
For what feels like forever, the status quo for managing devices in an enterprise network has been Active Directory. We’ve all had experience of operating in a domain-joined environment, but let’s briefly recap some of the main benefits:

  • Computer and user accounts are centrally managed by IT.
  • Group Policies give layered policy control to restrict and govern what happens on computers.
  • Applications can be deployed and restricted using Group Policy.
  • Powerful authentication using Kerberos controls user and computer access to the network.

Add to this System Center Configuration Manager (SCCM), for even better control of software and hardware inventory and the ability to deploy and track applications, and you really have an outstanding best-of-class package. Many administrators have spent years perfecting this infrastructure.

But hold on for a second – Microsoft designed Active Directory back in 1999 – that’s literally so last century! It’s 2018 now, the era of the cloud. We use devices to check our email, our social media, the weather forecast and more, before even leaving our beds each morning (well I know I do and I’m not alone). All of this, typically on an unmanaged device – your mobile phone. We no longer wait to reach the office each morning before accessing our first device, and with that, corporate data like email, Yammer, OneDrive and other services.


The challenge now is not to secure the desktop, but to secure all kinds of devices including desktops, tablets and phones, or more specifically the data accessed by those devices.

For some time, Microsoft has offered cloud management services such as Intune for device management. It’s certainly true that Intune isn’t a like-for-like replacement for Active Directory (for example, it lacks the depth and richness of Group Policy, with its thousands of policy settings), but it can equally be said that it has many advantages over the traditional on-premises infrastructure that Active Directory provides.

I’m currently writing this on a device that has never been joined to a domain. I’ve never logged in to it using a domain user account, and at the same time I do not have a local account. I log in with an Azure Active Directory (AAD) account, so a cloud-based identity. My device is joined to AAD.

I use Microsoft 365 services that include AAD, Intune, Office 365 and Windows 10, to name a few. But not everyone reading this may be in that idyllic cloud-only situation. For most, their organization will have constraints for some years to come that won’t allow a full move to the cloud.

So what are the options?

Do nothing and wait until the company is ready for the final big push switch to cloud only? Stay on-premises?

Actually, there’s a middle ground.

For over a year now, you have been able to join a Windows 10 device to Active Directory (AD) and Azure AD at the same time. From Configuration Manager version 1710 onwards, co-management builds on this and allows you to manage Windows 10 devices using both Configuration Manager and Intune.
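Before a device can be co-managed it has to be in the joint AD-plus-Azure-AD state described above (commonly called hybrid Azure AD join), so the first check an administrator wants is a quick read-out of the device’s join state. The script below is an added example, not code from the original post or from Microsoft: it parses the “Name : Value” pairs printed by the built-in `dsregcmd /status` tool (the `AzureAdJoined` and `DomainJoined` fields of its Device State section) and classifies the device. The embedded sample output is constructed so the script also runs offline; on a real Windows 10 device it additionally reads the live command output.

```powershell
# Added example (not from the original post): classify a Windows 10 device's
# identity join state from the output of the built-in "dsregcmd /status" tool.
# Field names used here (AzureAdJoined, DomainJoined) are the ones dsregcmd
# prints in its "Device State" section.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd prints "Name : Value" lines; keep the first occurrence of each name.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            if (-not $state.ContainsKey($Matches[1])) { $state[$Matches[1]] = $Matches[2] }
        }
    }
    return $state
}

function Get-DeviceJoinState {
    param([Parameter(Mandatory)][hashtable]$State)
    $aad = $State['AzureAdJoined'] -eq 'YES'
    $dom = $State['DomainJoined']  -eq 'YES'
    if ($aad -and $dom) { return 'Hybrid Azure AD joined (AD + Azure AD; eligible for co-management)' }
    if ($aad)           { return 'Azure AD joined only (cloud-only identity)' }
    if ($dom)           { return 'Domain joined only (on-premises AD, not registered with Azure AD)' }
    return 'Not joined to AD or Azure AD (workgroup / unmanaged)'
}

# Constructed sample shaped like the "Device State" section, so this runs offline.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@ -split "`r?`n"

$parsed = ConvertFrom-DsregStatus -Lines $sample
Write-Output ("Sample device: " + (Get-DeviceJoinState -State $parsed))

# On a real Windows 10 device, run the same classification on the live output.
if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
    $live = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
    Write-Output ("This device:   " + (Get-DeviceJoinState -State $live))
}
```

The constructed sample has both `AzureAdJoined` and `DomainJoined` set to `YES`, so it classifies as hybrid joined; a device that reports `DomainJoined : YES` but `AzureAdJoined : NO` is the usual sign that the hybrid join (typically driven by Azure AD Connect and the automatic-registration Group Policy) has not completed yet and the device will not appear in Intune for co-management.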

Why would you want to do this?

Well, as stated earlier, not everyone is ready to make the switch to cloud-only right now. Maybe you aspire to this, but there are lots of reasons why it may not be possible short-term. This gives you the best of both worlds. You can still manage devices using Configuration Manager, but now start to enrol devices into Intune at the same time. This approach may not only buy you time to figure out your eventual move to the cloud, but now allows you to manage the non-Windows devices that were traditionally out of scope for Configuration Manager.

And that’s really the beauty of this. We’ve moved from worrying about controlling the device, to a sophisticated control plane around data management using Azure Information Protection (AIP), data labels, Data Loss Prevention (DLP) and other solutions that safeguard our data access in the GDPR world we live in today.

So, if you’re still stuck in the on-premises rut, I would urge you to look at how Intune has evolved to where it is today, along with the complementary services that EM+S (Enterprise Mobility and Security) brings to the table, which help to control access to data while also allowing secure sharing and collaboration. Maybe co-management is what you are looking for to bridge the gap from the on-premises world to the cloud.

About the Author

Chris Rhodes

Chris is a Windows MVP, delivering technical training on Microsoft technologies for over 20 years. He is an event organiser and speaker with both the Windows User Group and Microsoft 365 User Group, and he regularly presents at conferences such as MS Ignite.
