Switch Configuration Manager workloads to Intune

In Prepare Windows 10 devices for co-management, you prepared Windows 10 devices for co-management. These devices are joined to AD, Azure AD, they're enrolled in Intune, and have the Configuration Manager client. You likely still have Windows 10 devices that are joined to AD and have the Configuration Manager client, but not joined to Azure AD or enrolled in Intune. The following procedure provides the steps to enable co-management, prepare the rest of your Windows 10 devices (Configuration Manager clients without Intune enrollment) for co-management, and allows you to start switching specific Configuration Manager workloads to Intune.

Switch Configuration Manager workloads to Intune

  1. In the Configuration Manager console, go to Administration > Overview > Cloud Services > Co-management.
  2. On the Home tab, in the Manage group, choose Configure co-management to open the Co-management Configuration Wizard.
  3. On the Subscription page, click Sign In and sign in to your Intune tenant, and then click Next.
  4. On the Enablement page, choose either Pilot or All to enable Automatic enrollment in Intune, and then click Next. When you choose Pilot, only the Configuration manager clients that are members of the Pilot group are automatically enrolled in Intune. This option allows you to enable co-management on a subset of clients to initially test co-management, and rollout co-management using a phased approach. The command line can be used to deploy the Configuration Manager client as an app in Intune for devices already enrolled in Intune. For details, see Windows 10 devices enrolled in Intune.
  5. On the Workloads page, choose whether to switch Configuration Manager workloads to be managed by Pilot Intune or Intune, and then click Next. The Pilot Intune setting switches the associated workload only for the devices in the Pilot group. The Intune setting switches the associated workload for all co-managed Windows 10 devices.


    Before you switch any workloads, make sure the corresponding workload in Intune has been properly configured and deployed. Doing so ensures that workloads are always managed by one of the management tools for your devices.

  6. On the Staging page, configure the following settings and then click Next:
    • Pilot: The pilot group contains one or more collections that you select. Use this group as part of your phased rollout of co-management. You can start with a small test collection, and then add more collections to the pilot group as you roll out co-management to more users and devices. You can change the collections in the pilot group at any time from the co-management properties.
    • Production: Configure the Exclusion group with one or more collections. Devices that are members of any of the collections in this group are excluded from using co-management.
  7. To enable co-management, complete the wizard.

Starting in Configuration Manager version 1806, when you switch a co-management workload, the co-managed devices automatically synchronize MDM policy from Microsoft Intune. This sync also happens when you initiate the Download Computer Policy action from Client Notifications in the Configuration Manager console. For more information, see Initiate client policy retrieval using client notification.

Modify your co-management settings

After you enable co-management using the wizard, you can modify the settings in the co-management properties.

  • In the Configuration Manager console, go to Administration > Overview > Cloud Services > Co-management.
    Select the co-management object, and then on the Home tab, click Properties.

Workloads able to be transitioned to Intune

Certain workloads are available to be switched over to Intune. The following list will be updated as workloads become available to transition:

  1. Device compliance policies
  2. Resource access policies: Resource access policies configure VPN, Wi-Fi, email, and certificate settings on devices. For more information, see Deploy resource access profiles.
    • Email profile
    • Wi-Fi profile
    • VPN profile
    • Certificate profile
  3. Windows Update policies
  4. Endpoint Protection (starting in Configuration Manager version 1802)

    • Windows Defender Application Guard
    • Windows Defender Firewall
    • Windows Defender SmartScreen
    • Windows Encryption
    • Windows Defender Exploit Guard
    • Windows Defender Application Control
    • Windows Defender Security Center
    • Windows Defender Advanced Threat Protection
    • Windows Information Protection
  5. Device Configuration (starting in Configuration Manager version 1806)

    • Moving the device configuration workload also moves the Resource Access and Endpoint Protection workloads starting in version 1806.
    • Starting in version 1806, you can still deploy settings from Configuration Manager to co-managed devices even though Intune is the device configuration authority. This exception might be used to configure settings that are required by your organization but not yet available in Intune. Specify this exception on a Configuration Manager configuration baseline. Enable the option to Always apply this baseline even for co-managed clients when creating the baseline, or on the General tab of the properties of an existing baseline.
  6. Office 365 Click-to-Run apps (starting in Configuration Manager version 1806)
    • After moving the workload, the app shows up in the Company Portal on the device.
    • Office updates may take around 24 hours to show up on client unless the devices are restarted.
    • There is a new global condition, Are Office 365 applications managed by Intune on the device. This condition is added by default as a requirement to new Office 365 applications. When you transition this workload, co-managed clients don't meet the requirement on the application, thus don't install Office 365 deployed via Configuration Manager.
  7. Mobile apps (starting in Configuration Manager version 1806 as a pre-release feature)
    • After you transition this workload, any available apps deployed from Intune are available in the Company Portal.
    • Apps that you deploy from Configuration Manager are available in Software Center.

Monitor co-management

After you enable co-management, you can monitor co-management devices using the following methods:

  • The co-management dashboard
  • SQL view and WMI class: You can query the v_ClientCoManagementState SQL view in the Configuration Manager site database or the SMS_Client_ComanagementState WMI class. With the information in the WMI class, you can create custom collections in Configuration Manager to help determine the status of your co-management deployment. For details, see How to create collections. The following fields are available in the SQL view and WMI class:

    • MachineId: Specifies a unique device ID for the Configuration Manager client.
    • MDMEnrolled: Specifies whether the device is MDM-enrolled.
    • Authority: Specifies the authority for which the device is enrolled.
    • ComgmtPolicyPresent: Specifies whether the Configuration Manager co-management policy exists on the client. If the MDMEnrolled value is 0, the device isn't. co-managed regardless whether the co-management policy exists on the client.


      A device is co-managed when the MDMEnrolled field and ComgmtPolicyPresent fields both have a value of 1.

  • Deployment policies: Two policies are created in Monitoring > Deployments, one for the pilot group and one for production. These policies report only the number of devices where Configuration Manager has applied the policy. They don't consider how many devices are enrolled in Intune, which is a requirement before devices can be co-managed.

Check compliance for co-managed devices

Users can use Software Center to check the compliance of their co-managed Windows 10 devices whether conditional access is managed by Configuration Manager or Intune. Users can also check compliance by using the Company Portal app when conditional access is managed by Intune.

Next steps

Use the following resources to help you manage the workloads that you switch to Intune: