This chapter covers co-management between Microsoft Intune and Configuration Manager, a critical hybrid management solution for organizations transitioning to modern device management. Co-management allows you to simultaneously manage Windows devices using both Configuration Manager (on-premises) and Intune (cloud), enabling you to gradually migrate workloads to the cloud. On the MS-102 exam, co-management typically appears in 5-10% of questions, often in scenarios involving device enrollment, workload slider configuration, and conditional access integration. Master this topic to confidently answer questions about hybrid device management and migration strategies.
Imagine a large commercial aircraft that requires two pilots to fly: a Captain and a First Officer. Each pilot has their own set of controls but they share the same cockpit, instruments, and autopilot system. The Captain (Configuration Manager) handles the traditional flight controls—takeoff, landing, navigation—while the First Officer (Intune) manages the modern avionics and in-flight entertainment. The pilots agree on which workloads each will handle: for example, the Captain controls engine settings (Windows Updates) and the First Officer manages cabin systems (Device Compliance). They communicate constantly via the intercom (CMG/cloud gateway) and share a common flight plan (Azure AD and CM co-management settings). If the Captain is busy, the First Officer can take over certain tasks, but both must agree on the division of responsibilities (workload slider). The autopilot (MDM authority) is set to either pilot's preferences, but the other pilot can still monitor and intervene. Importantly, the plane cannot be flown by both pilots simultaneously on the same control—each workload is assigned to one pilot exclusively. Passengers (end users) don't see which pilot is flying; they just experience a smooth flight. If the pilots disagree on who controls the cabin temperature (policies conflict), the plane's systems (Intune) will follow the pilot with primary authority for that workload. This analogy mirrors co-management: Configuration Manager and Intune coexist, with each managing specific workloads, sharing a common device identity (Azure AD), and using a workload slider to decide which tool has authority for each management area.
What Is Co-Management and Why Does It Exist?
Co-management is a Microsoft solution that allows you to concurrently manage Windows 10/11 devices using both Configuration Manager (ConfigMgr) and Microsoft Intune. It was introduced to bridge the gap between traditional on-premises management and modern cloud-based management, enabling a phased migration without a 'big bang' cutover. The core idea is that you attach your ConfigMgr-managed devices to Intune, then selectively move management authority for specific workloads (e.g., Windows Update policies, endpoint protection) from ConfigMgr to Intune using a workload slider.
Co-management exists because many organizations have invested heavily in Configuration Manager and cannot migrate all devices overnight. It provides a path to modern management by allowing you to:
Enroll existing ConfigMgr clients into Intune without reimaging.
Gradually shift workloads to Intune while retaining ConfigMgr for others.
Use cloud-based features like conditional access, compliance policies, and remote actions.
How Co-Management Works Internally
Co-management relies on a device being enrolled in both ConfigMgr and Intune. The device must be Azure AD joined (or hybrid Azure AD joined) and have an Intune license. The process works as follows:
Device Enrollment: A Windows device that is already managed by ConfigMgr is enrolled into Intune. This can be done automatically via a GPO or manually. The enrollment creates an MDM relationship with Intune while the ConfigMgr client remains active.
Workload Assignment: The co-management workload slider in the ConfigMgr console (or Intune admin center) determines which tool manages each workload. The workloads are:
Compliance Policies
Windows Update Policies
Resource Access Policies
Endpoint Protection
Device Configuration
Office Click-to-Run
Client Apps
Policy Application: For each workload, the device receives policies from the assigned authority. If the slider is set to 'Intune' for a workload, Intune policies apply; if set to 'ConfigMgr', ConfigMgr policies apply. The device has both management agents installed, but only the authoritative agent enforces policies for that workload.
Health Reporting: The device reports its co-management state to both ConfigMgr and Intune. ConfigMgr shows the device as co-managed, and Intune shows it as an MDM enrolled device. Health data (e.g., compliance status) is shared via the cloud management gateway (CMG) or via direct internet connectivity.
Key Components, Values, Defaults, and Timers
Prerequisites:
Windows 10 version 1709 or later (or Windows 11).
Azure AD hybrid join or Azure AD join.
Intune license assigned to the user or device.
Configuration Manager version 1710 or later (current branch).
Cloud Management Gateway (CMG) or on-premises internet-based client management.
Workload Slider: Located in the ConfigMgr console under Administration > Cloud Services > Co-management. The slider has five positions: 'ConfigMgr' (all workloads managed by ConfigMgr), 'Pilot Intune' (pilot group for Intune), 'Intune' (all workloads managed by Intune), and intermediate steps. The default is all workloads managed by ConfigMgr until you move the slider.
Enrollment Methods:
Automatic enrollment via GPO: Deploy a GPO that sets the MDM enrollment URL to Intune. This triggers auto-enrollment for devices that are hybrid Azure AD joined.
Manual enrollment: Users can enroll via Settings > Accounts > Access work or school > Connect.
Configuration Manager client push: The ConfigMgr client can trigger Intune enrollment during client installation.
Timers:
Co-management status refresh interval: Every 24 hours by default (configurable via registry).
Policy polling interval: ConfigMgr client polls every 60 minutes; Intune MDM agent polls every 8 hours (or when a policy change is triggered).
CMG (Cloud Management Gateway): Required for internet-based clients to communicate with ConfigMgr. CMG is an Azure PaaS service that relays management traffic to the on-premises ConfigMgr site. Without CMG, clients must be on the corporate network or VPN to receive ConfigMgr policies.
Configuration and Verification Commands
To enable co-management, you typically use the ConfigMgr console, but you can also use PowerShell. Key commands:
Check co-management status on a client:
Get-CimInstance -Namespace root\CCM\CoManagement -ClassName CoManagementStatus
Enable co-management via PowerShell (on the ConfigMgr site server):
Set-CMCoManagementSetting -SiteCode XYZ -EnableCoManagement $true
Set the workload slider via PowerShell:
Set-CMCoManagementSetting -SiteCode XYZ -Workload 'CompliancePolicies' -PilotIntune $true
Verify Azure AD join status:
dsregcmd /status
Look for the 'AzureAdJoined' and 'DomainJoined' values in the output.
Interaction with Related Technologies
Co-management interacts with:
Azure AD: Devices must be Azure AD joined or hybrid joined. Co-management uses Azure AD for device identity and conditional access.
Conditional Access: Co-managed devices can be marked as compliant in Intune, enabling conditional access policies that require compliant devices. However, if the device is not enrolled in Intune (only ConfigMgr), conditional access may not work unless you use the ConfigMgr connector for Exchange/SharePoint.
Desktop Analytics: Co-management can be integrated with Desktop Analytics to gather data from co-managed devices for upgrade readiness.
Windows Autopilot: While Autopilot is for new devices, co-management is for existing devices. They can be used together in a migration scenario.
Common Pitfalls
Workload overlap: If both Intune and ConfigMgr apply policies for the same workload (e.g., both set device restrictions), conflicts can occur. The authoritative tool's policy wins, but it's best to avoid overlap.
License issues: Each user or device must have an Intune license. Without it, enrollment fails.
CMG availability: For internet-based clients, a properly configured CMG is essential. Without CMG, clients can only get ConfigMgr policies when on the corporate network.
Hybrid Azure AD join: Devices must be hybrid joined. If a device is only domain-joined but not synced to Azure AD, co-management enrollment will fail.
Prepare Environment for Co-Management
Ensure prerequisites are met: Windows 10/11 devices, Azure AD hybrid join configured via Azure AD Connect, Intune licenses assigned, and Configuration Manager version 1710 or later. Deploy the Cloud Management Gateway (CMG) if clients are internet-based. Verify that devices can communicate with both ConfigMgr and Intune endpoints. This step is critical because missing prerequisites cause enrollment failures, which are common exam traps.
Configure Azure AD Hybrid Join
Use Azure AD Connect to synchronize on-premises AD objects to Azure AD. Configure device writeback and hybrid join settings. The devices must be registered in Azure AD as hybrid joined. Check using dsregcmd /status on a client. Hybrid join is required because co-management relies on Azure AD device identity for Intune enrollment. Without it, the device cannot be enrolled into Intune while retaining ConfigMgr management.
Enable Co-Management in ConfigMgr
In the ConfigMgr console, navigate to Administration > Cloud Services > Co-management. Click 'Configure co-management' and follow the wizard. You must specify the Intune tenant, enable automatic enrollment, and select the pilot collection. The wizard creates a cloud attach point and configures the workload slider initially set to 'ConfigMgr' for all workloads. This step links your ConfigMgr hierarchy to Intune.
Deploy Co-Management Enrollment Policy
Deploy a group policy that sets the MDM enrollment URL to 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'. Alternatively, use ConfigMgr client settings to trigger enrollment. The policy is applied to the pilot collection. Devices in the collection will automatically enroll into Intune upon next policy refresh. Enrollment creates an MDM relationship without affecting the ConfigMgr client.
Adjust Workload Slider
After enrollment, gradually move workloads from ConfigMgr to Intune using the workload slider. For example, move 'Compliance Policies' to 'Pilot Intune' to test. Monitor the co-management dashboard in ConfigMgr for health. The slider controls which management authority enforces policies for each workload. Moving a workload to Intune means Intune policies become authoritative; ConfigMgr policies for that workload are ignored.
Monitor and Validate Co-Management
Use the ConfigMgr console's Co-management dashboard to view enrollment status, workload distribution, and device health. On clients, run 'Get-CimInstance -Namespace root\CCM\CoManagement -ClassName CoManagementStatus' to verify co-management state. Validate that Intune policies apply correctly and that devices appear in Intune as managed. This step ensures the configuration is working and helps troubleshoot issues.
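The verification commands above and the monitoring step here can be combined into one read-only client check. This is an added example, not code from the page or from Microsoft; it assumes an elevated PowerShell session on a Windows client with the ConfigMgr client installed, that the CoManagementFlags value lives under HKLM\SOFTWARE\Microsoft\CCM, and it decodes only that value's lowest bit (1 = co-management enabled), not the per-workload bits.

```powershell
# Added example for this chapter (not Microsoft's code): a read-only check of the
# join state, MDM auto-enrollment policy and co-management state on a client.
# Assumptions: elevated session, ConfigMgr client present, CoManagementFlags under
# HKLM\SOFTWARE\Microsoft\CCM; only bit 1 (co-management enabled) is decoded.

function Get-DsregState {
    # Parse lines such as "   AzureAdJoined : YES" from dsregcmd /status.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

function Get-JoinType([hashtable]$State) {
    # Map the two dsregcmd flags onto the join types the chapter distinguishes.
    if ($State['AzureAdJoined'] -and $State['DomainJoined']) { return 'Hybrid Azure AD joined' }
    if ($State['AzureAdJoined']) { return 'Azure AD joined' }
    if ($State['DomainJoined']) { return 'Domain joined only (not synced to Azure AD)' }
    return 'Not joined'
}

function Test-CoManagementClient {
    $join = Get-JoinType (Get-DsregState)

    # MDM auto-enrollment policy that the enrollment GPO writes (AutoEnrollMDM = 1).
    $mdm = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $autoEnroll = ($null -ne $mdm -and $mdm.AutoEnrollMDM -eq 1)

    # Co-management policy received from the site; bit 1 means co-management is enabled.
    $ccm = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags -ErrorAction SilentlyContinue
    $flags = if ($null -ne $ccm) { [int]$ccm.CoManagementFlags } else { 0 }
    $coMgmtEnabled = (($flags -band 1) -eq 1)

    # The status class named in the chapter; absent until the handler has run.
    $status = Get-CimInstance -Namespace root\CCM\CoManagement -ClassName CoManagementStatus -ErrorAction SilentlyContinue

    # Each finding maps to one of the pitfalls the chapter lists.
    $findings = @()
    if ($join -in 'Domain joined only (not synced to Azure AD)', 'Not joined') {
        $findings += 'Device is not Azure AD or hybrid joined; check Azure AD Connect sync before expecting enrollment.'
    }
    if (-not $autoEnroll) {
        $findings += 'No MDM auto-enrollment policy applied; enrollment needs the GPO or manual enrollment.'
    }
    if (-not $coMgmtEnabled) {
        $findings += 'CoManagementFlags does not show co-management enabled; the client has not received the policy.'
    }
    if ($null -eq $status) {
        $findings += 'CoManagementStatus not found; the co-management handler has not reported yet.'
    }

    [pscustomobject]@{
        JoinType            = $join
        MdmAutoEnrollPolicy = $autoEnroll
        CoManagementFlags   = $flags
        CoManagementEnabled = $coMgmtEnabled
        StatusClassPresent  = ($null -ne $status)
        Findings            = $findings
    }
}

Test-CoManagementClient | Format-List
```

An empty Findings list on a pilot-collection device is the expected result; any finding points at the pitfall to fix before moving a workload to Intune.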
Enterprise Scenario 1: Phased Migration to Modern Management
A large enterprise with 50,000 Windows 10 devices managed by Configuration Manager wants to adopt Intune for cloud-based management but cannot migrate all devices at once. They use co-management to gradually shift workloads. First, they enable co-management for a pilot group of 500 devices, moving the Compliance Policies workload to Intune. They discover that Intune's compliance policies are simpler to manage and integrate with conditional access. Over six months, they move all workloads to Intune, then eventually retire the ConfigMgr infrastructure. Key considerations: they needed to ensure all devices were hybrid Azure AD joined and had Intune licenses. They used CMG for internet-based clients. A common issue was that some devices were not hybrid joined due to Azure AD Connect sync delays; they had to run delta syncs to expedite.
Enterprise Scenario 2: Conditional Access with Co-Managed Devices
A financial institution requires all devices to be compliant before accessing corporate email. They already use ConfigMgr for device management but want to leverage Intune's compliance policies for conditional access. They enable co-management and set the Compliance Policies workload to Intune. Intune evaluates device compliance (e.g., encryption, antivirus) and marks devices as compliant. Azure AD conditional access then grants access to Exchange Online only for compliant devices. They configure a custom compliance policy in Intune that mirrors their existing ConfigMgr baselines. The challenge: devices that are not enrolled in Intune (due to licensing or connectivity issues) are blocked. They had to ensure all users had Intune licenses and that CMG was properly configured for remote devices.
Enterprise Scenario 3: Co-management for Non-Persistent VDI
A company uses non-persistent VDI (Virtual Desktop Infrastructure) with Windows 10. They want to manage these virtual desktops with Intune but also need ConfigMgr for software distribution. Co-management is not supported for non-persistent VDI because Intune enrollment is per-device and virtual desktops are reimaged frequently. Instead, they use ConfigMgr for software updates and Intune for compliance policies on persistent VDI only. This scenario highlights a limitation: co-management requires persistent device identity. The exam may test this as a trick—co-management does not work with non-persistent VDI or multi-user Windows 10/11 Enterprise.
What MS-102 Tests on Co-Management
The MS-102 exam objective 2.4 includes co-management under 'Manage devices with Intune and Configuration Manager co-management'. You should know:
Prerequisites: Windows 10 1709+, Azure AD hybrid join, Intune license, ConfigMgr 1710+.
Workloads: The seven workloads (Compliance Policies, Windows Update Policies, Resource Access Policies, Endpoint Protection, Device Configuration, Office Click-to-Run, Client Apps).
Workload slider: How to move workloads from ConfigMgr to Intune.
Enrollment methods: GPO-based auto-enrollment vs. manual.
Cloud Management Gateway (CMG): Its role for internet-based clients.
Co-management vs. cloud attach: Cloud attach is a broader term that includes co-management and tenant attach.
Common Wrong Answers and Traps
Wrong answer: 'Co-management requires Windows 10 Enterprise' - Reality: Windows 10 Pro and Enterprise are supported, but not Windows 10 Home. The exam may list 'Windows 10 Enterprise' as a requirement to trick you.
Wrong answer: 'Co-management can be used on non-persistent VDI' - Reality: Intune enrollment is per-device and not supported for non-persistent VDI. Co-management requires persistent device identity.
Wrong answer: 'All workloads must be moved to Intune at once' - Reality: The workload slider allows incremental migration. You can move one workload at a time.
Wrong answer: 'Co-management requires the device to be Azure AD joined only (not hybrid)' - Reality: Hybrid Azure AD join is required for co-management; pure Azure AD join is also supported, but the device must have a ConfigMgr client. The exam may test the difference.
Specific Numbers and Terms
Windows 10 version 1709 (minimum) or Windows 11.
ConfigMgr version 1710 (minimum).
Seven workloads (memorize them).
Workload slider positions: 'ConfigMgr', 'Pilot Intune', 'Intune'.
CMG: Cloud Management Gateway.
Edge Cases and Exceptions
Devices that are not hybrid Azure AD joined cannot enroll.
If a device is already enrolled in MDM by another provider (e.g., third-party), co-management enrollment may fail.
Co-management does not support macOS or Linux; it is Windows-only.
The workload slider is configured per collection; different collections can have different slider positions.
How to Eliminate Wrong Answers
Focus on the mechanism: co-management is about attaching existing ConfigMgr devices to Intune. If an answer suggests that co-management replaces ConfigMgr entirely or requires reimaging, it is wrong. Look for keywords like 'hybrid Azure AD join', 'workload slider', and 'CMG'. If a question mentions 'non-persistent VDI' or 'Windows 10 Home', eliminate those options.
Co-management allows simultaneous management by ConfigMgr and Intune with workload-specific authority.
Prerequisites: Windows 10 1709+, Azure AD hybrid join, Intune license, ConfigMgr 1710+.
There are seven workloads: Compliance Policies, Windows Update Policies, Resource Access Policies, Endpoint Protection, Device Configuration, Office Click-to-Run, Client Apps.
Workload slider controls which tool manages each workload; can be set per collection.
Co-management enrollment can be automatic via GPO or manual; CMG required for internet-based clients.
Co-management does not support non-persistent VDI, Windows 10 Home, or macOS/Linux.
Tenant attach is different: it only syncs device data to Intune without workload management.
Reversible: you can move workloads back to ConfigMgr at any time.
These come up on the exam all the time. Here's how to tell them apart.
Co-Management
Manages workloads via workload slider; ConfigMgr and Intune share management.
Requires Intune enrollment and hybrid Azure AD join.
Supports seven workloads including compliance, updates, and apps.
Allows gradual migration to Intune.
Devices appear in both ConfigMgr and Intune consoles.
Tenant Attach
Only attaches ConfigMgr devices to Intune for reporting and actions, no workload management.
Does not require Intune enrollment or hybrid join; just syncs device data.
No workload slider; Intune cannot manage the device directly.
Used for cloud-based reporting and remote actions from Intune.
Devices appear in Intune console but are not MDM enrolled.
Mistake
Co-management requires devices to be Azure AD joined only (not hybrid).
Correct
Co-management supports both Azure AD join and hybrid Azure AD join. However, the device must have a ConfigMgr client, which typically requires domain join. Hybrid join is the most common configuration. Pure Azure AD join without domain join is possible but less common.
Mistake
Co-management means both Intune and ConfigMgr manage the same workloads simultaneously.
Correct
For each workload, only one management authority is active. The workload slider determines which tool's policies apply. The other tool's policies for that workload are ignored. There is no simultaneous management of the same setting.
Mistake
You can use co-management with Windows 10 Home edition.
Correct
Windows 10 Home does not support MDM enrollment. Co-management requires Windows 10 Pro, Enterprise, or Education. Windows 11 Home also does not support MDM.
Mistake
Co-management enrollment requires a user to sign in to Intune.
Correct
Enrollment can be automatic via GPO without user interaction. The device enrolls using a device identity (hybrid Azure AD join). User sign-in is only required if using manual enrollment or if the device is not hybrid joined.
Mistake
Once co-management is enabled, you cannot revert workloads back to ConfigMgr.
Correct
You can move the workload slider back to 'ConfigMgr' at any time. However, Intune policies already applied may persist until the next policy refresh. The slider is reversible.
The minimum requirements are: Windows 10 version 1709 (or Windows 11), Azure AD hybrid join (or Azure AD join), an Intune license assigned to the user or device, and Configuration Manager version 1710 or later. Additionally, a Cloud Management Gateway (CMG) is needed for internet-based clients to communicate with ConfigMgr. The device must be domain-joined to have the ConfigMgr client.
Yes, Windows 11 is fully supported for co-management, provided it meets the same prerequisites as Windows 10 (version 1709 is not applicable; Windows 11 is based on Windows 10 version 21H2+). The device must be hybrid Azure AD joined and have an Intune license. Windows 11 Pro, Enterprise, and Education are supported; Windows 11 Home is not.
Co-management allows you to manage workloads on devices from both ConfigMgr and Intune, with a workload slider to decide authority. Tenant attach only synchronizes ConfigMgr device data to the Intune admin center for reporting and remote actions, but Intune does not manage the device. Tenant attach does not require Intune enrollment or hybrid join; co-management does.
In the Configuration Manager console, go to Administration > Cloud Services > Co-management. Select the co-management settings, then use the Workload slider to move a specific workload to 'Pilot Intune' or 'Intune'. You can target a pilot collection first. The change takes effect on the next policy refresh. Intune policies will then override ConfigMgr policies for that workload.
No, co-management is not supported for non-persistent VDI (Virtual Desktop Infrastructure) because Intune enrollment is per-device and non-persistent VDI sessions are temporary. Co-management requires a persistent device identity. For VDI, consider using Configuration Manager alone or Intune for persistent VDI only.
The workload reverts to Configuration Manager authority. Intune policies for that workload will no longer be enforced. However, Intune policies already applied may remain until the next policy refresh cycle. The device will reapply ConfigMgr policies for that workload. There is no automatic cleanup of Intune policies.
No, co-management is only for Windows 10/11 devices. macOS devices can be managed by Intune alone or by ConfigMgr with the Configuration Manager client for macOS (which is deprecated). Co-management specifically refers to Windows device management with both tools.