Chatting with a new customer, a common need came up: a formal document outlining the changes needed to implement Microsoft Endpoint Manager in a Configuration Manager-only environment. These changes are documented on Microsoft's Docs website, but they are spread across various links and products. This post is an attempt to centralize and simplify the change request.
This post covers the changes to Azure AD, Intune, and Configuration Manager needed to implement co-management and a cloud management gateway. If your organization is implementing these solutions, the sections below serve as a guide to the Microsoft Endpoint Manager environment changes.
The Intune application under Mobility (MDM and MAM) is configured in Azure AD, which enables automatic enrollment. Here we limit the scope to our test group, based on either an on-premises synchronized security group or an Azure AD security group.
- Sign into https://portal.azure.com
- Go to Azure Active Directory
- Select Mobility (MDM and MAM)
- If this is for a production rollout, select All. For a pilot or proof of concept, select Some and pick the group(s) to be targeted
- Rollback: turn the MDM and MAM settings back to None
End User Impact
Azure AD Connect
To properly configure hybrid join for your Windows 10 devices, there are prerequisites the device must meet in order to enroll.
Devices will need access to the following URLs (Configure hybrid Azure Active Directory join for managed domains | Microsoft Docs):
- https://autologon.microsoftazuread-sso.com (If you use or plan to use seamless SSO)
Note: when deploying this in a controlled rollout, be aware that if Azure AD Connect's OU synchronization configuration includes devices, those devices will automatically attempt to hybrid join. Before proceeding, validate that the OU configuration/filtering matches your desired outcome.
Note: configuring hybrid device join requires a service connection point (SCP) to be created and registered in the on-premises domain. The Azure AD Connect wizard can create one for you, or it can be created manually by running the script provided. More information can be found here: Configure hybrid Azure Active Directory joined devices manually | Microsoft Docs
Configuration Manager Client Settings
Configuration Manager's default client settings automatically register Windows 10 devices with Azure AD. To control your rollout, validate that this setting is set to No.
- Exclude device OU(s) in Azure AD Connect configuration settings for OU filtering
- Roll back the Configuration Manager client setting
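As an added example (not from the original post), a PowerShell helper that verifies the SCP referred to in the note above exists in the forest and reports the local device's hybrid join state, so a controlled rollout can be checked device by device; the SCP location is the one given in the linked Microsoft doc, and the script assumes a domain-joined Windows 10 device with line of sight to a domain controller.

```powershell
# Added example (not from the original post): pilot validation helper for hybrid join.
# (1) confirms the SCP that hybrid Azure AD join needs exists in the on-premises forest,
# (2) reports the local device's dsregcmd state, so pilot devices can be confirmed as
# joined and out-of-scope devices confirmed as NOT joined. Uses ADSI only (no RSAT needed).

function Get-HybridJoinScp {
    # SCP location documented by Microsoft for hybrid Azure AD join (configuration partition)
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $scpPath  = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($scpPath)) {
        return [pscustomobject]@{ Found = $false; AzureADName = $null; AzureADId = $null }
    }
    $scp = [ADSI]$scpPath
    # keywords holds 'azureADName:<verified tenant domain>' and 'azureADId:<tenant id>'
    $keywords = @($scp.keywords | ForEach-Object { "$_" })
    [pscustomobject]@{
        Found       = $true
        AzureADName = ($keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:', ''
        AzureADId   = ($keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:', ''
    }
}

function Get-DeviceJoinState {
    # dsregcmd /status prints 'Key : Value' lines; keep only the ones relevant to this rollout
    $lines = & dsregcmd.exe /status 2>$null
    $state = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DeviceId|TenantName|AzureAdPrt)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        DomainJoined  = $state['DomainJoined']
        AzureAdJoined = $state['AzureAdJoined']
        # Hybrid join = domain joined AND Azure AD joined; a PRT shows user-side SSO also worked
        HybridJoined  = ($state['DomainJoined'] -eq 'YES' -and $state['AzureAdJoined'] -eq 'YES')
        AzureAdPrt    = $state['AzureAdPrt']
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
    }
}

$scp    = Get-HybridJoinScp
$device = Get-DeviceJoinState
"SCP found: $($scp.Found)  tenant: $($scp.AzureADName)  tenant id: $($scp.AzureADId)"
"Device hybrid joined: $($device.HybridJoined)  tenant: $($device.TenantName)  device id: $($device.DeviceId)  PRT: $($device.AzureAdPrt)"
```

Run it on a device outside the pilot OU after changing the OU filter or the client setting: HybridJoined should be False there and True on pilot devices once they have rebooted and synchronized.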
Cloud Management Gateway
A cloud management gateway is, at its core, a platform as a service (PaaS) offering; the resources it creates in Azure are a storage account and a cloud service. The storage account has the same name as the cloud service and is managed by the cloud service resource. Integrating these services into Configuration Manager also requires integration with Azure AD. The three changes that occur in Azure AD and Configuration Manager are:
- Azure AD Discovery
- Azure AD App Registrations (x2)
  - Web/Server App
  - Native/Client App
In each case, these changes are handled during the cloud management gateway deployment wizard.
Below are the standard requirements to successfully deploy a cloud management gateway:
- Valid Azure Subscription with Owner and Global Admin permissions
- Full Administration rights in Configuration Manager
- Service Connection Point in online mode
- At least one on-premises server to host the cloud management gateway connection point
- The environment site servers meet one of the following requirements
  - All run and communicate over PKI generated certificate via HTTPS
  - Site servers are running under enhanced-HTTP
- Server authentication certificate for the cloud management gateway
  - It is recommended to utilize a wildcard certificate
- One of the following scenarios
  - Client authentication certificate deployed by an internal certificate authority
  - Windows 10 devices are hybrid joined
Client Settings to Allow CMG Communication
If you are deploying this in a controlled rollout, validate that the deployed client settings do not allow communication with a cloud management gateway.
The setting Enable clients to use a cloud management gateway is set to Yes in the default client settings. To control the rollout for a PoC and/or pilot, disable this setting.
Cloud Management Gateway Dataflow
Cloud Management Gateway (CMG) Connection Point
The CMG connection point is the site system role for communicating with the CMG. This allows the on-premises management point and software update points to service internet clients. This is typically installed on the management point that will be used to service those clients.
- Remove the following from the Configuration Manager console:
  - Cloud management gateway connection point role
  - Cloud management gateway
  - The Azure AD tenant connections and Azure Apps
- Delete the resource group in the Azure portal
Enabling co-management in Configuration Manager requires minimal changes. These steps are detailed on the Microsoft Docs website: Enable co-management – Configuration Manager. Below are the centralized changes that occur when enabling it.
Starting in version 1906, Configuration Manager allows each workload to be assigned to a different device collection. Before going through the enablement wizard, eight device collections need to be created:
- One collection for Intune auto enrollment
- Seven collections for workload management
Co-Management Configuration Settings
Once the co-management wizard completes, a configuration item is created under Cloud Services in the Administration section of the console.
- Delete the CoMgmtSettingsProd configuration item located in Administration > Overview > Cloud Services > Co-management
- Delete the co-management collection created to auto enroll and assign workloads