Device Configuration Workload Switch ConfigMgr Co-Management | SCCM

Today, I will discuss the Device Configuration workload switch in ConfigMgr (SCCM) co-management. Let’s first examine the Device Configuration workload switch experience with Windows 10 co-management.

The device configuration workload includes settings you manage for Windows 10 devices in your organization.

When you switch this workload, the other two workloads, Resource Access and Endpoint Protection, are automatically moved with it.

In the previous post, Co-Management Workload Client Apps, I shared my experience switching client app workloads. In the same post, you can learn more about co-management and Microsoft’s strategy toward modern device management.

Device Configuration Workload – Complex?

Do you think switching to Intune for the Device Configuration Workload is pretty complex because of the components involved? Before switching to Intune or Pilot Intune, let’s understand the components or sub-workloads you must consider.

Device Configuration Workload Switch ConfigMgr Co-Management | SCCM – Fig.1

The following is the high-level view of Device Configuration workloads:

Device Configuration:
  • Configuration Items
  • Baselines

Resource Access:
  • VPN
  • Wi-Fi
  • email
  • Certificate

Endpoint Protection:
  • WIP – Windows Information Protection (even though this is not part of endpoint protection)
  • Windows Defender Antimalware
  • Windows Defender Application Guard
  • Windows Defender Firewall
  • Windows Defender SmartScreen
  • Windows Encryption BitLocker management
  • Windows Defender Exploit Guard
  • Windows Defender Application Control
  • Windows Defender Security Center
  • Windows Defender Advanced Threat Protection (now known as Microsoft Defender Threat Protection)

Device Configuration Workload Switch ConfigMgr Co-Management | SCCM – Table 1

What If the Device Configuration Workload Is NOT Switched to Intune?

In a scenario where the device is already enrolled in Intune using group policy, what if the device configuration workload is not switched to Intune? Per my testing, Intune policy deployments won’t work on the Windows 10 co-managed device until you switch the device configuration workload to Intune. However, ConfigMgr policy deployments work as expected.

How to Change Co-Management Device Configuration Workload?

Let’s see how to switch the Device Configuration workload to pilot Intune or Intune.

  • Navigate to \Administration\Overview\Cloud Services\Co-management
  • Click on CoMgmtSettingProd.
  • Select the properties option from the ribbon menu.
  • Click on the Workloads tab.
  • Slide the Device Configuration, Resource Access, and Endpoint Protection switch to Pilot Intune or Intune.
Device Configuration Workload Switch ConfigMgr Co-Management | SCCM – Fig.2
  • Click on the Staging tab (Only if you have selected the Pilot Intune option).
  • Select the pilot collections for the Device Configuration, Resource Access, and Endpoint Protection workloads.
  • Click Apply and OK.
Device Configuration Workload Switch ConfigMgr Co-Management | SCCM – Fig.3

ConfigMgr Deployments

You can check the ConfigMgr (a.k.a. SCCM) deployments from the device properties in the Deployments tab. This helps you see the configuration policies deployed to Windows 10 devices. I feel the view below could help analyze the ConfigMgr deployment details.

Device Configuration Workload Switch ConfigMgr Co-Management | SCCM – Fig.4

How to Check Co-Management is Enabled

This section helps confirm whether the Windows 10 device is co-managed.

Device Configuration Workload Switch ConfigMgr Co-Management | SCCM – Fig.5

You can also confirm the co-management status from the ConfigMgr applet on Windows 10 devices.

  • Co-management = Enabled.
Device Configuration Workload Switch ConfigMgr Co-Management | SCCM – Fig.6
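
To go one step beyond the Enabled flag, the sketch below (an added example, not from the original post) decodes the numeric co-management capabilities value that the ConfigMgr client reports and checks that Device Configuration, Resource Access, and Endpoint Protection moved together, as described earlier. The bit values are the ones listed in Microsoft's co-management documentation; the function names and the sample values are constructed for illustration.

```powershell
# Added example (not from the original post). Bit values as documented by
# Microsoft for the co-management capabilities number; names are hypothetical.
$WorkloadBits = [ordered]@{
    'Compliance policies'      = 2
    'Resource access'          = 4
    'Device configuration'     = 8
    'Windows Update policies'  = 16
    'Endpoint protection'      = 4128   # two bits: 4096 + 32
    'Client apps'              = 64
    'Office Click-to-Run apps' = 128
}

function Get-CoMgmtWorkloadAuthority {
    param([Parameter(Mandatory)][int]$Capabilities)
    foreach ($name in $WorkloadBits.Keys) {
        $mask = $WorkloadBits[$name]
        # A workload belongs to Intune only when every bit of its mask is set.
        $onIntune = ($Capabilities -band $mask) -eq $mask
        [pscustomobject]@{
            Workload  = $name
            Authority = if ($onIntune) { 'Intune' } else { 'ConfigMgr' }
        }
    }
}

function Test-DeviceConfigSwitch {
    param([Parameter(Mandatory)][int]$Capabilities)
    $state = @{}
    Get-CoMgmtWorkloadAuthority -Capabilities $Capabilities |
        ForEach-Object { $state[$_.Workload] = $_.Authority }
    if ($state['Device configuration'] -ne 'Intune') { return $true }  # nothing to check
    # Device Configuration on Intune implies the two dependent workloads moved too.
    ($state['Resource access'] -eq 'Intune') -and ($state['Endpoint protection'] -eq 'Intune')
}

# Constructed sample values, not taken from a real device.
foreach ($value in 8193, 12333, 8201) {
    "{0}: consistent = {1}" -f $value, (Test-DeviceConfigSwitch -Capabilities $value)
    Get-CoMgmtWorkloadAuthority -Capabilities $value | Format-Table -AutoSize
}
```

A value that shows Device Configuration on Intune while Endpoint Protection is still on ConfigMgr is worth investigating before relying on either channel to enforce Defender or BitLocker settings.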

Device Configuration Policy Switch Experience

When you switch device configuration workloads, the SCCM policies stay on the device until the Intune policies overwrite them. The policies can be further deployed only via the Intune management channel.

I have heard requirements for having more granular control over some policies, like BitLocker management, etc., similar to the control we have with Configuration Baselines explained below.

Even though Intune is the device configuration authority, you can still deploy some settings (Configuration Baselines) from SCCM to co-managed devices. When creating the baseline, you can enable the option to always apply it, even for co-managed clients.

Device Configuration Workload Switch ConfigMgr Co-Management | SCCM – Fig.7

Check Intune Policies

You can check whether Intune delivers policies to Windows 10 co-managed devices from the Endpoint Manager (a.k.a. Intune) portal and from the Settings app, as the screenshots below show.

Device Configuration Workload Switch ConfigMgr Co-Management | SCCM – Fig.8

Let’s head over to the Windows 10 Settings app.

  • Navigate to Accounts > Access work or school (Access resources like email, apps, and the network).
  • Click on Connected Account.
  • Click on the Info button.
Device Configuration Workload Switch ConfigMgr Co-Management | SCCM – Fig.9

You can see the Intune policies deployed to the Windows 10 co-managed device.

Device Configuration Workload Switch ConfigMgr Co-Management | SCCM – Fig.10

Author

Anoop C Nair has been a Microsoft MVP from 2015 onwards for 10 consecutive years! He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.

6 thoughts on “Device Configuration Workload Switch ConfigMgr Co-Management | SCCM”

  1. I’m in the middle of a co-managed Windows Update project. I moved the pilot for Windows Update, and then devices with BitLocker cannot work any more.
  2. Great article, but what about moving from MBAM to SCCM BitLocker? I get the same error from Bitlockermanagementhandler.log: Security workload is not SCCM managed; ignoring policy.

    I have removed the GPO but do I need to remove the MBAM agent as well?
  3. Hi, I’ve set all this up as described above (all sliders moved to Intune) but want Intune to show Compliant/non-compliant rather than See ConfigMgr. Is there a way to do that? It’s easier to see it at a glance than having to click on all devices and then compliance to see the state.

    Thanks