Move Software Updates to Intune with Co-management

To move on with the transition towards Modern Management we can use Co-management in SCCM to decide where settings are coming from. In this specific scenario we will do a switch from Software Updates via SCCM to Intune controlled Software Updates for one test client. I will show you the following steps.

  1. How to setup the Co-management connection in SCCM
  2. How to configure the Co-management connection to be able to switch Software updates from SCCM to a pilot Intune group
  3. How to configure a Windows 10 Update Ring in Intune and assign to a group
  4. How to verify that the client are getting the correct settings

Prerequisites for this scenario:

  • A test client (in my case running 1809)
  • SCCM environment (in my case running 1810)
  • Intune environment
  • Hybrid Azure AD Joined device
  • An Intune group with the test client as a member
  • Company Portal installed on a client

Step 1 and 2 – This step in done in SCCM console

\Administration\Overview\Cloud Services\Co-management

1.Co-management > Configure Co-management

2. Next

3. Sign in

4. Logon with an Intune Administrator (Global administrator in my case)

5. Next

6. Automatic enrollment in Intune > Pilot

7. Next

8. Workloads > Switch Windows Updates policies to Pilot Intune

9. Pilot collection > Choose a collection with your test client

10. Next

11. Done


Step 3 – This step is done in Intune

1. Software updates

2. Windows 10 Update Rings

3. Create

4. Name: SU-Windows 10-Test

5. Description: Software Update – Test group

6. Settings
Below are an example, please configure it so it fits your environment

7. Assignments

8. Select groups to include > Group with test client

9. Save


Step 4 – This step is done on the test client

1. Open Company Portal

2. Settings > Sync

3. Run > control update

4. View configured update polices

5. Look under Policies set on your device – here we want to see that settings are coming from Mobile Device Management as below

6. Be sure to turn off any GPO:s that might turn off access to Windows Updates

7. Done

This is how you make the switch over to Intune and as you can see it doesn’t require that much.

