This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 48%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi,
We have hybrid AD Win 10 devices that are managed by SCCM. Now we need to enrol those hybrid AD devices to Intune and we are able to do it by pushing the MDM GPO. We haven't done anything in SCCM co-management settings so far like enablement of Co-management
Are there any changes we need to do for achieving our target? We are after patching (Quality / Feature / Office Updates) those devices via Intune instead of SCCM.
TIA
Shijin M
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 50%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Need more information. Are you saying,
1) Machines managed by SCCM
2) They are Hybrid Azure AD joined
3) MDM GPO deployed to this PC
4) No co-management setting turned ON
Still a machine managed by SCCM enrolled in Intune? Ideally this is not possible.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 48%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYG%3C/text%3E%3C/svg%3E)
Hi,
there are 2 things here which we need to see ,
Firstly if you are enrolling the devices Via GPO, and the sccm is already there in the machine , the state of the machine will be a co-managed state once the sccm client is detected . Now since you are opting to go for the intune enrollment via sccm client ,you can also utilize it but first you need to make sure the autoenrollment collection it should a Pilot collection (You can take it as a test collection) , the devices in this group will be enrolled via sccm client for a reference the flow is too large you can check the basic things in the task scheduler the task name "Enterprise management" will be created and the you can check the comanagementhandler.log.
You mentioned that you need to enable the patching on the machines for this you need to configure the workloads which are defined , the 2 workloads which you need to move to the Intune pilot / Intune (based on the environment) is the office click to run apps and the windows update policy . The office click to run apps will make sure the apps are deployed via intune There's a new global condition, Are Office 365 applications managed by Intune on the device. This condition is added by default as a requirement to new Microsoft 365 applications. You can then enable the updates to them via ADMX in intune https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-update-office
For the quality updates and the feature updates , you have the windows update rings which you can target accordingly from MEM console.
Just for FYI : If the workload remains on SCCM and you target policy via Intune /MEM it will be shown as not applicable as the machine will not be able to determine the policy is coming from MEM since workload is still on sccm
You definitely need to enable co-management otherwise the ConfigMgr client will prevent nearly all Intune management of the devices. There's also no need to enroll the devices in MDM using a GPO as that's part of the functionality included in co-management.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@shmo-MS . For the Hybrid Azure AD joined device which are not managed by SCCM, we can put these devises into one OU and assign the GPO for the enrollment. For the Hybrid Azure AD joined device which are manged by SCCM, we can consider co-management.
Here is an article describe the prerequisites and steps to enable co-management for existing configuration Manager Clients. We can read it as a reference:
https://learn.microsoft.com/en-us/mem/configmgr/comanage/tutorial-co-manage-clients
Hope it can help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 28.000000000000004%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Do you guys think I can have any issue in my IT environment if I decide to enable the Hybrid Ad Join ?