Intune Co-Management: Pros, Cons, and the Journey from SCCM to the Cloud
Many enterprises today straddle two worlds of endpoint management: the traditional on-premises Configuration Manager (ConfigMgr/SCCM) and the modern cloud-based Intune. Co-management is Microsoft’s bridge between them—letting you leverage both platforms, migrate at your own pace, and protect your existing investment. In this post, we’ll cover:
- What Intune Co-Management Is
- Key Benefits
- Disadvantages
- High-Level Architecture
- A Roadmap from On-Prem to Cloud-Only
- Recommendations for Hybrid Environments
1. What Intune Co-Management Is
Co-management lets a Windows 10/11 device be managed simultaneously by ConfigMgr and Intune. You install the ConfigMgr client as usual, then enroll the device in Intune (often via Hybrid Entra ID join). At that point, each “workload” (compliance, updates, app deployment, etc.) can be assigned to either ConfigMgr or Intune:
- Selective Workload Management
  After enabling co-management, everything stays in ConfigMgr until you “flip the switch” for each workload. For example, you might move compliance policies and Windows Update settings to Intune, while keeping software distribution and OS imaging in ConfigMgr.
- Flexible Onboarding Paths
  - Existing SCCM Devices → Intune
    Enable co-management in ConfigMgr, target a collection, and let those clients auto-enroll in Intune.
  - New Autopilot Devices → SCCM
    Provision via Autopilot into Intune, then install the ConfigMgr agent to bring them under SCCM management as well.
- Dual Infrastructure
  You still run your ConfigMgr site—servers, SQL, distribution points—and you also configure Intune in the cloud. Co-management simply links them at the device level (often using the Cloud Management Gateway and Entra ID integration).
- Coordinated Policy Authority
  When Intune is made authoritative for a workload, ConfigMgr defers to Intune on co-managed devices—avoiding conflicts that would arise if two systems tried to enforce the same setting.
2. Key Benefits of Co-Management
- Low-Risk Migration
  Move workloads one at a time—pilot compliance first, then software updates, and so on—while ConfigMgr continues to do the rest for all devices.
- Best of Both Worlds
  Retain ConfigMgr’s powerful imaging, complex application packaging, and rich inventory while gaining Intune’s cloud-native MDM, Conditional Access, and internet-based management.
- Immediate Cloud Capabilities
  Existing ConfigMgr-managed PCs can leverage Intune features—like device compliance for Entra ID Conditional Access—without a forklift migration.
- Enhanced Remote Work Support
  Intune keeps devices up to date and compliant with policy even when they are off-network, while SCCM takes care of heavier on-prem tasks once the devices reconnect.
- Preserve Familiar Processes
  IT teams can keep using the ConfigMgr console, along with their existing packages and task sequences, while they learn Intune capabilities in parallel.
- Unified Visibility (Long Term)
  With Tenant Attach and other integrations, you can view SCCM data in the Intune portal—moving toward a single pane of glass.
- Maximize Licensing
  Most Microsoft 365 E3/E5 subscriptions include both SCCM and Intune rights, so co-management often incurs no extra cost.
3. Disadvantages
- Increased Complexity
  Maintaining expertise, policies, and consoles in both ConfigMgr and Intune can strain smaller teams and double operational overhead.
- Policy Overlap Risks
  Misconfigurations or unclear boundaries (for example, “Who manages what?”) can lead to duplicate or conflicting settings if they are not strictly governed.
- Dual Infrastructure Maintenance
  You still need to patch and upgrade your SCCM servers, manage SQL, distribution points, and also configure Intune connectors and auto-enrollment.
- Temporary Nature—and Potential Stagnation
  Co-management is designed as a transitional state. If you never shift workloads to Intune, you end up running two systems with no real benefit.
- Feature Gaps
  SCCM’s OS imaging, complex task sequences, or software metering don’t always have direct equivalents in Intune, so some workloads may remain on-prem indefinitely.
- Agent and Performance Overhead
  Devices run both the SCCM client and the built-in MDM agent, which can occasionally overlap actions (inventory, app installs) and marginally impact performance.
- Licensing and Cost Considerations
  If you lack Intune licenses, you’ll need to procure Microsoft 365 subscriptions. There’s also the upfront effort—planning, testing, training—to factor into total cost of ownership.
- Hybrid Enrollment Prerequisites
  Setting up Hybrid Entra ID join, Entra ID Connect, Cloud Management Gateway, and auto-enrollment policies can be complex and error-prone.
- Split Tooling for Support
  Helpdesk and admins must know where to look—SCCM for some data, Intune for other data—and handle two portals, two sets of logs, two deployment channels.
4. Co-Management Architecture (Split-Model)
Here’s the co-management architecture diagram, showing how Intune and Configuration Manager jointly manage Windows devices (and how legacy clients fit in):

5. Roadmap: From On-Prem to Cloud-Only
- Prepare and Enable Co-Management
  - Configure Entra ID Connect and Hybrid Join
  - Update ConfigMgr to Current Branch
  - Sign into Azure from SCCM, select a pilot collection, and enable co-management (start with Compliance).
- Pilot Workload by Workload
  - Pilot Compliance → pilot group → production
  - Pilot Windows Update → test Intune WUfB rings → scale
  - Pilot Device Configuration, Endpoint Protection, Client Apps
- Tackle Gaps and Conflicts
  - Disable overlapping SCCM policies when shifting a workload
  - Use custom OMA-URI to cover missing Intune features
- Autopilot for New Devices
  - Provision new PCs cloud-only via Autopilot + Intune
  - Optionally install SCCM client for co-managed new devices, then phase out
- Migrate Apps and Imaging
  - Repackage simple MSI/Win32 apps for Intune
  - Evaluate Autopilot and Intune Updates for OS deployment
- Optimize, Monitor, and Report
  - Track co-management dashboards, enrollment status, and workload progress
  - Measure “% of workloads in Intune” over time
- Scale Down SCCM
  - Decommission unneeded site servers and distribution points
  - Uninstall SCCM clients as devices become Intune-only
- Full Cloud-Only (Optional)
  - Retire SCCM when all essential workloads have mature Intune equivalents
  - Transition reporting and analytics to Intune/MEM and Endpoint Analytics
6. Recommendations for Hybrid Environments
- Define a Clear Workload Split
  Document which system is authoritative for each management category and enforce it with co-management sliders.
- Train Your Team
  Update runbooks, train helpdesk on both consoles, and ensure staff know when to use SCCM vs. Intune.
- Leverage Cloud-Attach Features
  Use Tenant Attach for SCCM data in Intune, and Cloud Management Gateway for SCCM over the internet.
- Avoid Permanent Half-Steps
  Schedule periodic reviews—if Intune gains a needed feature, be ready to shift that workload off SCCM.
- Monitor Health and Compliance
  Use Intune reporting and Update Compliance dashboards alongside ConfigMgr client-health tools.
- Document and Clean Up
  Track which devices are co-managed, Intune-only, or SCCM-only. Remove retired clients and obsolete collections.
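One way to check a documented workload split on a client, as an added example that is not part of the original post or of Microsoft's tooling: it decodes the ConfigMgr client's CoManagementFlags value and lists every workload whose authority differs from the design. The bit values follow Microsoft's published co-management capability table and should be confirmed for your ConfigMgr version; `$ExpectedIntune`, the function names and the fallback value 8259 are assumptions made for illustration.

```powershell
# Added example: compare a client's co-management workload flags with the documented split.
# Assumption: bit values follow Microsoft's published co-management capability table;
# confirm them against the documentation for your ConfigMgr version.
$WorkloadBits = [ordered]@{
    'Compliance policies'      = 2
    'Resource access policies' = 4
    'Device configuration'     = 8
    'Windows Update policies'  = 16
    'Endpoint Protection'      = 4128
    'Client apps'              = 64
    'Office Click-to-Run apps' = 128
}

# Hypothetical documented split: the workloads your design says Intune owns.
$ExpectedIntune = @('Compliance policies', 'Windows Update policies')

function Get-WorkloadAuthority {
    param([Parameter(Mandatory)][int]$Flags)
    foreach ($name in $WorkloadBits.Keys) {
        $bits = $WorkloadBits[$name]
        # A workload belongs to Intune only when all of its bits are set.
        [pscustomobject]@{
            Workload  = $name
            Authority = if (($Flags -band $bits) -eq $bits) { 'Intune' } else { 'ConfigMgr' }
        }
    }
}

function Test-WorkloadSplit {
    param([Parameter(Mandatory)][int]$Flags, [string[]]$ExpectedIntune)
    Get-WorkloadAuthority -Flags $Flags | ForEach-Object {
        $expected = if ($ExpectedIntune -contains $_.Workload) { 'Intune' } else { 'ConfigMgr' }
        if ($_.Authority -ne $expected) {
            [pscustomobject]@{ Workload = $_.Workload; Expected = $expected; Actual = $_.Authority }
        }
    }
}

# Read the value from the ConfigMgr client key; when it is absent, fall back to a
# constructed sample (8193 base + compliance 2 + client apps 64 = 8259).
$reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags -ErrorAction SilentlyContinue
$flags = if ($reg) { [int]$reg.CoManagementFlags } else { 8259 }

$drift = @(Test-WorkloadSplit -Flags $flags -ExpectedIntune $ExpectedIntune)
if ($drift.Count) { $drift | Format-Table -AutoSize } else { 'Workload authority matches the documented split.' }
```

With the constructed sample value, the script reports two mismatches: Windows Update policies still on ConfigMgr and Client apps already on Intune.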
Co-Management: Stepping Forward
Intune co-management is a journey, not a destination. It provides a safety net as you cross from on-prem to cloud-centric management, combining familiar SCCM processes with Intune’s modern capabilities. By following a structured roadmap, defining clear workload ownership, and training your team, you can gradually simplify your environment—ultimately arriving at a more agile, secure, and user-centric management posture.