As mentioned in our article, co-management is the first fundamental step on the road to modern management: it lets you keep using your existing Windows devices and configuration "as is" while adding a modern management tool alongside them. After that, you can move on to Modern Management, since the transition to the modern world will not happen overnight for most organisations. There are several scenarios for doing this, which we describe below:
Windows 10 clients without ConfigMgr
Option 1 (the only option for clients without ConfigMgr): Hybrid attach
(on-premises Active Directory joined + Azure AD registered/joined + GPO to enable automatic MDM enrolment)
If you are not using ConfigMgr, enabling "co-management" simply means making sure that your Windows 10 clients (1709 and later) are configured with the GPO setting that enables automatic MDM enrolment.
After that, start migrating your existing GPO configuration to MDM and create any new configuration there instead of in GPOs. Retire on-premises infrastructure such as WSUS and start relying on Windows Update for Business. Also look into Autopilot.
Clients with ConfigMgr (System Center Configuration Manager, SCCM)
Option 2: Hybrid attach (co-management not configured in ConfigMgr)
(on-premises Active Directory joined + Azure AD registered/joined + GPO to enable automatic MDM enrolment + ConfigMgr agent installed via ConfigMgr)
In this option you simply connect your Windows 10 clients to your MDM solution with the GPO setting that enables automatic MDM enrolment. The next step is to stop doing with GPOs and ConfigMgr what you can do directly from your MDM solution. This is the cheapest option when you want to keep ConfigMgr to a minimum and start moving away from it immediately.
This option is better suited to smaller and fairly simple ConfigMgr environments.
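Options 1 and 2 both depend on the client being hybrid joined and carrying the automatic MDM enrolment GPO. The following readiness check is an added example (not code from the original article): it reads the join state from dsregcmd, the policy values the "Enable automatic MDM enrollment using default Azure AD credentials" GPO writes under the MDM policy key, and the scheduled task that the enrolment client creates once the policy has applied. It assumes a Windows 10 1709+ client and an elevated PowerShell session.

```powershell
# Added example: per-client readiness check for hybrid attach + automatic MDM enrolment.
# Assumes Windows 10 1709 or later and an elevated PowerShell session.

function Get-DsregState {
    # Parse the "Key : Value" lines of `dsregcmd /status` into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$ds = Get-DsregState

# Hybrid Azure AD join means both of these report YES.
$checks = [ordered]@{
    'Joined to on-premises Active Directory' = ($ds['DomainJoined']  -eq 'YES')
    'Azure AD joined (hybrid)'               = ($ds['AzureAdJoined'] -eq 'YES')
}

# Registry values written by the auto-enrolment GPO:
# AutoEnrollMDM = 1 enables it; UseAADCredentialType 1 = user, 2 = device credential.
$mdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$pol = Get-ItemProperty -Path $mdmKey -ErrorAction SilentlyContinue
$checks['Automatic MDM enrolment policy set']     = ($pol.AutoEnrollMDM -eq 1)
$checks['Credential type is user (1) or device (2)'] = ($pol.UseAADCredentialType -in 1, 2)

# Once the policy applies, Windows registers an enrolment task under EnterpriseMgmt.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like '*enrolling in MDM*' }
$checks['MDM auto-enrolment scheduled task present'] = [bool]$task

# Report: anything MISSING here explains why a client never shows up in your MDM console.
foreach ($c in $checks.GetEnumerator()) {
    '{0,-48} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
}
```

Run it on a pilot client before rolling the GPO out more widely; the enrolment task only appears after the policy has been applied and a user with an Azure AD identity has signed in.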
Option 3: Hybrid attach (co-management enabled in ConfigMgr)
(on-premises Active Directory joined + Azure AD registered/joined + co-management enabled in ConfigMgr + ConfigMgr agent installed via ConfigMgr)
As far as we can tell from Microsoft's description, this is the real "co-management".
This is the recommended method for most organisations that want to adopt Modern Management.
Option 4: Cloud-attached machines (co-management enabled in ConfigMgr)
(Azure AD joined + MDM joined + ConfigMgr agent deployed via Intune)
This is an interesting option, but since the devices are not joined to an on-premises Active Directory, you must already have migrated all GPOs and successfully given users access to all local resources from outside the corporate network.
This option is more for the future, although it may already suit some customers.
Note: Even if devices are not joined to on-premises Active Directory, they can use single sign-on to access resources on the internal network, such as printers, network shares and other Active Directory domain resources. This holds as long as the device is on the internal network and can reach an on-premises domain controller, which issues a Kerberos TGT for access to on-premises resources.