Device management has changed significantly since 2020. Different requirements, diverse devices and distributed workplaces pose new challenges for IT departments. While MECM/SCCM continues to play a leading role, hundreds of millions of endpoints are already managed with Microsoft Intune today.
For companies that have used SCCM so far and want to introduce Microsoft Intune, promises Co-management an exciting journey. It allows you to combine traditional and cloud-based management methodologies — without immediately 100% cloud-native having to go. But what exactly is behind it? What are the benefits of it in everyday life and when is it worthwhile to switch?
The most important things in brief
- Co-management combines Intune and MECM/SCCM, so that devices can be managed simultaneously by both systems — ideal for a gradual transition to modern management.
- Workloads can be distributed in a targeted manner, for example for updates, compliance, or device configuration — this is how companies maintain control and increase flexibility at the same time.
- Pilot groups enable risk-free testingbefore functions are rolled out across the company — typical errors such as dual scan can thus be identified at an early stage.
- Requirements are clearly defined: Azure AD Join, Intune licensing, current SCCM version — without these basics, co-management is impossible.
1. What is co-management?
Co-management describes the parallel administration of Windows devices by two systems: Microsoft Intune and MECM/SCCM. Instead of choosing a solution, both platforms work hand in hand.
The advantage? Tasks such as software deployment, updates, or security policies can be assigned flexibly. While MECM/SCCM continues for classic On-premises- is responsible for tasks, Intune is increasingly taking on cloud-based functions.
This combination creates leeway. Companies can gradually move specific areas to the cloud without sacrificing familiar processes. Especially for high-availability devices, it can be very useful to continue to rely on the granular features of SCCM. Co-management is therefore not a decision MECM vs. Intune, but a model that enables customization — right at the pace of the company.
2. Requirements for co-management
Before co-management can be set up, a few basic requirements must be met. These relate to both technical infrastructure and administrative aspects.
Technical requirements:
- Windows 10 or Windows 11 as an operating system (note supported versions)
- MECM/SCCM environment from version 1710 or higher
- Microsoft Intune Tenant with appropriate license (e.g. Microsoft 365 E3/E5 or EMS E3/E5)
Network and communication:
- Devices require Internet access for Intune communication
- Connectivity to Entra ID (formerly Azure AD) must be ensured
Device registration and user accounts:
- Devices must be registered or connected to Entra ID (Entra Join or Hybrid Azure AD Join)
- Users must have valid Intune licenses
These principles ensure that both systems — Intune and MECM/SCCM — be able to work together smoothly. Co-management can only be activated and configured when these points have been met.
3. Set up co-management: step by step
Setting up co-management is divided into several clearly defined steps. The aim is to first manage selected devices in a controlled environment before the functions are extended to all systems.
1 Make preparations
Before the actual configuration begins, all requirements should be met:
- Entra ID Connect must be set up and synchronized.
- MECM/SCCM should run on a supported version.
- Intune must be operational and licensed.
2 Activate co-management in MECM/SCCM
In the MECM console, the Co-Management Assistant connects to Intune:
- Login to Intune with global admin rights.
- Determine which devices are included in co-management (Pilot Collection recommended).
- Activate the co-management policy under “Administration > Cloud Management” tab.
3 Create a pilot collection
A pilot collection makes it possible to initially test co-management with a small number of devices:
- Add devices that are representative of the environment.
- Monitor changes and effects closely before expanding.
Define 4 workloads
Under “Administration > Cloud Management” tab, define which administrative tasks should be taken over by Intune, for example:
- compliance guidelines
- Windows Update for Business
- Endpoint Protection
In this way, the transition to the cloud can be individually designed and tested without abruptly changing existing processes.
4. Workloads and their management
A central aspect of co-management is flexible workload management. This determines whether certain administrative tasks are carried out by MECM/SCCM or by Intune. This enables a gradual and controlled transfer of responsibilities.
What are workloads?
Workloads describe specific areas of responsibility, such as:
- compliance guidelines
- Configuration Profiles
- Windows Update Policies
- Endpoint Protection
- resource access (VPN, certificates, etc.)
Workload handover: From MECM/SCCM to Intune
Co-management can specifically decide on each of these topics:
- Client-side (via the co-management policy) It is determined who takes control.
- The change can step-by-step (pilot devices) or nationwide (all devices) take place.
Benefits of dynamic workload control
- Minimize risks: Activate changes only for pilot groups at first
- Flexibility: Map different scenarios for different device types
- Future security: Gradually move more tasks to the cloud
Through this adaptability, co-management offers a secure way to adapt to the requirements of modern IT environments — without sacrificing proven processes.
5. Best practices and common challenges
Co-management offers great flexibility, but also requires a clear understanding of technical dependencies and organizational processes. Anyone who recognizes typical errors early on and applies proven methods creates a stable basis for operation.
Understanding and Avoiding Dual Scan
One of the most common stumbling blocks is the so-called dual scan. In this scenario, devices access MECM/SCCM and Windows Update for Business simultaneously — which can lead to conflicts with the update source. To avoid this, it should be decided in advance which system will be responsible for Windows updates. The appropriate workload must be consistently configured so that both systems do not attempt to manage updates in parallel.
Control rollout via pilot groups
Switching all devices to co-management immediately entails risks. The step-by-step rollout using defined pilot groups has proven successful. These make it possible to test changes in a controlled manner and to observe the behavior of the devices under real conditions. Only when this phase is stable should the expansion to other systems take place.
Communication and documentation
Technical transitions, such as moving workloads, require more than just configuration changes. Especially in larger IT environments, it is crucial that all teams involved are involved. Roles and responsibilities must be clearly defined. In addition, every adjustment should be documented — ideally in such a way that it remains comprehensible later on.
Support from Microsoft and partners
Even with careful planning, not all challenges can be solved internally. Especially when it comes to in-depth technical problems or strategic decisions, it is worthwhile to draw on the experience of external experts. Microsoft itself provides comprehensive documentation and support platforms. In addition, certified partners can offer valuable inspiration and operational support.
6 use cases and benefits in everyday life
Co-management shows its strengths particularly in practical use. Companies benefit from not having to change everything at once and still being able to use modern administrative approaches.
Typical deployment scenarios:
- Step-by-step migration: Devices can be gradually transferred to the cloud without disrupting operations.
- Flexible management: Different types of devices (stationary PCs, notebooks, mobile devices, high-availability devices) can be managed individually.
- Home office and mobile users: With Intune, policies and updates can also be enforced outside the corporate network.
Key benefits:
- Planned transition:
No hard cut between on-premises and cloud — companies set the pace themselves.
- Lower risk:
Pilot groups make it possible to test new functions under real conditions before they are rolled out across the company.
- Central overview:
Admins maintain control and overview of device health across both platforms.
- Increase safety:
By integrating advanced Intune features such as Conditional Access the security situation is improved.
7. Conclusion
Co-management isn't a compromise solution — it's a strategic bridge. Companies can retain traditional management approaches while taking advantage of modern cloud technologies.
Especially for organizations that have invested heavily in MECM/SCCM, this approach offers an elegant opportunity to break new ground without sacrificing the tried and tested. The flexible management of workloads ensures that every company finds the right pace for itself.
Those planning for long-term Modern Endpoint Management will find co-management hard to ignore. It combines reliability with sustainability — and that is exactly what many IT departments are looking for today.
Since 2011, Thore has focused exclusively on endpoint management and endpoint security topics. Initially focused on software packaging and software distribution with Microsoft MECM/SCCM and Ivanti DSM, he is now a sought-after interlocutor when it comes to unified endpoint management, system hardening, patch management and endpoint protection. The focus is in particular on the Microsoft technologies Intune, Configuration Manager, Entra and Defender. Thore is co-founder of the “Endpoint Management” expert group at IAMCP e.V.
Jahre Erfarung
Verwaltete Endgeräte
