I was looking for a way to deploy a Co-management policy with only the Windows Update policies workload to a specific collection. The goal was to transition a smaller set of computers (ones that are not members of the already existing Pilot group) to be controlled via Intune instead. In the Configuration Manager console I was not able to create multiple Co-management policies, so I assumed this was not possible. Then I found a great article describing the exact scenario I had, tried it in my environment, and it worked like a charm.
All credit goes to Cody Mathis and his original article about this topic.
This is now possible within ConfigMgr itself starting from version 1906: you can choose a separate collection for each workload. Read more about it here. Use that instead of the solution proposed below.
So what do I need to do to make this possible?
We need to use PowerShell to create a new Co-management policy with the cmdlet New-CMCoManagementPolicy. We can then rename the policy and deploy it to whatever collection we want. Isn't that awesome?
In this example we will create a policy with WufbWorkloadEnabled, which moves only the Windows Update policies workload for the specific collection of our choice.
Other workloads can be set by using the following parameters:
- CAWorkloadEnabled = Compliance policies
- RAWorkloadEnabled = Resource access policies
- WufbWorkloadEnabled = Windows Updates Policies
- EPWorkloadEnabled = Endpoint Protection
- Office Click-to-Run apps = Doesn't have its own parameter, so you need to create that via XML instead. This is very well described in Cody's article (link above), so I won't cover it in this post.
Start PowerShell from within the console and run the following commands (please note that the deployment command differs depending on the version you are running):
$NewPolicy = New-CMCoManagementPolicy -AutoEnroll $true -WufbWorkloadEnabled $true
$PolicyID = $NewPolicy.CI_ID
$NewPolicy | Set-CMConfigurationItem -NewName 'CoMgmtSettingsPilot-WUFB'
# Run this if you are using SCCM 1806 or below
Get-CMConfigurationPolicy -Id $PolicyID | New-CMConfigurationPolicyDeployment -CollectionName 'Pilot - Intune WUFB'
# Run this if you are using SCCM 1810 or above
New-CMConfigurationPolicyDeployment -CoManagementPolicy (Get-CMConfigurationPolicy -Id $PolicyID) -Collection (Get-CMCollection -Name 'Pilot - Intune WUFB')
If done correctly, the policy should now be deployed to the collection you defined in the commands above, and you should see it as in the picture below.
On the computer you can now see that the new Co-management policy (CoMgmtSettingsPilot-WUFB) has been applied in the Configurations tab (control smscfgrc). Please note that you may see multiple CoMgmtSettings entries depending on your configuration.
We can also see that the Intune policies have been applied to the computer (Settings > Update & Security > View configured update policies > Policies set on your device).
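Generalizing the commands above, here is an added example (my own, not from the post or from Cody Mathis's article) that wraps the same cmdlets in a function accepting any of the workloads listed above, refuses to deploy to a collection larger than a configured size so a pilot policy cannot land on a broad collection by mistake, and supports -WhatIf. The function name, its parameters and the member-count guardrail are this example's own; it assumes the ConfigMgr PowerShell module is loaded and the site drive is the current location, as when PowerShell is started from the console.

```powershell
# Added example: create a co-management policy for chosen workloads and deploy it
# to one collection. Assumes the ConfigMgr module is loaded and PS is on the site drive.
function New-ScopedCoManagementPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $PolicyName,
        [Parameter(Mandatory)] [string] $CollectionName,
        # Workloads to hand to Intune; anything not listed stays with ConfigMgr.
        [Parameter(Mandatory)]
        [ValidateSet('Compliance', 'ResourceAccess', 'WindowsUpdate', 'EndpointProtection')]
        [string[]] $Workload,
        # Guardrail (this example's own): refuse larger collections unless -Force is given.
        [int] $MaxMembers = 50,
        # Pre-1810 sites use the pipeline form of New-CMConfigurationPolicyDeployment.
        [switch] $Legacy,
        [switch] $Force
    )
    # Friendly names -> the New-CMCoManagementPolicy parameters listed in the post.
    $paramFor = @{
        Compliance         = 'CAWorkloadEnabled'
        ResourceAccess     = 'RAWorkloadEnabled'
        WindowsUpdate      = 'WufbWorkloadEnabled'
        EndpointProtection = 'EPWorkloadEnabled'
    }
    $collection = Get-CMCollection -Name $CollectionName
    if (-not $collection) { throw "Collection '$CollectionName' not found." }
    if ($collection.MemberCount -gt $MaxMembers -and -not $Force) {
        throw "'$CollectionName' has $($collection.MemberCount) members (limit $MaxMembers); use -Force."
    }
    # Splat so that only the requested workloads are switched on.
    $policyArgs = @{ AutoEnroll = $true }
    foreach ($w in $Workload) { $policyArgs[$paramFor[$w]] = $true }
    $action = "Deploy '$PolicyName' ($($Workload -join ', ')) to collection"
    if (-not $PSCmdlet.ShouldProcess($CollectionName, $action)) { return }
    $policy = New-CMCoManagementPolicy @policyArgs
    $policy | Set-CMConfigurationItem -NewName $PolicyName
    $policyObj = Get-CMConfigurationPolicy -Id $policy.CI_ID
    if ($Legacy) {
        $policyObj | New-CMConfigurationPolicyDeployment -CollectionName $CollectionName
    } else {
        New-CMConfigurationPolicyDeployment -CoManagementPolicy $policyObj -Collection $collection
    }
    $policyObj
}

# The post's scenario: Windows Update workload only, pilot collection. Drop -WhatIf to apply.
New-ScopedCoManagementPolicy -PolicyName 'CoMgmtSettingsPilot-WUFB' `
    -CollectionName 'Pilot - Intune WUFB' -Workload WindowsUpdate -WhatIf
```

Run it first with -WhatIf to confirm the target collection and member count before anything is created, then add -Legacy on a 1806 or older site.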
If you have any questions, feel free to email me at email@example.com or comment down below. I will try to answer you as soon as possible.