Microsoft announces their “bridge” to Windows 10 MDM - Our initial thoughts on Ignite

Including SCCM and Intune co-management, Microsoft 365, Intune management extensions, AutoPilot, a new Jamf partnership, and Skype for Business.

Microsoft Ignite started yesterday, and much of our industry is going to be spending weeks digging through all the product changes. We’re going to get started by sharing our initial thoughts on a few announcements. (This article was written jointly by Jack and Gabe.)

Get used to hearing about Microsoft 365

Microsoft 365 isn’t new this week—it was first announced in July—but it was a huge topic in Monday’s main EUC sessions. In case you need the reminder, it’s the bundle of Office 365, Windows 10, and Enterprise Mobility + Security (Azure AD, Intune, Windows Defender, and related services). Microsoft also used the term “Microsoft 365 powered devices,” which could be confusing, but it just refers to Windows 10 devices that have Office installed and are managed with EMS.

There was a lot of emphasis on the underlying analytics and artificial intelligence in various Microsoft 365 components. This doesn’t mean we have to become experts in AI, but it is an example of how it’s powering the business logic of apps we use. If it delivers more useful insights, then great.

Moving on to the new announcements, many of them are outlined in Brad Anderson’s blog post and covered in Monday’s session “Microsoft 365: Modern management and deployment,” available at the Ignite homepage. We’ll get more details in individual sessions later in the week, but here's what stood out to us. (Update #1: September 26, 9:30am PDT: We learned the answers to some of our initial questions this morning from a Microsoft product manager, so there are a couple of updates inline below.)


Microsoft’s guidance on when to use MDM for Windows 10 has in the past been fairly conservative. It was other EMM vendors like VMware and MobileIron that were really pushing for a way to bridge traditional and MDM management. This has changed now, as Microsoft announced their own “bridge,” via a technique they’re calling co-management.

With co-management, it will be possible for a Windows 10 machine to be domain-joined and managed by SCCM, and at the same time, also be joined to Azure AD and managed by Intune. Admins can choose which system (SCCM or Intune) is the authority for a given workload, and the idea is that companies can get started on a few modern management tasks while still doing other legacy domain-based tasks, then gradually transition over as desired.

For the moment, the workloads that are bridged from SCCM over to Intune are limited to compliance policies, resource access policies, and Windows Update policies. With these capabilities, it seems like there could be conflicts around software distribution for right now, but this is only a v1, and you can imagine that Microsoft will expand co-management as customer needs become more clear.

Now that Microsoft is onboard with the bridge concept, it will be interesting to see how VMware reacts.

UPDATE #1: One question we had initially (in the original version of this article) was whether or not this was some sort of framework that other vendors could leverage. For example, could you use SCCM and AirWatch instead of SCCM and Intune? As it turns out, we learned that co-management will only work with SCCM and Intune (well, depending on how you define co-management).

UPDATE #2, September 27, 3:30pm PDT: There's been a little bit of confusion about this, as other MDMs can co-exist with SCCM, too, so we're putting together a closer look. One thing to note is that Microsoft says that SCCM and Intune are in "constant communication" with each other, so we’re looking at exactly what other MDMs can and can’t do when used alongside SCCM. Watch out for another article next week.

UPDATE #3: Here's our article that explains the relationship between SCCM, Intune, and third-party MDM.

Intune Management Extension

For Windows 10, Intune will have a new set of capabilities called the Intune Management Extension. (This is separate from co-management.) With the Management Extension, Intune can run PowerShell scripts on MDM-managed Windows 10 devices, and soon, Intune will be able to deploy Win32 and .exe apps. (This is on top of the current MSI deployment capabilities.)

We know that Microsoft has been busy adding many new MDM policy options to Windows 10, with an eye towards replicating and replacing Group Policy. This is all great news—the more we can do with MDM on its own, the better, and this is a big step. However, as always, we’ll have to do some digging to see exactly what’s there and what’s not, and it’s easy to imagine niche use cases that might not be covered. Of course, Microsoft now has the above-mentioned co-management as an option, so it seems like they’re really trying to cover as much as possible—we can safely say that Microsoft is ready to push MDM for Windows, full speed ahead.

Windows AutoPilot

Windows AutoPilot, which Aaron Parker covered recently, also got some air time. AutoPilot enables an “out of box experience.” IT can drop-ship a corporate Windows 10 device directly to a user, and then all the user has to do is set the language, location, and keyboard layout, connect to any WiFi network (no need for it to be a corporate network), and then enter their credentials. From there, the device checks in and is enrolled into EMS management and configured with settings and apps. This is like the Apple Device Enrollment Program, which is very popular, and the recently-announced Android enterprise zero-touch enrollment program.

This could be good for devices sent to front line and remote employees, and for traditional systems, it could really make an impact if it's done in conjunction with the co-management capabilities mentioned above. UPDATE: We weren't initially sure if this would be possible (we hoped it would be, as we wrote in the initial version of this article), but we just learned that it is. A device can join Azure AD, get enrolled in Intune MDM, and then Intune can deploy the SCCM agent and the device will be in a co-managed state.

The last thing to note about AutoPilot is that all the important PC manufacturers have partnered with Microsoft... except Dell. There has to be a reason for that, right?

Jamf partnership

The last big surprise came when Brad Anderson mentioned that Microsoft was partnering with Jamf for Mac management. Jamf is popular and well-liked among the traditional Mac strongholds of education, creative fields, and most recently, startups that like to give all their employees MacBooks. Interestingly, macOS is going through a similar transition from traditional to MDM-based management. Jamf has been growing a lot, too, and integration with EMS will give them even more visibility—this is certainly another big win for them.

Skype for Business and Teams

Skype for Business is officially a lame duck now that Microsoft announced it will eventually be killed off and replaced by Microsoft Teams. Teams, if you’re not familiar, is a collaboration platform that includes meetings, chat, and note taking, akin to what you might find with Slack and other platforms. For those who just got used to calling it Skype for Business instead of Lync, you’ve got some time. In the second half of 2018, Microsoft will release an updated version of Skype for Business Server. Still, get ready for the discussion of real-time communications to shift from Skype for Business to Teams over the next twelve months.

Join the conversation


Not sure I follow the comments in the first paragraph with co-management. VMware AirWatch has been able to co-exist with SCCM since the summer. It is definitely not a MS only thing.
From what I've seen so far, the key is that SCCM and Intune are not just co-existing, but they're in communication with each other so that as a management workload is passed from one to another, it's done in a coordinated/integrated way.
"A device can join Azure AD, get enrolled in Intune MDM, and then Intune can deploy the SCCM agent and the device will be in a co-managed state." So could we go into more detail on that? I assumed if a device is co-managed, it would require it to be on-prem domain joined as well as AAD joined?