Device Configuration Workload Switch ConfigMgr Co-Management | SCCM

Let’s take a quick look at the Device Configuration workload switch experience with Windows 10 co-management. The Device Configuration workload includes the configuration settings that you manage for Windows 10 devices in your organization. When you switch this workload, the other two workloads also get moved automatically:

  • Resource Access
  • Endpoint Protection

I shared the experience of switching the client apps workload in the previous post – Co-Management Workload Client Apps. You can learn more about co-management and Microsoft’s strategy towards modern device management from the same post.

Device Configuration Workload – Complex?

Do you think the Device Configuration workload is pretty complex to switch to Intune because of the components involved? Let’s look at the components, or sub-workloads, you need to take care of before you switch to Intune or Pilot Intune.


The following is the high-level view of Device Configuration workloads:

  • Device Configuration
    • Configuration Items
    • Baselines
  • Resource Access
    • VPN
    • Wi-Fi
    • email
    • Certificate
  • Endpoint Protection
    • WIP – Windows Information Protection (even though this is not part of endpoint protection)
    • Windows Defender Antimalware
    • Windows Defender Application Guard
    • Windows Defender Firewall
    • Windows Defender SmartScreen
    • Windows Encryption
      • BitLocker management
    • Windows Defender Exploit Guard
    • Windows Defender Application Control
    • Windows Defender Security Center
    • Windows Defender Advanced Threat Protection (now known as Microsoft Defender Threat Protection)

Device Configuration Workload is NOT Switched to Intune?

Consider a scenario where the device is already enrolled in Intune using group policy, but the device configuration workload is not switched to Intune. As per my testing, the Intune policy deployments won’t work on the Windows 10 co-managed device until you switch the device configuration workload to Intune. However, ConfigMgr policy deployments work as expected.

How to Change Co-Management Device Configuration workload?

Now, let’s see how to switch the Device Configuration workload to pilot Intune or Intune.

  • Navigate to \Administration\Overview\Cloud Services\Co-management
  • Click on CoMgmtSettingProd.
  • Select the properties option from the ribbon menu.
  • Click on the Workloads tab.
  • Slide the Device Configuration, Resource Access, and Endpoint Protection switch to Pilot Intune or Intune.
  • Click on the Staging tab (Only if you selected the Pilot Intune option).
  • Select the pilot collections for the Device Configuration, Resource Access, and Endpoint Protection workloads.
  • Click Apply and OK.

ConfigMgr Deployments

You can check the ConfigMgr (a.k.a. SCCM) deployments from the device properties – Deployments tab. This gives you the list of configuration policies deployed to Windows 10 devices. I feel the view below could help analyze the ConfigMgr deployment details.


How to Check Co-Management is Enabled

This section helps you confirm whether a Windows 10 device is co-managed or not.


You can also confirm the co-management status from the ConfigMgr applet on the Windows 10 device.

  • Co-management = Enabled.
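
As an added example (not from the original post), the same check can be scripted on the client, which also shows which authority owns each workload. It assumes the ConfigMgr client records its workload flags in the CoManagementFlags registry value under HKLM:\SOFTWARE\Microsoft\CCM and that the bit values shown apply to your ConfigMgr version; the function names are hypothetical.

```powershell
# Added example, not from the original post. Assumptions: registry location of
# CoManagementFlags and the bit values below match the ConfigMgr version in use.
$WorkloadBits = [ordered]@{
    'Compliance policies'      = 2
    'Resource Access'          = 4
    'Device Configuration'     = 8
    'Windows Update policies'  = 16
    'Endpoint Protection'      = 32
    'Client apps'              = 64
    'Office Click-to-Run apps' = 128
}

# Hypothetical helper: turn the bitmask into one row per workload.
function ConvertFrom-CoManagementFlags {
    param([Parameter(Mandatory)][int]$Flags)
    $known = 1   # bit 1 = co-management enabled
    $rows = foreach ($name in $WorkloadBits.Keys) {
        $bit = $WorkloadBits[$name]
        $known = $known -bor $bit
        [pscustomobject]@{
            Workload  = $name
            Authority = if ($Flags -band $bit) { 'Intune' } else { 'ConfigMgr' }
        }
    }
    [pscustomobject]@{
        CoManaged = [bool]($Flags -band 1)
        Workloads = $rows
        OtherBits = $Flags -band (-bnot $known)   # reported, not interpreted
    }
}

# Hypothetical helper: read the flags from the local client, if present.
function Get-CoManagementState {
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' `
        -Name CoManagementFlags -ErrorAction SilentlyContinue
    if ($null -eq $reg) { Write-Warning 'CoManagementFlags not found.'; return }
    ConvertFrom-CoManagementFlags -Flags ([int]$reg.CoManagementFlags)
}

$state = Get-CoManagementState
if ($state) {
    "Co-managed: $($state.CoManaged)  Other bits: $($state.OtherBits)"
    $state.Workloads | Format-Table -AutoSize
    # The three workloads this post switches together should agree.
    $trio = 'Device Configuration', 'Resource Access', 'Endpoint Protection'
    $auth = @($state.Workloads | Where-Object { $_.Workload -in $trio } |
        Select-Object -ExpandProperty Authority -Unique)
    if ($auth.Count -gt 1) { Write-Warning "Split authority: $($auth -join ', ')" }
}
```

Run it in an elevated PowerShell session on the co-managed device; a warning about split authority means the Device Configuration, Resource Access, and Endpoint Protection workloads are not all with the same management authority.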

Device Configuration Policy Switch Experience

When you switch the device configuration workload, the SCCM policies stay on the device until the Intune policies overwrite them. Further deployment of the policies can be done only via the Intune management channel.

I have heard requirements to have more granular control over some types of policies, like BitLocker management etc., similar to the control we have with Configuration Baselines explained below.

You can still deploy some settings (Configuration Baselines) from SCCM to co-managed devices even though Intune is the device configuration authority. When creating the baseline, you can enable the option "Always apply this baseline even for co-managed clients".


Check Intune Policies

You can check whether Intune is delivering the policies to Windows 10 co-managed devices from the Endpoint Manager (a.k.a. Intune) portal and the Settings app, as shown in the screenshots below.

  • Let’s head over to Windows 10 Settings app.
  • Navigate to Accounts > Access work or school.
  • Click on Connected Account.
  • Click on the Info button.
  • You can see the Intune policies deployed to the Windows 10 co-managed device.
