Does anyone know if having an IBCM instead of a CMG is a possible scenario for Intune, Autopilot, and co-management, using IBCM's Management Point role to deploy the client installation from Intune to AAD-enrolled devices?


As the title says, I have an IBCM working perfectly in my environment, and I have some new challenges on remote sites that won't have our infra, so I am trying to investigate whether, with our current scenario, I could co-manage those devices by just telling those users to download the Company Portal and then having Intune deploy the SCCM client, but using my IBCM FQDN in the client install switches. I already tried manually on an Intune-enrolled device, but I'm seeing lots of errors regarding certificates, since it's a computer that is AAD enrolled but not AD joined and doesn't have any certs. Should I continue looking this way?


Answers (5)


    Theoretically, it should work, provided you have enabled Azure Active Directory discovery in ConfigMgr.

    Try this link to understand the flow and see if you are able to see the mentioned log entries using your IBCM server.

    Best answer

    Hello – Azure AD joined is an easy scenario; you might need to enable Azure AD User Discovery to get this working …

    Hope you are deploying a PKI cert via Intune to get IBCM auth working.

    Have you already enabled this discovery?

    I think Rajul explained this scenario in the following video:


    Hello – Have these devices already received the certs to access the IBCM servers via the HTTPS channel?

    Are these devices domain joined or hybrid Azure AD joined?

    Or are you in a personal Windows 10 device scenario? If that is the scenario, then it will be a bit difficult, because we are getting into a workgroup scenario.

    We have loads of discussions about similar topics. Would this be helpful? Please check.




      The scenario that I need is in remote offices: the users should just download the Company Portal and then auto-enroll in Intune (already configured), and from Intune receive a client install, so my test device is not domain joined, but would be AAD joined.

      Devices will be corporate owned, but sent directly to their business centers. This is because those sites are very small (5-15 people) and we can't afford a whole DHCP / DC / DP infra.


