can do through Intune that you can't do through Config Manager, things like resets, deleting devices, selective wipe, etc. So just a few things that you're going to get right away. For things that do overlap, you're going to choose whether you want Config Manager or Intune to handle those types of capabilities, and we'll go through this process.

So the scenarios that I plan to cover today: I'm going to cover the ability to enroll a device into Azure AD only, or a cloud domain join, how you can enroll that and auto-enroll into Intune, and then within Intune we can deploy the Config Manager client through cloud management gateway to essentially get it enrolled co-managed within Intune and Config Manager. The second scenario we're going to talk about is if you have devices that are on-prem domain joined only and managed through Config Manager, how we can register those into hybrid Azure AD, auto-enroll them into Intune, and then they could be co-managed with Config Manager and Intune in your on-prem environment, if that's where you're at today. So with that said, we'll go ahead and jump right in. There is a lot of content here, so I want to make sure that we go through and get this all covered.

So the first thing I want to show is some of these settings that I have in Azure AD. So within Azure AD, within here we are at Azure AD, then we're at Devices and then Device settings under Azure AD. Now within the device settings, what we've done, we made sure that we're allowing users that are a user of Azure AD, either through Azure AD Connect if they're on-prem identities or if they're cloud only, we're saying that any of those users have the ability to enroll devices into Azure AD. Now the next prerequisite that we made sure that we had is back in Azure AD. So if I come back here under Mobility (MDM and MAM), under Microsoft Intune, what we've done, we've made sure that the users can also enroll into MDM. So I've done that in Intune, and in the Intune enrollment I also set it here. I'm not sure if you really need to duplicate that, but I do have it set in both places. All right, so I think that looks good. The only other thing I'll cover: one of my identities here, I have the trial of Intune, so within my user account, if I look at licenses, we have provided the Enterprise Mobility and Security as well as Intune. I think this one should cover both options, but I think I had Intune set first and then I did the trial of Enterprise Mobility and Security E5. So you will want to make sure that if you're doing the cloud scenario where you're enrolling into Azure AD with auto MDM that your user does also have your license assigned. All right, I think that's most of what I wanted to show from the prerequisites side from Azure and Intune in order to get this all to work.

The next thing that we're going to do is go ahead and jump over to Config Manager. Now before we talk about the scenario where we enroll into Azure AD through the cloud, auto-enroll into Intune, and then install the Config Manager client through CMG, I do want to cover some of the prerequisites, because some of these are covered in a different video. So what we've done, I'll include a video link somewhere in the top corner of the video right where this red line is. Now we need cloud management gateway, so that's going to allow your clients on the internet, in this scenario the ones that enroll into Azure and Intune, to download the client and register with the Config Manager environment over the internet through CMG. So this topic is covered in another video; it's about 45 minutes, so I think it made sense to split these up. But just looking at the prerequisites for this, you know, we will need cloud management gateway, cloud DP, which is now integrated into the cloud management gateway role, and creating all the Azure AD subscriptions. So this is all done in the previous video, so you will want to start there if you want to do this scenario that we're talking about first, where we enroll through Azure AD, auto-enroll into Intune, and then install the client.

So coming back to our console to show you where we're at kind of today, if we look under our cloud services: so what we've got from the cloud management gateway video, we've already set up our Azure AD, we've already set up our Azure subscription, and then we've already set up our cloud management gateway to manage clients over the internet. So this is all covered in that video; you're going to want to start there if you want to set up this first scenario. So now that we have CMG set up, we're actually at a point where we can go ahead and come into our co-management node and go ahead and configure that. So I'm going to go ahead and open that up. We're going to log in with our Azure AD global admin for our tenant, so I'll go ahead and enter my credentials in here. This setup is the whole just-for-clicks thing; this is when we're actually setting up the subscription, but of course there are things that we had to do before that, like set up CMG and a few other things. Now for this lab I'm going to go ahead and choose to enroll All. Now this is important: this is the command line that we need to upload into Intune as an application, for the MDM agent out on the internet to know how to enroll back to our site through cloud management gateway over the internet. So I'll go ahead and choose this copy option here, and just in case I end up copying something else we'll go ahead and paste that into Notepad. So this looks good.

Now this is the workloads. So this is where, when there are things that can be done by both Intune and Config Manager, you choose whether you want to have them handled by Config Manager or Intune. Now for pretty much everything we're doing here, I'll say for this demo we'll go ahead and put the compliance policies to Intune. But of course you're going to get some of those native actions like device wipes, you know, single sign-on when we've registered with Azure, and just a few other things you're going to get. But this is where there are things that can be handled by both, whether you want to offload those to Intune or just have them handled through Config Manager. So I think this is fine for what we're doing today. For the staging I'm not worried about this, but if you wanted to stage this out to maybe only have like some test collections, like some pilot collections, enroll here, that's where you can choose your pilot collection, and then you could have chosen just to enroll the pilot group. But for this lab I'm okay with just enabling that for everything, and then we are good to go here. So that looks good.

So now that we have the co-management setup, we need to make sure that our devices that we enroll in Intune can automatically come down and get the Config Manager agent. So coming over to my Intune portal, under the applications, so Client apps, we're going to go through here under Apps and create a new app. Now we're going to choose the line-of-business app, and this is where we're going to point out to the Config Manager ccmsetup.msi file. So this is located in your installation directory, bin, and then i386. So this is different than the ccmsetup.exe; this is actually like a bootstrap MSI version that's going to connect back to your site over CMG to actually download the files that we need for client installation. So ccmsetup.msi within the i386 folder; so that's going to go ahead and upload, we'll do OK on that. Now for the Configure, this is where we need our command line. So we'll go ahead and fill out some of this metadata: "Microsoft Config Manager client bootstrap", that's fine. Command-line arguments: so this is the important part here. This is where we're adding in all the details that we copied when we went through and configured co-management. Now I'll include the resources that kind of explain what each of these settings are, but basically this is pointing out to our CMG server, our CMG MP, our Azure resource that we added within the CMG demo. But this is all going to be covered within one of the resources I give. What's nice is that if you have CMG set up before you go through the co-management, you can just copy all the settings that are relevant. So that looks good. I'll go ahead and copy the name and paste that for the description, since that's a required field, and then we'll go ahead and add this application. So this is going to go ahead and upload that MSI; this will just take a couple of seconds. All right, so it looks like that's done. So we'll go ahead and go into that application and click on the assignments, and we're going to go ahead and say that this is a required installation, and we're going to deploy this to all users and all devices as required in the device context. So we'll go ahead and do OK on that, and then OK here, and then click Save. So at this point we have our Config Manager ccmsetup.msi that's going to be deployed to the client when it gets enrolled into MDM through Azure AD join, and then it's going to enroll into our Config Manager site, and we'll go through and look at what that process looks like. All right, so that looks good.

So let's go over to one of our devices that are running Windows 10 1809. This is just in the out-of-the-box experience. Now this is going to be where we go through and register this device with Azure AD; that's going to auto-enroll into Intune because we enabled those settings within Intune for auto-enrollment. So we'll go ahead and click Yes here; we will leave the defaults. Now you can also use things like Windows Autopilot or a provisioning package, where you can go through and really automate a lot of this general setup going through OOBE, where you only have to kind of connect to Wi-Fi and then it could all be automated to enroll for you. But just for the sake of this video I think we're fine with just going through this process to get our device enrolled into Azure AD and then MDM, and then have the Config Manager agent auto-deploy. All right, looks like I do have Windows Hello still configured within my environment, so we'll go ahead and get that done in the background. All right, so we are now Azure AD joined. Let's go ahead and take a look at our account. There we go; so if we look at this Info tab, that means that we are also registered with MDM. OK, so let's take a look; let's just see if the ccmsetup MSI has actually kicked off yet on this device. Ah, looks like it has, so we can see we have the ccmsetup folder. One interesting thing I will show you, kind of what's going on when we install the Config Manager client: so we can see that's currently going through the install process. So let's just go ahead and verify within Config Manager, under our co-management, that we don't have any devices currently co-managed, so we can see that we're at 0% here. So let's come back to our client, and we can now see that ccmsetup is installed, so that looks good. But I do want to show how the client actually downloaded. So here's our command line; there we go, so we can see that it copied all those details within the MSI parameter that we gave it. And what that's going to do is, if we look at ccmsetup when it actually goes out, since this is just a bootstrap install, it's actually going to go out to CMG, for your cloud DP, and actually go out and download the content. So let's see if I can find that. All right, here we are. So since this is just the wrapper, the MSI wrapper, now we can see where it's actually going out and downloading the latest client through cloud management gateway. So things like, you know, your ccmsetup, you know, all the MSI files and different things associated with the client installation are all going to get downloaded over the internet to make sure that we have the latest version. So that's looking really good.

So we can see that that process installed the client. To show some of the registration information about what actually happens when it registers through Azure within your Config Manager site, if we look at our logs and look at ClientIDManagerStartup, so this is the log file that shows your client registering with your Config Manager site, what we're going to see here is, here we go, so we can see that since we're registered with Azure AD for your tenant, it's going to use that native cert that your client's going to automatically get with the Azure registration. So you don't have to worry about PKI for your client side, since that's already going to be handled just through the default Azure join. So we can see that we went through, it registered with our site, it used Azure AD auth, and we are now approved within our Config Manager environment. So this is now a managed client. We can see that we probably have started getting different policy for this device, so that's currently downloading. OK, so it looks like we've gone through, it's got all the initial policy. So if we come through here and look at the control panel, I'll go ahead and copy my Config Manager control panel applet to our desktop, and we can now see that this is a managed client. All right, so we are now co-managed as well, so that means we have Intune and Config Manager, but I'm also registered with my Config Manager site, and all that happened through cloud management gateway over the internet. So this device is actually connected to one of my guest networks, so everything that we did today could be the same way, like if you had remote sites and you just wanted them to Azure AD join, but you still wanted the Config Manager agent for the full capabilities there. So we'll just kick off; looks like not every action has been enabled yet through policy, but this will happen over the next few minutes. Let's see if we have anything showing up here yet. There we go, so we now can see that we have one device out of the seven that are compatible with co-management now showing that they are co-managed. So that's looking really good. So if we come back to our devices, let's just see what we have going on here. OK, so this should be that device; it's just going to have the generic name, since we did everything directly out of the out-of-the-box experience. We can see that we are now co-managed, so that means the device is now in Intune as well as Config Manager.

So while we wait for that to go through the normal stages of registering and getting hardware inventory, where we can actually go out and look at it, let's go ahead and talk about the other scenario. So the next one's going to be: what about for those devices on-prem, if you wanted to also have them in a co-management environment where you can get some of the MDM capabilities like conditional access, factory resets, things like that? That's a little bit more challenging. So I mean with this first scenario, really the bigger requirement would have been getting cloud management gateway set up, because then after that it was really just making sure Intune is set to auto-enroll in MDM and then making sure that you have your co-management setting configured in Config Manager, so that really wasn't hard at all. This next scenario is going to be a little bit more, I would say, things that we have to make sure we have configured if you wanted your on-prem devices to register with a hybrid Azure AD join and enroll into Intune for the co-management. So what we're going to do first, to make sure that we have everything kind of configured and ready to go: this is a pretty vanilla lab. I thought this could be helpful for those of you who might not have Azure AD Connect configured on-prem, so that's going to be what we do next. In order to have our devices on-prem be able to auto-register with Azure AD, we need to make sure that we install AD Connect. So I'm just going to go through the AAD Connect installation, and this is going to be pretty standard; many sites will probably already have this configured, but we'll go ahead and install that. I think the default should be fine. Now while we're waiting for that, I do want to show you what I currently have here. So if I go to the Office portal, I don't have any of my users currently configured within our on-prem site to sync into Azure AD. So for this next scenario we need to make sure that we have that. So we can see we currently only have one user, and that's a cloud user that I created directly in here. So we're going to go ahead and sync some of our users as well as some of our devices so that we can go through this next scenario.

Now just a quick overview: so this is a prerequisite for getting our users to sync. We do need to make sure that we have our users with a public UPN. So what that means: if I open up my devices and look at one of my user accounts here, this is an on-prem user that I want to make sure that I can sync into Azure AD, since I want to enroll this device into MDM with this user. So the first thing you want to do is make sure that for your user account, under your UPN, you're using the domain name that's associated with your tenant in Azure. So in my case I'm using setup config manager dot com. So this domain's been around a while; I initially created it with this contoso.local domain name, so those types of identities wouldn't be able to sync. So what we can do is, if you go into Active Directory Domains and Trusts, you can go under your UPN suffixes and then you would add whatever UPN is being used in Azure. So in mine I verified my public domain name, setup config manager dot com, but you could always use your tenantname.onmicrosoft.com here as well. Once I did that, I went ahead and went into my users, and the one that I wanted to use for today, I went ahead and changed that UPN suffix. Now I'll include a few different resources; there are of course scripts that can go through and change this if you're using something that is not publicly verifiable within your lab domain name as well, where you can kind of automate this whole process.

All right, so back to my Azure AD Connect. What we're going to do here, so user sign-in, we're going to use password hash. A lot of these will probably be default. This is going to be our global admin within our tenant, so this is my account for my setup config manager login. All right, there we go. All right, so this is the domain that we want to sync our on-prem users into Azure AD. So this is going to allow those on-prem devices as well as the users to have an identity out there, that's going to be required in order for us to register our devices with Azure AD for on-prem. So there's going to be an on-prem enterprise admin account. There you go, so I added my on-prem domain; this is going to be where I want to sync. Now the next screen, we can choose if we want to do any OUs. So I'm not going to sync everything here for my test; I'm only going to sync a couple of different OUs. So this is just letting us know that, hey, your on-prem domain is not resolvable, it's contoso.local; these are the few users that have been verified for your public domain name. It's just letting you know that you want to make sure that you have your users with that public domain name that's been verified within your account. So I've already done that; we've gone through and configured those accounts to do that, so we should be good here. All right, so this is where we can go through and select if we only want to sync specific OUs. Now that's going to be the case in my environment. So if we look back at my structure here, I've got a few different things. I'm going to sync my Users OU, so I've got this Managed OU and then I have Users under that. Within here we've got a couple of different users that we want to sync out to Azure AD that could be used to enroll devices. But then we need to choose what OUs we want for computers to sync. So within this, I don't want all my computers to register with a hybrid Azure AD connection; I only want a couple. So within this I have a Demo OU, so this is going to be the on-prem device that is currently just managed via Config Manager that I want to use to register with a hybrid Azure AD connection, to enroll into Intune and then become co-managed. So I'm going to select my lab Demo OU as well as my Users OU, and that's going to be what I'm syncing for this test scenario. So that looks good. So we look under Managed, we're going to go ahead and get that Demo OU, and then I'll just leave it at the OU level; looks like you can even get to devices. And then we'll go ahead and select the Users OU and we'll do Next here. For this I'm just going to leave the default options for identifying users; synchronize, that looks good. So I don't think I'm worried about anything for pilot; I'll just leave it limited to the OUs that I did for the main sync, and we'll do password writeback as well, so if a user changes their password in Azure it will write back to their on-prem account. So that's going to go ahead and install, and we will choose to run the initial sync.

All right, so the initial Azure sync has completed; it took a couple of minutes after it was complete. And now if we look back into our Office portal, we can see that we have a couple of different things going on here. So this is the on-prem account that I synchronized, so we're going to go ahead and go into that, and what we need to make sure is that we assign a license for that on-prem user that can be used for Intune; otherwise the device isn't going to auto-register into Intune when that user signs in. So I've already got my Enterprise Mobility and Security E5 trial, and I've already assigned that to my user. So you will want to make sure that, if your users weren't synced already, they get assigned a license that can be used for enrolling in Intune. So that looks good.

Now what we've done so far with Azure AD Connect is that we've just started synchronizing some of the identities, but we didn't actually configure our devices to automatically register with a hybrid join to Azure AD, which means that they would register in Azure in addition to being on-prem domain joined, which gets you some of the single sign-on capabilities as well as that feature to auto-enroll into MDM or Intune. Now before I go through and show you what setting you need to enable for that auto-registration, we do want to make sure we set a group policy to tell the device, when it registers with a hybrid Azure AD join, that we also have it automatically register with MDM or Intune. So I'll include a link to this, but this has been available since 1709 of Windows 10: there's a group policy that can be configured to have it auto-enroll into MDM. So for that policy I'll go through and actually do what they're doing in the demo, which is setting it as a local policy, since we only want to do this on one device; you could of course do this through GPO as well. But under Administrative Templates, Windows Components, MDM, this is where we set the policy to auto-enroll in MDM when the device is registered into hybrid Azure AD. So let me go ahead and do that before I actually configure our devices to register. So we'll go ahead and open up gpedit.msc, so just the local policy on this one device that was in that test OU that we want to auto-register. So under Administrative Templates, Windows Components, MDM, and the option "Enable automatic MDM enrollment using default Azure AD credentials"; so we'll go ahead and do Apply on that. So that should tell the device, if it registers with Azure AD, that it should also auto-enroll into MDM. So that looks good. It was set locally; I probably don't need to do a gpupdate, but just to be safe I'll do a gpupdate and then also reboot. This shouldn't be required, but just to make sure that we have everything good and going faster for this lab, we'll go ahead and initiate that.

All right, now what we can do to see if the machine is currently joined to Azure AD, which it shouldn't be because we haven't configured the enrollment through AD Connect yet: there's this command line that we can run, and I'll include a link to this article. So if we come back to our device and go ahead and run that, let me zoom in on that, it's dsregcmd /status. So that's going to tell you if the device is registered with Azure AD or not. So that looks good here. So actually, that's interesting; it looks like it might, let's see, it looks like it has actually registered. Let me just go back into Azure AD Connect, because this might have saved the setting from my previous installation. So if I come back into Azure AD Connect, because I did uninstall this for this video, let me just see if it retained the settings. So once you install this, if you click on Configure, then there's this option here to configure device options. There we go, so Next here, you just connect into my Azure AD tenant. OK, so yeah, I think this setting did retain. If it was your first time setting this up, based on my experience the option to configure hybrid Azure AD join was not available during the initial configuration when you install it; you would have to go back in, like what I'm doing here, to actually enable the hybrid Azure AD join. So what that setting does is, for your on-prem domain joined devices, it will also have them automatically be registered into Azure AD as well. So let me just click Next here; it looks like it was already kind of set up here, so let me just go through and add this again to show you what it would look like. So we'll go ahead and add our domain; this is also an enterprise admin for your local domain. But it must have had these settings retained for me. Go ahead and do that; we'll do Next here, and this is where we're going to select that we want to auto-enroll Windows 10 devices or later. That's going to auto-register those on-prem domain joined devices with Azure AD, so you get things like single sign-on for the Azure AD apps, as well as auto-registering into MDM, since we enabled that local policy on the device. All right, so now we're complete. I think this was already configured, like I said, because when we looked at our on-prem device here, when we ran that command, we could see that it actually did in fact auto-register, and when I previously did that it must have retained that configuration when I reinstalled Azure AD Connect.

All right, so let's just take a look. If we come back into our accounts here, Work or School, so it looks like it has registered into MDM, it looks like, because we can see this Info tab. If it was just an Azure AD registration we would just see the Disconnect option here. So since we're actually on-prem, so we're contoso.local, that's if you wanted to disconnect from the domain, but this Info tab is what means that we're also in MDM. So if we go out and look at that, we can see that it is registered. So let's just go ahead and force a sync here. If we look under our management server, we can see that it's Intune. If we look at our Task Scheduler, we should see under Windows, EnterpriseMgmt that we have some of the MDM scheduled tasks that should be registered. This should come in here in a second; there we go, so we can see all the different MDM tasks are created, so we're definitely registered. Now to actually validate that, I did open this before that registration occurred, so we can see that co-management is currently one; that means that we're not co-managed, we can see that it's disabled here. So let's just see if this setting's actually taken effect yet. There we go, so reopening the control panel applet, we can see that we are now co-managed. If we go ahead and run a few actions here, I have noticed I think it's the data discovery cycle that will actually send that we're now co-managed back to the site. So I'm just going to go ahead and kick that one off, as well as our hardware inventory, so that should hopefully have the site update a little faster. So we can see that we now have two devices that are co-managed, so this is looking good.

Now let's go back to Intune while we wait for this. So if we look back under here, let's go back to Intune, look at Devices, All devices. All right, so now we can see both devices showing up here; I just did something to hide that. Let's see, there we go. So we can see that we have the device that we enrolled through Azure AD only, and that automatically got enrolled into Config Manager through our ccmsetup.msi that we created and deployed, and then we also have this on-prem domain joined device that was automatically enrolled into Intune when we configured the hybrid Azure AD join through AD Connect. So this one is also now available via Intune, and we can see that they're both co-managed here. So that looks good. Let's come back to our console now; let's go under Monitoring, and now we can see that we have 28 percent for the co-managed devices, so that's now at 2. I'm going to see if I can get that. So we can also see the co-management status: we can see that we have one device that was done via a hybrid Azure AD join, so that's the on-prem device that was registered with Azure AD and auto-enrolled into MDM even though it's still an on-prem joined device, and then we can see that we have one device that is purely Azure AD joined, out on the cloud only. So we can see that we have those two devices, so this looks really good. We can also see the workloads that you define: so we have compliance policies set to Intune; everything else is using Config Manager.

All right, so let's come back to our Azure AD joined device that is purely out on the internet. So what we can see here, just look at that, it looks like we just had some software updates applied. So now that this device is really managed via Config Manager or Intune, you could of course do things like deploy apps; you would get all your normal hardware inventory, deploy packages, deploy your software updates. Now if we come back here, we probably will already have hardware inventory. So if we look at this device that is here, we'll go ahead and start Resource Explorer, so we can see it's got all the hardware inventory that you would expect to see with a full client. So that looks awesome. Let me just refresh this and we'll see; it looks like it's already refreshed. So we can also see that this device that is on-prem also is now co-managed, but we can see that if we refresh, it's only that one Windows 10 device, because when we configured AD Connect we only configured that one OU. So that can be a good way to kind of only sync the devices and register the ones that you want to use. So I mean at this point we are pretty much done. So you could go through and, you know, if you wanted to play around with the different workloads, you could of course come through and say maybe I want Intune to manage device configurations, etc., and then you could start playing around with the Intune console if you wanted to have any of your workloads go out to MDM as well.

I'm going to show you some of those MDM capabilities. What we will do is we'll click our device, this is the one that was Azure AD joined only, not on-prem, and let's go ahead and perform a wipe. So we're going to do a full wipe here, and let's come back to this device real quick. So here's the device we initiated it on, so within the next few seconds hopefully we should see the device start to reset. There we go, so at that point it's going to go through the system reset. So that looks good, so it's resetting, and so that was the Azure AD joined device only. Now let's go ahead and come back here. So here's our other device; this is the one that was domain joined but it was also registered and auto-enrolled into MDM through Azure AD hybrid. So let's go back into our Intune console, and let's see if we can go back to Devices and go ahead and send the wipe command here. There we go, so this one is on-prem; let's see what happens with this. All right, so that one just kicked off. Since I was remote today I just lost the connection, but let's see if I can show you that device that was B to 110, and now we can see that it's also in the resetting.

All right, so I think that's all I had to cover, at least for the initial setup of co-management. Maybe we'll go through a few different things in the future around managing devices within Intune. So I mean that's all I had. So I think it does bring in some interesting scenarios. For me I thought it was kind of interesting, like if you have devices that are managed on the internet, maybe you have a lot of retail stores, if you had the ability to do everything you need through Azure AD, where you could have your devices and users auto-enroll themselves through the out-of-the-box experience with their normal credentials and then automatically have the Config Manager agent go through CMG, I think that that's an interesting scenario, as well as the on-prem way as well. Um, so I mean that's kind of what I had. Hopefully that provides you value, and thank you for watching.
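The video verifies each device by hand (dsregcmd /status, the Work or School Info tab, the EnterpriseMgmt scheduled tasks, and the ConfigMgr control panel applet). The following PowerShell script, added here and not from the video or from Patch My PC, reports the same state from one elevated prompt on the Windows 10 device: the join type parsed from dsregcmd, the MDM enrollment URL, the "Enable automatic MDM enrollment using default Azure AD credentials" policy value, the EnterpriseMgmt tasks, and the ConfigMgr client's CoManagementFlags value. The function names and the sample dsregcmd output are my own; the registry paths are the ones the MDM policy and the ConfigMgr client write to.

```powershell
# Added check script (not from the video). Run in an elevated PowerShell session
# on the device being enrolled. Assumed/hypothetical names: ConvertFrom-DsregStatus,
# Get-JoinType, Get-CoManagementReadiness and the constructed $SampleDsregOutput below.

function ConvertFrom-DsregStatus {
    # Turn the "   Key : Value" lines that dsregcmd /status prints into a hashtable.
    # Section banners ("| Device State |") and rule lines ("+----+") do not match and are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinType {
    # Classify the device the way the video distinguishes its two scenarios.
    param([Parameter(Mandatory)][hashtable]$State)
    $aad = ($State['AzureAdJoined'] -eq 'YES')
    $dom = ($State['DomainJoined']  -eq 'YES')
    if ($aad -and $dom) { return 'Hybrid Azure AD joined' }
    if ($aad)           { return 'Azure AD joined' }
    if ($dom)           { return 'Domain joined only (not registered in Azure AD)' }
    return 'Not joined'
}

function Get-CoManagementReadiness {
    # Collect everything the video checks by hand into one object.
    param([string[]]$DsregOutput)
    if (-not $DsregOutput) { $DsregOutput = & dsregcmd.exe /status }
    $state = ConvertFrom-DsregStatus -Lines $DsregOutput

    # Written by the local/group policy "Enable automatic MDM enrollment using
    # default Azure AD credentials" (Administrative Templates > Windows Components > MDM).
    $mdmPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
                                  -ErrorAction SilentlyContinue

    # Written by the ConfigMgr client once it receives co-management policy from the site.
    $ccm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction SilentlyContinue

    # The MDM enrollment creates its scheduled tasks under \Microsoft\Windows\EnterpriseMgmt\<enrollment id>\.
    $mdmTasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
                Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }

    [pscustomobject]@{
        JoinType          = Get-JoinType -State $state
        MdmUrl            = $state['MdmUrl']
        MdmEnrolled       = -not [string]::IsNullOrEmpty($state['MdmUrl'])
        AutoEnrollPolicy  = ($mdmPolicy.AutoEnrollMDM -eq 1)
        MdmTaskCount      = @($mdmTasks).Count
        CoManagementFlags = $ccm.CoManagementFlags
        # 0 or missing: the client has not received co-management policy yet.
        CoManaged         = ($ccm.CoManagementFlags -gt 0)
    }
}

# Constructed sample of dsregcmd /status output (a hybrid-joined, MDM-enrolled device),
# so the parser and classifier can be exercised on a machine that is not joined to anything.
$SampleDsregOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

# Dry run against the constructed sample, then the live device.
$parsed = ConvertFrom-DsregStatus -Lines $SampleDsregOutput
"Sample device join type: $(Get-JoinType -State $parsed); MdmUrl set: $(-not [string]::IsNullOrEmpty($parsed['MdmUrl']))"
Get-CoManagementReadiness | Format-List
```

On the Azure AD only device from the first scenario the live output should show JoinType "Azure AD joined" with CoManaged turning true once ccmsetup.msi has pulled the client through CMG and policy has arrived; on the on-prem device it should show "Hybrid Azure AD joined", AutoEnrollPolicy true, and a non-zero MdmTaskCount after the hybrid join registers.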
Info
Channel: Patch My PC
Views: 42,175
Keywords: Co-Management, SCCM CO-Management, ConfigMgr co-management, set up co-management sccm, Co-management for Windows 10 devices, What is co-management, How to configure co-management, Enable co-management, Install Configuration Manager client to the devices enrolled in Intune, Monitor co-management
Id: rTapalSHv6U
Length: 38min 39sec (2319 seconds)
Published: Mon Nov 05 2018