What is co-management?

Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud. It helps you unlock additional cloud-powered capabilities like conditional access.

Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality. By using co-management, you have the flexibility to use the technology solution that works best for your organization.

When a Windows 10 device has the Configuration Manager client and is enrolled to Intune, you get the benefits of both services. You control which workloads, if any, you switch the authority for from Configuration Manager to Intune. Configuration Manager continues to manage all other workloads, including those workloads that you don't switch to Intune, and all other features of Configuration Manager that co-management doesn't support.

You're also able to pilot a workload with a separate collection of devices. Piloting allows you to test the Intune functionality with a subset of devices before switching a larger group.

[Figure: overview diagram of co-management]

Note

When you concurrently manage Windows 10 devices with both Configuration Manager and Microsoft Intune, this configuration is called co-management. When you manage devices with Configuration Manager and enroll to a third-party MDM service, this configuration is called coexistence. Having two management authorities for a single device can be challenging if not properly orchestrated between the two. With co-management, Configuration Manager and Intune balance the workloads to make sure there are no conflicts. This interaction doesn't exist with third-party services, so there are limitations with the management capabilities of coexistence. For more information, see Third-party MDM coexistence with Configuration Manager.

Paths to co-management

There are two main paths to reach co-management:

  • Existing Configuration Manager clients: You have Windows 10 devices that are already Configuration Manager clients. You set up hybrid Azure AD, and enroll them into Intune.

  • New internet-based devices: You have new Windows 10 devices that join Azure AD and automatically enroll to Intune. You install the Configuration Manager client to reach a co-management state.

For more information on the paths, see Paths to co-management.

Benefits

When you enroll existing Configuration Manager clients in co-management, you gain the following immediate value:

  • Conditional access with device compliance

  • Intune-based remote actions, for example: restart, remote control, or factory reset

  • Centralized visibility of device health

  • Link users, devices, and apps with Azure Active Directory (Azure AD)

  • Modern provisioning with Windows Autopilot

  • Remote actions

For more information on this immediate value from co-management, see the quickstarts series to Cloud connect with co-management.

Co-management also enables you to orchestrate with Intune for several workloads. For more information, see the Workloads section.

Prerequisites

Co-management has these prerequisites in the following areas:

Licensing

  • Azure AD Premium

    Note

    An Enterprise Mobility + Security (EMS) subscription includes both Azure Active Directory Premium and Microsoft Intune.

  • At least one Intune license for you as the administrator to access the Intune portal.

    Tip

    Make sure you assign an Intune license to the account that you use to sign in to your tenant. Otherwise, sign in fails with the error message "User not recognized".

    You may not need to purchase and assign individual Intune or EMS licenses to your users. For more information, see the Product and licensing FAQ.

Configuration Manager

Co-management requires Configuration Manager version 1710 or later.

Starting in Configuration Manager version 1806, you can connect multiple Configuration Manager instances to a single Intune tenant.

Enabling co-management itself doesn't require that you onboard your site with Azure AD. For the second path scenario, internet-based Configuration Manager clients require the cloud management gateway (CMG). The CMG requires that the site is onboarded to Azure AD for cloud management.

Azure AD

  • Windows 10 devices must be connected to Azure AD. They can be either of the following types:

    • Hybrid Azure AD-joined, where the device is joined to your on-premises Active Directory and registered with your Azure Active Directory.

    • Azure AD-joined only. (This type is sometimes referred to as "cloud domain-joined".)

Intune

Windows 10

Upgrade your devices to Windows 10, version 1709 or later. For more information, see Adopting Windows as a service.

Important

Windows 10 mobile devices don't support co-management.
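
One way to check the Azure AD and Windows 10 device prerequisites above on a single device, as an added example that is not part of the original page: it parses `dsregcmd /status` output to classify the join type and compares the OS build against 16299 (Windows 10, version 1709). The function name `Test-CoManagementPrereq` and its output fields are assumptions made for this example, and the sample input is constructed.

```powershell
# Added example: the function name and output shape are assumptions, not a Microsoft cmdlet.
function Test-CoManagementPrereq {
    [CmdletBinding()]
    param(
        # Raw lines of `dsregcmd /status`; injectable so the parser can run offline.
        [string[]]$DsregOutput = (& dsregcmd.exe /status),
        # OS build number; 16299 corresponds to Windows 10, version 1709.
        [int]$OsBuild = [System.Environment]::OSVersion.Version.Build
    )

    # dsregcmd prints "Key : Value" pairs; collect them into a hashtable.
    $state = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    # A missing key compares as $false, so an unparseable report fails closed.
    $aadJoined    = $state['AzureAdJoined'] -eq 'YES'
    $domainJoined = $state['DomainJoined']  -eq 'YES'

    $joinType = if ($aadJoined -and $domainJoined) {
        'Hybrid Azure AD-joined'
    } elseif ($aadJoined) {
        'Azure AD-joined only'
    } else {
        'Not connected to Azure AD'
    }

    [pscustomobject]@{
        JoinType           = $joinType
        AzureAdOk          = $aadJoined
        OsBuild            = $OsBuild
        WindowsOk          = $OsBuild -ge 16299
        MeetsDevicePrereqs = $aadJoined -and ($OsBuild -ge 16299)
    }
}

# Constructed sample input (not captured from a real device).
$sample = @(
    '| Device State |',
    '    AzureAdJoined : YES',
    ' EnterpriseJoined : NO',
    '     DomainJoined : YES'
)
Test-CoManagementPrereq -DsregOutput $sample -OsBuild 17134
```

Called with no arguments on a managed device, the function reads the live `dsregcmd /status` output and the local OS build. It does not check licensing or the Configuration Manager site version.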

Permissions and roles

| Action | Role needed |
|---|---|
| Set up a cloud management gateway in Configuration Manager | Azure Subscription Manager |
| Create Azure AD apps from Configuration Manager | Azure AD Global Administrator |
| Import Azure apps in Configuration Manager | Configuration Manager Full Administrator. No additional Azure roles needed |
| Enable co-management in Configuration Manager | An Azure AD user. Configuration Manager Full Administrator with All scope rights. |

For more information about Azure roles, see Understand the different roles.

For more information about Configuration Manager roles, see Fundamentals of role-based administration.

Workloads

You don't have to switch the workloads, or you can do them individually when you're ready. Configuration Manager continues to manage all other workloads, including those workloads that you don't switch to Intune, and all other features of Configuration Manager that co-management doesn't support.

Co-management supports the following workloads:

  • Compliance policies

  • Windows Update policies

  • Resource access policies

  • Endpoint Protection

  • Device configuration

  • Office Click-to-Run apps

  • Client apps

For more information, see Workloads.

Monitor co-management

The co-management dashboard helps you review machines that are co-managed in your environment. The graphs can help identify devices that might need attention.

[Figure: screenshot of the co-management dashboard]

For more information, see How to monitor co-management.

Next steps