How to prepare internet-based devices for co-management
This article covers the second path to co-management: new internet-based devices. In this scenario, you have new Windows 10 devices that join Azure AD and automatically enroll in Intune. You then install the Configuration Manager client to reach a co-management state.
For new Windows 10 devices, you can use the Autopilot service to configure the out-of-box experience (OOBE). This process includes joining the device to Azure AD and enrolling the device in Intune.
For more information, see Overview of Windows Autopilot.
To configure your devices to automatically enroll in Intune when they join Azure AD, see Enroll Windows devices for Microsoft Intune.
Gather information from Configuration Manager
Starting in version 1802, use Configuration Manager to collect and report the device information required by Intune. This information includes the device serial number, Windows product identifier, and a hardware identifier. It's used to register the device in Intune to support Windows Autopilot.
In the Configuration Manager console, go to the Monitoring workspace, expand the Reporting node, expand Reports, and select the Hardware - General node.
Run the report, Windows Autopilot Device Information, and view the results.
In the report viewer, select the Export icon, and choose the CSV (comma-delimited) option.
After saving the file, upload the data to Intune.
For more information, see Add devices in Intune.
Autopilot for existing devices
Windows Autopilot for existing devices is available in Windows 10, version 1809 or later. This feature allows you to reimage and provision a Windows 7 device for Windows Autopilot user-driven mode using a single, native Configuration Manager task sequence.
For more information, see Windows Autopilot for existing devices task sequence.
Install the Configuration Manager client
For internet-based devices in the second path, you need to create an app in Intune. Deploy this app to Windows 10 devices that aren't already Configuration Manager clients.
Before deploying this app to devices, make sure the devices trust the CMG server authentication certificate. For more information, see CMG trusted root certificate to clients. If a device doesn't trust the CMG server authentication certificate, ccmsetup.log on that client shows the WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA error.
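The following PowerShell is an added example, not part of the article, to help spot that failure: it parses ccmsetup.log entries (CMTrace format) for the WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA signature and then checks whether a given root thumbprint is in the local machine's Trusted Root store. The function names, the sample log lines and the placeholder thumbprint are all constructed for this example; the message text surrounding the flag in a real log may differ, only the flag name is taken from the article.

```powershell
function Get-CcmSetupCertificateFailure {
    [CmdletBinding()]
    param(
        # Lines of a ccmsetup.log (CMTrace format), for example from Get-Content.
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$Line
    )
    begin {
        # One CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." context="..." type="N" ...>
        $entry = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
        $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    }
    process {
        foreach ($text in $Line) {
            if ($text -match $entry -and $Matches.msg -like '*WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA*') {
                [pscustomobject]@{
                    Date      = $Matches.date
                    Time      = $Matches.time
                    Component = $Matches.comp
                    Severity  = $severity[$Matches.type]
                    Message   = $Matches.msg
                    Cause     = 'Client does not trust the CMG server authentication certificate chain'
                }
            }
        }
    }
}

function Test-CmgRootInLocalMachineStore {
    param(
        # Thumbprint of the CMG trusted root certificate (supply your own; this is a placeholder parameter).
        [Parameter(Mandatory)][string]$Thumbprint
    )
    # Store thumbprints are uppercase hex with no separators, so normalize before comparing.
    $wanted = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()
    $null -ne (Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $wanted })
}

# Constructed sample lines in CMTrace format (not a real capture); the second line carries the failure signature.
$sampleLog = @'
<![LOG[Sending HTTP request to https://CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500/ccm_system/request]LOG]!><time="10:01:02.100+000" date="01-15-2021" component="ccmsetup" context="" type="1" thread="4312" file="ccmsetup.cpp:9012">
<![LOG[WINHTTP_CALLBACK_STATUS_SECURE_FAILURE encountered: WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA]LOG]!><time="10:01:02.350+000" date="01-15-2021" component="ccmsetup" context="" type="3" thread="4312" file="ccmsetup.cpp:9045">
'@

$sampleLog -split '\r?\n' | Get-CcmSetupCertificateFailure | Format-List

# On a real client, read the default log location instead:
# Get-Content "$env:windir\ccmsetup\Logs\ccmsetup.log" | Get-CcmSetupCertificateFailure
# Then confirm the CMG trusted root is present (replace the placeholder with your thumbprint):
# Test-CmgRootInLocalMachineStore -Thumbprint '<CMG-trusted-root-thumbprint>'
```

Run the log check first: a hit with Severity "Error" confirms the trust problem described above, and a `$false` from the store check points at the missing root certificate rather than at the command line or the CMG itself.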
Get the command line from Configuration Manager
In the Configuration Manager console, go to the Administration workspace, expand Cloud Services, and select the Co-management node.
Select the co-management object, and then choose Properties in the ribbon.
On the Enablement tab, copy the command line. Paste it into Notepad to save it for the next procedure.
The following command line is an example:
Starting in version 1806, fewer command-line properties are required.
The following command-line properties are required in all scenarios:
The following properties are required when using Azure AD for client authentication instead of PKI-based client authentication certificates:
If the client roams back to the intranet, the following property is required:
If using your own PKI SSL certificate and your CRL isn't published to the internet, the following parameter is required:
For more information, see Planning for CRLs.
Starting in version 1810, the site publishes additional Azure AD information to the cloud management gateway (CMG). An Azure AD-joined client gets this information from the CMG during the ccmsetup process, using the same tenant to which it's joined. This behavior further simplifies enrolling devices to co-management in an environment with more than one Azure AD tenant. Now the only two required ccmsetup properties are CCMHOSTNAME and SMSSiteCode.
If you're already deploying the Configuration Manager client from Intune, update the Intune app with a new command line and new MSI.
The following example includes all of these properties:
ccmsetup.exe CCMHOSTNAME=CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500 SMSSiteCode=ABC AADCLIENTAPPID=7506ee10-f7ec-415a-b415-cd3d58790d97 AADRESOURCEURI=https://contososerver SMSMP=https://mp1.contoso.com
For more information, see Client installation properties.
Create the app in Intune
Go to the Azure portal, and then open the Intune page.
Select Client Apps > Apps > Add.
Under Other, select Line-of-business app.
Upload the ccmsetup.msi app package file. Find this file in the following folder on the Configuration Manager site server:
<ConfigMgr installation directory>\bin\i386.
When you update the site, make sure you also update this app in Intune.
After the app is updated, configure the app information with the command line that you copied from Configuration Manager.
If you customize this command line, make sure it isn't more than 1024 characters long. When the command line length is greater than 1024 characters, the client installation fails.
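The following PowerShell is an added example, not part of the article, that serves both the command-line section above and this length limit: it assembles a ccmsetup command line from a set of properties, enforces the two properties the article names as required from version 1810 onward (CCMHOSTNAME and SMSSiteCode), requires the two Azure AD properties to appear together, and rejects anything longer than 1024 characters before you paste it into the Intune app. The function name and the pairing rule for the AAD properties are assumptions of this example; the sample values are the ones from the article's example command line.

```powershell
function New-CcmSetupCommandLine {
    [CmdletBinding()]
    param(
        # Property name -> value pairs, e.g. CCMHOSTNAME, SMSSiteCode. Use [ordered]@{} to keep the order you want.
        [Parameter(Mandatory)][System.Collections.IDictionary]$Properties,
        [string]$Executable = 'ccmsetup.exe',
        # Intune fails the client install when the command line exceeds 1024 characters.
        [int]$MaxLength = 1024
    )

    # Required in every scenario from version 1810 onward; the CMG supplies the remaining Azure AD details.
    foreach ($name in 'CCMHOSTNAME', 'SMSSiteCode') {
        if (-not $Properties.Contains($name)) {
            throw "Missing required ccmsetup property: $name"
        }
    }

    # Assumption of this example: the Azure AD client-authentication pair is only valid together.
    $aadPresent = @('AADCLIENTAPPID', 'AADRESOURCEURI' | Where-Object { $Properties.Contains($_) })
    if ($aadPresent.Count -eq 1) {
        throw "AADCLIENTAPPID and AADRESOURCEURI must be specified together (found only $($aadPresent[0]))"
    }

    $parts = foreach ($key in $Properties.Keys) {
        $value = [string]$Properties[$key]
        if ([string]::IsNullOrWhiteSpace($value)) { throw "Property $key has an empty value" }
        # Quote values that contain whitespace so ccmsetup reads them as a single property.
        if ($value -match '\s') { '{0}="{1}"' -f $key, $value } else { '{0}={1}' -f $key, $value }
    }

    $commandLine = '{0} {1}' -f $Executable, ($parts -join ' ')
    if ($commandLine.Length -gt $MaxLength) {
        throw "Command line is $($commandLine.Length) characters; Intune fails the install above $MaxLength"
    }
    return $commandLine
}

# Sample values taken from the article's example command line.
$props = [ordered]@{
    CCMHOSTNAME    = 'CONTOSO.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72186325152220500'
    SMSSiteCode    = 'ABC'
    AADCLIENTAPPID = '7506ee10-f7ec-415a-b415-cd3d58790d97'
    AADRESOURCEURI = 'https://contososerver'
    SMSMP          = 'https://mp1.contoso.com'
}

$cmd = New-CcmSetupCommandLine -Properties $props
Write-Output $cmd
Write-Output ('Length: {0} of {1} characters' -f $cmd.Length, 1024)
```

Paste the returned string into the Intune app's command-line field. If you add properties of your own, the length check fails early in the console instead of silently failing at install time on the device.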