Let’s have a quick look at the Device Configuration workload switch experience with Windows 10 co-management. The device configuration workload includes the configuration settings that you manage for the Windows 10 devices in your organization. When you switch this workload, the other two workloads also get moved automatically:
- Resource Access
- Endpoint Protection
I shared the experience of switching the client apps workload in the previous post – Co-Management Workload Client Apps. You can learn more about co-management and Microsoft’s strategy toward modern device management from the same post.
Device Configuration Workload – Complex?
Do you think the Device Configuration workload is pretty complex to switch to Intune because of the components involved? Let’s understand which components, or sub-workloads, you need to take care of before you switch to Intune or Pilot Intune.
The following is the high-level view of Device Configuration workloads:
- Device Configuration
  - Configuration Items
  - Baselines
- Resource Access
  - VPN
  - Wi-Fi
  - Certificate
- Endpoint Protection
  - WIP – Windows Information Protection (even though this is not part of endpoint protection)
  - Windows Defender Antimalware
  - Windows Defender Application Guard
  - Windows Defender Firewall
  - Windows Defender SmartScreen
  - Windows Encryption
  - BitLocker management
  - Windows Defender Exploit Guard
  - Windows Defender Application Control
  - Windows Defender Security Center
  - Windows Defender Advanced Threat Protection (now known as Microsoft Defender Threat Protection)
Device Configuration Workload is NOT Switched to Intune?
Consider a scenario where the device is already enrolled in Intune using group policy, but the device configuration workload has not been switched to Intune. As per my testing, Intune policy deployments won’t work on the Windows 10 co-managed device until you switch the device configuration workload to Intune. ConfigMgr policy deployments, however, work as expected.
How to Change Co-Management Device Configuration workload?
Now, let’s see how to switch the Device Configuration workload to pilot Intune or Intune.
- Navigate to \Administration\Overview\Cloud Services\Co-management
- Click on CoMgmtSettingProd.
- Select the properties option from the ribbon menu.
- Click on the Workloads tab.
- Slide the Device Configuration, Resource Access, and Endpoint Protection switches to Pilot Intune or Intune.
- Click on the Staging tab (Only if you selected the Pilot Intune option).
- Select the pilot collections for the Device Configuration, Resource Access, and Endpoint Protection workloads.
- Click Apply and OK.
ConfigMgr Deployments
You can check the ConfigMgr (a.k.a. SCCM) deployments from the device properties – Deployments tab. This gives you the list of configuration policies deployed to the Windows 10 device. I feel the below view could help analyze the ConfigMgr deployment details.
How to Check Co-Management is Enabled
This section helps to confirm whether a Windows 10 device is co-managed or not.
- You can confirm the co-management status of a Windows 10 client from the Endpoint Manager (a.k.a. Intune) portal – https://endpoint.microsoft.com/.
- You can also confirm the co-management status from the ConfigMgr applet on the Windows 10 device: Co-management = Enabled.
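The two checks above are done in the portal and in the Control Panel applet. As an added example (not code from the original post), the PowerShell below reads the same state from the ConfigMgr client itself and decodes which workloads Intune is now the authority for, which is the quickest way to see why an Intune device configuration profile is being ignored on a device whose workload has not been switched. It assumes the client stores its state in the DWORD value CoManagementFlags under HKLM:\SOFTWARE\Microsoft\CCM and that the bit values listed carry the meanings shown; both are the commonly documented ones, but confirm them against CoManagementHandler.log on your own client.

```powershell
# Added example, not from the original post.
# Assumptions: CoManagementFlags lives under HKLM:\SOFTWARE\Microsoft\CCM, and each bit
# below marks one workload that Intune is the authority for on this client.
$CoManagementWorkloads = @(
    @{ Bit = 1;   Name = 'Co-management enabled' }
    @{ Bit = 2;   Name = 'Compliance policies' }
    @{ Bit = 4;   Name = 'Resource access policies' }
    @{ Bit = 8;   Name = 'Device configuration' }
    @{ Bit = 16;  Name = 'Windows Update policies' }
    @{ Bit = 32;  Name = 'Endpoint protection' }
    @{ Bit = 64;  Name = 'Client apps' }
    @{ Bit = 128; Name = 'Office Click-to-Run apps' }
)

function ConvertFrom-CoManagementFlags {
    # Decode a raw flag value into one row per workload. Works offline, so a value
    # copied from a log or from another machine's registry can be decoded here.
    param([Parameter(Mandatory)][int]$Flags)

    foreach ($w in $CoManagementWorkloads) {
        [pscustomobject]@{
            Workload        = $w.Name
            ManagedByIntune = [bool]($Flags -band $w.Bit)
        }
    }
}

function Get-CoManagementState {
    # Read the flags from the local ConfigMgr client. Returns $null (with a warning)
    # when the client is not installed or has not yet received a co-management policy.
    $key  = 'HKLM:\SOFTWARE\Microsoft\CCM'
    $item = Get-ItemProperty -Path $key -Name CoManagementFlags -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Warning "CoManagementFlags not found under $key; client not installed or co-management not yet applied."
        return $null
    }

    $rows = ConvertFrom-CoManagementFlags -Flags $item.CoManagementFlags
    [pscustomobject]@{
        RawFlags             = $item.CoManagementFlags
        CoManagementEnabled  = ($rows | Where-Object Workload -eq 'Co-management enabled').ManagedByIntune
        DeviceConfigToIntune = ($rows | Where-Object Workload -eq 'Device configuration').ManagedByIntune
        Workloads            = $rows
    }
}

# Usage on a co-managed client.
$state = Get-CoManagementState
if ($state) {
    $state.Workloads | Format-Table -AutoSize
    if (-not $state.DeviceConfigToIntune) {
        Write-Host 'Device configuration is still ConfigMgr-managed; Intune device configuration profiles will not apply until the workload is switched.'
    }
}

# Offline decode of a value noted from a log (constructed example value).
ConvertFrom-CoManagementFlags -Flags 13 | Format-Table -AutoSize
```

The flag value is per client, so with the Pilot Intune option only members of the pilot collection show the Device configuration bit set; a device outside the pilot collection keeps reporting ConfigMgr as the authority, which matches the behaviour described in the section above.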
Device Configuration Policy Switch Experience
When you switch the device configuration workload, the SCCM policies stay on the device until the Intune policies overwrite them. Further deployment of these policies can be done only via the Intune management channel.
I have heard requirements for more granular control over some types of policies, like BitLocker management, similar to the control we have with Configuration Baselines, explained below.
You can still deploy some settings (Configuration Baselines) from SCCM to co-managed devices even though Intune is the device configuration authority. You can enable the option Always apply this baseline even for co-managed clients when creating the baseline.
Check Intune Policies
You can check whether Intune is delivering the policies to Windows 10 co-managed devices from the Endpoint Manager (a.k.a. Intune) portal and the Settings app, as shown in the below screenshots.
- A search of the co-managed device on the Endpoint Manager portal (https://endpoint.microsoft.com/).
- Let’s head over to the Windows 10 Settings app.
- Navigate to Accounts – Access work or school.
- Click on Connected Account.
- Click on the Info button.
- You can see the Intune policies deployed to the Windows 10 co-managed device.
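The Info page in the Settings app lists the policies the MDM channel has applied. As an added example (not code from the original post), the PowerShell below lists the same applied MDM policy values from the registry, which is handy when you need to confirm on many devices that an Intune device configuration profile has really landed after the workload switch. It assumes Windows mirrors applied CSP policy values under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>, with companion values suffixed _ProviderSet, _WinningProvider and _LastWrite; treat that layout as an assumption and compare the output with the Settings app on your own device.

```powershell
# Added example, not from the original post.
# Assumption: applied MDM (CSP) policies are mirrored under the PolicyManager key below,
# one subkey per CSP area, one value per setting, plus metadata companion values.
function Get-AppliedMdmPolicy {
    param(
        # Optional CSP area filter, e.g. 'Bitlocker' or 'Update'. Wildcards allowed.
        [string]$Area = '*'
    )
    $root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'
    if (-not (Test-Path $root)) {
        Write-Warning "$root not present; no MDM policies have been applied to this device."
        return
    }

    Get-ChildItem -Path $root |
        Where-Object { $_.PSChildName -like $Area } |
        ForEach-Object {
            $areaKey = $_
            $props   = Get-ItemProperty -Path $areaKey.PSPath
            # Skip the PowerShell provider properties (PSPath etc.) and the metadata
            # companions, so only the effective setting values are reported.
            $props.PSObject.Properties |
                Where-Object {
                    $_.Name -notmatch '^PS' -and
                    $_.Name -notmatch '_(ProviderSet|WinningProvider|LastWrite)$'
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        Area    = $areaKey.PSChildName
                        Setting = $_.Name
                        Value   = $_.Value
                    }
                }
        }
}

# Usage: everything the MDM channel has applied, then just the BitLocker area.
Get-AppliedMdmPolicy | Sort-Object Area, Setting | Format-Table -AutoSize
Get-AppliedMdmPolicy -Area 'Bitlocker' | Format-Table -AutoSize
```

If a profile you assigned in Intune is missing from this list on a device that reports Co-management = Enabled, check the workload flags first: while device configuration is still ConfigMgr-managed, the Intune policy is received but not enforced.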
Author
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Hey Anoop,
Great article! I wanted to know if you can revert the workload management from Intune back to ConfigMgr?
Yes, you can.
I’m in the middle of a co-managed Windows Update project. I moved the pilot for Windows Update, and then devices with BitLocker cannot work any more.
Any specific errors that you notice in windowsupdate.log? Try https://www.anoopcnair.com/sccm-collect-windows-update-logs-cmpivot-config/
Great article, but what about moving from MBAM to SCCM BitLocker? I get the same error from Bitlockermanagementhandler.log: "Security workload is not SCCM managed; ignoring policy."
I have removed the GPO but do I need to remove the MBAM agent as well?