Co-Management and Certificate Provisioning

This article provides an overview of the co-management options available to organisations including, how to connect SCCM and Intune as well as steps to procure and apply certificates.

Co-Management Overview

The NHSmail Intune service provides a Hybrid solution to enable organisations to Co-Manage devices with SCCM (or MECM) and Intune. This means that LAs can choose which workloads they would like to be managed via SCCM and Intune respectively.

Organisations are only required to set up co-management if they wish to manage their device and associated workloads via both SCCM (or MECM) and Intune.

Utilising pre-existing SCCM infrastructure can be beneficial to organisations; expediting their ability to enrol devices onto the platform and providing more choice on how to manage workloads.

Examples of the workloads LAs could consider co-managing between SCCM and Intune include:

ü Compliance policies

ü Device Configurations

ü Endpoint protection (anti-virus, etc)

ü Client apps

ü Windows update policies

Connecting SCCM and Intune

Connecting your SCCM with Intune to co-manage workloads requires 6 steps. All steps must be completed for the connection to be successful:

1. Set up azure services

There is a requirement to setup the Cloud Management Gateway (CMG) to allow Co-management configuration to be completed

2. Set up Cloud Management Gateway

Setting up the CMG so that the connection with Intune is complete and remote devices can be connected into SCCM requires:

– creating a CMG certificate

– Installing a custom web server certificate

– Exporting the web server certificate

– Installing the CMG

– setting up the CMG connection point

3. Add NHSmail tenant to configuration manager

Once the connection between SCCM and Intune is complete, all Co-managed device workloads that will be controlled via Intune will be managed from the NHSmail Azure Tenant

This tenant needs to be added in the Configuration Manager Console for Co-management to be setup

4. Set up site and roles for CMG

Several configurations can be made at this point to the CMG to enable communication between CMG and site systems

5. Set up device configuration for CMG

The penultimate step requires deployment of the internet client. which will allow devices to connect to the Cloud Management Gateway

6. Set up Co-Management

Co-management needs to be properly configured in order for workloads to be correctly allocated to either Intune or co-management. Configuring workloads allows LAs to closely control which workloads are routed to Intune and which are routed through Configuration Manager


NHSmail Intune provides the facility for organisations to issue certificates for various purposes such as authentication to devices via Intune. This is not a native feature of Intune and has been developed to support organisations who have certificate dependencies to access on-premises resources.

To leverage Intune services, organisations’ certificates can be issued and managed from on-premises sources and Certificate Authorities (CAs) via the following methods:

1. Issue a ‘Trusted’ certificate itself via an Intune Certificate profile
2. Configure a SCEP (Simple Certificate Enrolment Protocol) Issuing Server for certificate issuing services (NDES)
3. Configure the Intune Certificate Connector to allow Certificates to be issued via NDES/SCEP
Updated on 05/07/2022
Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support
back to top