Microsoft Endpoint Manager Environment Changes

Chatting with a new customer, and the common need came up, a formal document outlining the needed changes to implement Microsoft Endpoint Manager in a Configuration Manager only environment.  These changes are available on Microsoft’s Docs website, but found through various links and products.   This will be an attempt to centralize and simplify the change request. 

This post will cover the changes for Azure AD, Intune, and Configuration Manager to implement co-management and a cloud management gateway.   If your organization is implementing these solutions, below will be a guide for the Microsoft Endpoint Manage environment changes. 

Azure AD

The Intune application for Mobility (MDM and MAM) will get configured in Azure AD.  This will allow automatic enrollment. Here we limit the scope to our test group based on either an on-premises synchronized security group or an Azure AD security group. 

  1. Sign into
  2. Go to Azure Active Directory
  3. Select Mobility (MDM and MAM)
    Azure AD Mobility MDM & MAM Settings
  4. If this is for production rollout select All. If for a pilot or proof of concept select Some and select to be targeted group(s)
    MDM Enrollment Configuration


  • Turn back MDM and MAM settings back to None

End User Impact

  • None

Azure AD Connect

To properly configure hybrid join for your Windows 10 devices, there are pre-requisites required for the device to properly enroll. 

Devices will need access to the following URLs (Configure hybrid Azure Active Directory join for managed domains | Microsoft Docs):

  • (If you use or plan to use seamless SSO)
When deploying this in a controlled deployment, note if Azure AD Connect’s OU synchronization configuration includes devices, these will automatically attempt to hybrid join.   Before proceeding validate the OU configuration/filtering match your desired outcome.  
Configuring Hybrid Device Join requires a service connection point (SCP) to be created and registered in the on-premises domain.  The Azure AD Connect wizard can create one for you or can be created manually by running the script provided. More information can be found here: Configure hybrid Azure Active Directory joined devices manually | Microsoft Docs  

Configure hybrid Azure Active Directory join for managed domains | Microsoft Docs

Azure AD Connect Additional Tasks

Configure Hybrid Azure AD Join

Select Operating System

Configuration Manager Client Settings

By default, Configuration Manager’s default client settings will automatically register Windows 10 with Azure AD. To control your rollout, validate this setting is set to No


  • Exclude device OU(s) in Azure AD Connect configuration settings for OU filtering
  • Rollback Configuration Manager client setting

End-User Impact

  • None

Cloud Management Gateway

A cloud management gateway is a platform as a service (PaaS) offering at its core, the resources it creates in Azure are a storage account and a cloud service.  The storage account is named exactly the same and is managed by the cloud service resource.  When integrating these services into Configuration Manager, it will need to integrate into Azure AD.  The three changes that occur in Azure AD and Configuration Manager are:

  • Azure AD Discovery
  • Azure AD App Registrations (x2)
    • Web/Server App
    • Native/Client App

In each case, these changes are handled during the cloud management gateway deployment wizard. 

Below are standard requirements to successfully deploy a cloud management gateway

  • Valid Azure Subscription with Owner and Global Admin permissions 
  • Full Administration rights in Configuration Manager 
  • Service Connection Point in online mode 
  • At least one on-premises server to host the cloud management gateway connection point
  • The environment site servers meet one of the following requirements
    • All run and communicate over PKI generated certificate via HTTPS
    • Site servers are running under enhanced-HTTP
  • Server authentication certificate for the cloud management gateway 
    • It is recommended to utilize a wildcard certificate 
  • One of the following scenarios 
    • Client authentication certificate deployed by an internal certificate authority 
    • Windows 10 devices are hybrid joined 

Client Settings to Allow CMG Communication

If you are deploying this in controlled rollout, validate that deployed client settings don’t allow communication with a cloud management gateway

The setting Enable clients to use a cloud management gateway is configured to Yes in the default client settings.  To control the rollout for PoC and/or Pilot disable this setting.

Cloud Management Gateway Dataflow

Data flow for cloud management gateway – Configuration Manager | Microsoft Docs

CMG Data Flow

CMG Data Flow Definition

Cloud Management Gateway (CMG) Connection Point

The CMG connection point is the site system role for communicating with the CMG.  This allows the on-premises management point and software update points to service internet clients.   This is typically installed on the management point that will be used to service those clients. 


  • Remove the following from the Configuration Manager console
    • Cloud management gateway connection point role
    • Cloud management gateway
    • The Azure AD tenant connections and Azure Apps
  • Delete the resource group in the Azure portal

End-User Impact

  • None

Co-Management Changes

Enabling co-management in Configuration Manager requires minimal changes.   These steps are detailed over on the Microsoft Docs’ website: Enable co-management – Configuration Manager.  Below is the centralized changes that occur when enabling.

Device Collections

Starting in version 1906, Configuration Manager gives the possibility of splitting each workload to different device collections.   Before going through the enablement wizard, eight device collections will need to be created. 

  • One collection for Intune auto enrollment
  • Seven collections for workload management

ConfigMgr Device Collections for Co-Management

Co-Management Configuration Settings

Once completing the co-management wizard, a configuration item will be created in the administration section of cloud services in the console. 

Co-Management Config Item in ConfigMgr Console


  • Delete the CoMgmtSettingsProd configuration item located in Administration > Overview > Cloud Services > Co-management
  • Delete the co-management collection created to auto enroll and assign workloads

End-User Impact

  • None