Site icon TheWindowsUpdate.com

Support Tip: Configuring workloads in a co-managed environment

This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.

Hi everyone, today we have a great post by Intune support engineer Betty Jia where she walks you through resolving an issue you might encounter when co-management is enabled, but even better, she goes on to talk about how pre-release features work in Configuration Manager and offers some insight into how you can turn these on and off and verify the configuration in your environment. Whether you use co-management today or have plans to do so in the future, this is one you’ll want to bookmark.

 

=====

 

Co-management is a great solution that allows you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality and allowing you to control which workloads are controlled by which service. You're also able to pilot a workload with a separate collection of devices. Piloting allows you to test the Intune functionality with a subset of devices before switching a larger group. Similar to piloting, co-management also allows you to enable certain prerelease features for early testing, and this is the core of what I’ll be covering in this post.

 

For example, let’s say you’ve configured co-management but you notice that apps and PowerShell scripts deployed from Intune to co-managed devices show a status of Not applicable, whereas the same are successfully deployed to devices managed solely by Intune.

 

As mentioned earlier, co-management allows you to control which workloads are controlled by Intune and which are controlled by Configuration Manager (more on that here), however you notice that the problem remains even after switching all available workloads to Intune or Pilot Intune in the Configuration Manager console:

 

 

Do you notice anything missing in the screen shot above? When you review the workloads listed in this article and in the screen shot above, notice how the Client apps workload is not there even though the article states that co-management supports the following workloads:

 

So what’s going on? When the Client apps workload is switched to Intune (or Intune Pilot), you can deploy apps from Intune portal to co-managed devices. However, if this workload is not switched to Intune, the client apps cannot be deployed successfully from Intune. You will also notice that besides the client apps, PowerShell script profiles and Win32 apps also cannot be deployed successfully from Intune. This is because the Intune Management Extension (IME) that serves to supplement the in-box Windows 10 MDM features is only installed when a PowerShell script or a Win32 app is deployed to a user or device security group (see https://docs.microsoft.com/intune/intune-management-extension for more information on this). If the Client apps workload is not switched to Intune, IME will not get installed, thus PowerShell Scripts and Win32 apps will also fail to deploy.

 

Based on all of this you can probably now figure out why apps and PowerShell scripts deployed from Intune to co-managed devices show a status of Not applicable – because the workload has not been switched to Intune. But why is that, and why do you not see the option to switch the Client apps workload to Intune? The answer is because the Client apps workload is a pre-release feature.

Pre-release features are features that are in the current branch for early testing in a production environment. These features are fully supported but still in active development, thus they might receive changes until they move out of the pre-release category. To use pre-release features, you must first give consent and then enable them in the console. Here’s how that is done:

 

In the Configuration Manager console under Hierarchy Settings properties, you will see the option Consent to use Pre-Release features. The first step is to grant consent by checking the box:

 

 

Next, under Updates and Servicing, turn on Mobile apps for co-managed devices:

 

 

Lastly, go back to the Workloads tab and you’ll see that the Client apps workload now appears:

 

-

 

Switch the Client apps workload to Intune and you’re good to go. At this point, apps and PowerShell scripts deployed from Intune to co-managed devices should successfully install.

 

Additional Reading

Another common question I get when talking about this is how to check whether the Client apps workload is switched to Intune from the client device. To answer that question we’ll need to take a closer look at co-management capabilities.

 

Once the device is co-managed, in Configuration Manager properties you will see that the Co-management property value is set to Enabled:

 

 

You will also notice a Co-management capabilities property and value:

 

 

This value is a reflection of the co-management workloads configured in Configuration Manager and is a sum of settings you configured. The maximum value of Co-management capabilities is 255, which is the sum of all these values as listed in the chart below.

 

Value

Workload

1

Inventory. It simply means co-management is configured

2

Compliance policies

4

Resource access policies

8

Device Configuration

16

Windows Update policies

32

Endpoint Protection

64

Client apps

128

Office Click-to-run apps

 

This means that if we only switch the Client apps workload to Intune, the Co-management capabilities value would be 1+64, or 65. So for a value of 175 as in our example above, that means the workloads switched to Intune are Inventory (1) + Compliance polices (2) +  Resource access polices (4) + Device Configuration (8) + Endpoint Protection (64) + Office click-to-run apps (128)= 175. We can verify this by checking in the Configuration Manager console:

 

 

Taking this a step further, if we switch the Client apps workload (a value of 64) to Intune, the value for Co-management capabilities will become 239 (175+64):

 

 

 

Hopefully this sheds a little more light not only on why apps and PowerShell scripts deployed from Intune to co-managed devices might show a status of Not applicable, but also how you can work with and enable pre-release features in Configuration Manager. As always, I appreciate any comments or feedback so feel free to leave me a note in the comments below.


Betty Jia

Support Engineer

Microsoft Intune Support Team

Exit mobile version