In this post I will explain the SCCM co-management capabilities and the workloads related to them. Before diving into co-management capabilities, let's first understand what co-management is and which workloads are associated with it.

What is Co-management

When we enable the co-management feature in SCCM, we create a configuration in which devices can be co-managed between Intune and Configuration Manager. Here, co-manage doesn't mean that Intune and Configuration Manager will both be able to manage the device at the same time.

Hence, co-management is a solution that gives us full control in an infrastructure where Configuration Manager is installed and we have started enrolling devices in Intune. If the organization is not fully ready for devices to be managed by Intune, co-management plays a big role by controlling the workload.

What is workload

There are multiple workloads which can be managed by Intune, such as:

  • Compliance policies
  • Device configuration
  • Endpoint Protection
  • Resource access policies
  • Client apps
  • Office Click-to-Run apps
  • Windows Update policies

These workloads are part of Configuration Manager's co-management settings. Once co-management is configured, navigate to \Administration\Overview\Cloud Services\Cloud Attach to see the configured CoMgmtSettingsProd, then click Properties.

Under Properties, click the Enablement tab. Here you can see that Automatic enrollment in Intune has 3 options:

All: This setting enrolls all devices in SCCM in Intune.

Pilot: With the Pilot setting, you have to define a specific collection. Only devices in this collection will be enrolled in Intune. This is the recommended setting if we are not fully ready to enroll all devices in Intune.

None: We are not enrolling devices yet; we have just provisioned the co-management feature so that it can be used in the future.

Once we click the Workloads tab, the list of all workloads is displayed. You will see a slider against each workload. Each workload can be shifted between 3 options:

  • Configuration Manager: Workload will be managed by SCCM only. This is the default configuration when co-management is set up.
  • Pilot Intune: Best option, as this is the interim solution to control the workload applied to a specific pilot collection. The collection selection appears under another tab, i.e. Staging.
  • Intune: Workload will be managed by Intune only. Only specify this option when you are fully ready for the specific workload to be managed by Intune.

On the Staging tab, we can see the list of all workloads and the collection specified for each. If a device is part of the specific workload collection, it will be managed by Intune. Everything else will be managed by Configuration Manager.

Co-management capabilities

Let's look at the co-management capabilities on the client side. Log in to the Windows device and launch Configuration Manager.

Under Configuration Manager Properties > General tab, we can see that Co-management is Enabled. Co-management capabilities is also shown, as 8193.

Co-management showing as Enabled tells us that the co-management feature is up and running on the device.

The specific number shown for Co-management capabilities tells us which workloads are applied to the device. Here Co-management capabilities is 8193, which means co-management is enabled but no workload is applied.

When we apply a specific workload, this number is going to change.

Note: The default Co-management capabilities value changed from 1 to 8193 with Configuration Manager version 2111. Prior to that, co-management capabilities used to show the value 1.

The following chart will help us understand the workloads and the value associated with each.

The table below is meant for Configuration Manager version 2111 or above, with the same version of the SCCM client installed on the device:

| Workload | Value |
| --- | --- |
| Co-management is enabled without any workload applied | 8193 |
| Compliance policies | 2 |
| Resource access policies | 4 |
| Device Configuration | 8 |
| Windows Update policies | 16 |
| Endpoint Protection | 4128 |
| Client apps | 64 |
| Office Click-to-run apps | 128 |

This is the old table (prior to Configuration manager 2107):

| Workload | Value |
| --- | --- |
| Co-management is enabled without any workload applied | 1 |
| Compliance policies | 2 |
| Resource access policies | 4 |
| Device Configuration | 8 |
| Windows Update policies | 16 |
| Endpoint Protection | 32 |
| Client apps | 64 |
| Office Click-to-run apps | 128 |

Let's take an example. I am going to apply the workload Windows Update policies to the device. This makes the value Co-management (8193) + Windows Update policies (16) = 8209.

We can now see Co-management capabilities showing as 8209.

This can also be verified by checking CoManagementHandler.log (location: c:\windows\ccm\logs), which shows:


Merging workload flags 8193 with 8209
Merged value for setting 'CoManagementSettings_Capabilities' is '8209'
New merged workloadflags value with co-management max capabilities '16383' is '8209'
Machine is already enrolled with MDM

Click the Configuration tab of Configuration Manager Properties to see that CoMgmtSettingPilotWUP is now applied as an assigned configuration baseline; it is associated with the Windows Update policies workload.

Another example: this time, I wanted to apply the following workloads:

Compliance policies: 2
Device Configuration: 8
Endpoint Protection: 4128
Resource Access policies: 4
Windows Update Policies: 16

Adding the numbers as per the chart, Co-management (8193) + compliance policies (2) + Device Configuration (8) + Endpoint Protection (4128) + resource access policies (4) + Windows Update policies (16) gives us Co-management capabilities value as 12351.

Note that Co-management capabilities will show 12351 only when the Configuration Manager client has been upgraded to version 2111, i.e. the client version should be 5.00.9068.1008 or above.

CoManagementHandler.log will show:

Merged value for setting 'CoManagementSettings_Capabilities' is '12351'
New merged workloadflags value with co-management max capabilities '16383' is '12351'

This is the list of all assigned configuration baselines when the above-mentioned 5 workloads are applied:

  • CoMgmtSettingsPilotAutoEnroll
  • CoMgmtSettingsPilotCP
  • CoMgmtSettingsPilotDC
  • CoMgmtSettingsPilotDiskEncryption
  • CoMgmtSettingsPilotEP
  • CoMgmtSettingsPilotRAP
  • CoMgmtSettingsPilotWUP
  • CoMgmtSettingsProd
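
Going the other way, from a logged capabilities value back to the workloads it represents, is useful when confirming which authority owns Endpoint Protection or compliance on a given client. The following is an added example, not part of the original post: it treats the 2111+ table values as bit flags (the listed values share no bits, so this matches the sums above), the function name is hypothetical, and the log lines are constructed in the wording quoted above.

```powershell
# Workload values from the table above (Configuration Manager 2111 or later).
$WorkloadFlags = [ordered]@{
    'Compliance policies'      = 2
    'Resource access policies' = 4
    'Device Configuration'     = 8
    'Windows Update policies'  = 16
    'Endpoint Protection'      = 4128
    'Client apps'              = 64
    'Office Click-to-run apps' = 128
}
$CoMgmtEnabled = 8193   # co-management enabled, no workload applied

function ConvertFrom-CoMgmtCapabilities {   # hypothetical helper name
    param([Parameter(Mandatory)][int]$Value)

    $enabled = ($Value -band $CoMgmtEnabled) -eq $CoMgmtEnabled
    $known = 0
    if ($enabled) { $known = $CoMgmtEnabled }
    $applied = @(foreach ($name in $WorkloadFlags.Keys) {
        $flag = $WorkloadFlags[$name]
        # Some values set more than one bit (4128 = 4096 + 32), so require all of them.
        if (($Value -band $flag) -eq $flag) {
            $known = $known -bor $flag
            $name
        }
    })
    [pscustomobject]@{
        Value       = $Value
        Enabled     = $enabled
        Workloads   = $applied
        # Bits set in the value that the table above does not account for.
        Unexplained = $Value -band (-bnot $known)
    }
}

# Constructed sample lines; on a client, read the real file instead:
# $log = Get-Content 'C:\Windows\CCM\Logs\CoManagementHandler.log'
$log = @(
    "Merging workload flags 8193 with 8209"
    "Merged value for setting 'CoManagementSettings_Capabilities' is '8209'"
    "Merged value for setting 'CoManagementSettings_Capabilities' is '12351'"
)

# Decode the most recent merged value recorded in the log.
$pattern = "CoManagementSettings_Capabilities' is '(\d+)'"
$last = $log | Select-String -Pattern $pattern | Select-Object -Last 1
if ($last) {
    $merged = [int]$last.Matches[0].Groups[1].Value
    ConvertFrom-CoMgmtCapabilities -Value $merged | Format-List
}
```

A non-zero Unexplained field means the value carries bits outside the table above, so the decoded workload list should not be treated as complete for that client.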

Verify workload using Intune Portal

Once the workload is applied, you can verify it in the Microsoft Endpoint Manager admin center by navigating to Devices > Windows > Windows devices. Click on the device to see the information under Co-management > Intune managed workloads: Resource Access Profiles; Device Configuration; Compliance Policy; Windows Update for Business; Endpoint Protection.

List of Workload and configuration baselines associated with it

The following is the list of workload names with the baseline created for each:

  • CoMgmtSettingsPilotAutoEnroll – Defines that Auto Enrollment is enabled for the device
  • CoMgmtSettingsPilotCApp – Client Apps
  • CoMgmtSettingsPilotCP – Compliance Policies
  • CoMgmtSettingsDC – Device configuration
  • CoMgmtSettingsDiskEncryption
  • CoMgmtSettingsEP – Endpoint Protection
  • CoMgmtSettingsO365 – Office Click-to-Run apps
  • CoMgmtSettingsRAP – Resource access policies
  • CoMgmtSettingsWUP – Windows Update policies
  • CoMgmtSettingsProd