S02E37 - Adding Cloud Value - Co-Management (I.T)

Captions
Hello and welcome to another episode of intune.training, the place to learn how to use Microsoft Intune: the Steve and Adam show with Jake, obviously, and special guest Ravi Kalwani. Hello Ravi, thanks for joining us. No problem, glad to be here.

So Ravi, as I do with our guests these days, tell us who you are, and then Steve will kind of tell us what we're going to be doing today.

Okay, cool. So my name is Ravi Kalvani, I'm based in Sydney, Australia. I've been working with Config Manager for a long, long time. I started working with Config Manager when it was not Config Manager, it was SMS. Yes, exactly, it used to be called slow moving software as well, Jake. Yeah, so I've actually helped customers go from SMS 3.0 to Service Pack 1, from SP1 to SCCM 2007. So the point is I've been working with the management technology for a long, long time, and now for probably three and a half years I've just been concentrating on Intune, the cloud part of it, and also Config Manager. That's okay, it goes with our brand, it's intune.training, it's all good.

That's right, and that's how we've got the link between Config Manager and Intune, because today we're going to be talking about linking your on-prem resources, being Config Manager, to your Intune environment with co-management, cloud attach and a whole heap of other things that Ravi will go into and explain better than I will.

Yeah, and I'll just call out for the viewers: if you haven't already seen it, we have a video called The Big Three that we did with Danny Gillery, related to co-management, tenant attach and cloud management gateway, and it was just a discussion around these items. So the topic today with Ravi: we're going to cover co-management in one technical deep dive video, and then we'll do another, so stay tuned for the second, where we'll talk about tenant attach. So make sure that you subscribe so you can see the second one.

Yes, and with that, Ravi, take it away.

Cool, okay. So I'm going to start presenting. It's actually probably not usual here at intune.training, but I'm going to be presenting a deck. I would have a lot of live demos as well; I will actually be logging into my Config Manager tenant as well, so there would be a lot of live things, not just a PowerPoint. I'm just happy that we're going to be doing a lab environment for Config Manager and we're not going to try and spin it up on the fly like we normally would. It might end up being like a two-day video if you were to do that. Yes, yes. You forgot to set that up? All right, stop recording, try again. [Laughter]

Okay, cool. So let me present my screen, I hope it comes up okay. Yes, you can see it? All right, looks great. Right, so we're going to talk about attaching your Config Manager environment to the cloud, and there are two parts of it that I'm going to be talking about. In today's session we're just going to talk about co-management, which we also call cloud attach, sorry, client attach, co-management, and then there would be another one that is tenant attach. So we're going to be breaking the entire cloud attach part of it into two parts: one would be co-management, or client attach, and another would be tenant attach, and we're going to start with the co-management piece today.

Now let's jump directly into it. Okay, so the slides that I'm showing are not ones I've created from start to end; a lot of these slides have been presented by Microsoft in various sessions, but I do want to make sure that we bring this up to ensure that everybody is aware of the basic concepts, and there are these animations, I really like them because they present the concept very, very nicely. So again, the first thing that I want to talk about is Config Manager and Intune. As Microsoft says, they are part of the same solution, that is Microsoft Endpoint
Manager, and a lot of times you would read in the Microsoft licensing docs as well that the CAL licenses have been consolidated. So for a lot of organizations, if they do have a Config Manager CAL license or an Intune CAL license, they are allowed to use the on-prem or the cloud solution; it's an Endpoint Manager CAL license and you can use the solutions that would work for you. And in a lot of cases, what they also recommend is you use both the solutions, Config Manager as well as Intune, and this is what we're going to talk about.

This just tells you what Config Manager is: it manages devices which are on-prem, and then there is the second part, which is co-management, and then there is cloud native. So what we're going to talk about today is number two, which is co-management, and at a later time we're going to talk about number one, on the left and top, that is tenant attach.

Now let's drill down a bit more into the two scenarios before picking one and going deep dive into it. So there is tenant attach, which is on the left, which gives you a set of capabilities. Tenant attach is something you enable on Config Manager and it gives you a set of capabilities; co-management is another and gives you another set of capabilities, and the capabilities are listed in there. So what I want to really highlight here is that the capabilities that you get with tenant attach are completely different from the capabilities that you get with co-management, and that is the reason there should not be a question coming from organizations: should I go co-management or should I go tenant attach? In a lot of cases the value the organizations are going to get is when they enable both. When they enable co-management, which is on the right-hand side, they get conditional access, which is one of the hero features that Microsoft demonstrates. It also gives you the capability of management anywhere, because the devices are managed through Intune, and then the modern provisioning, which is very,
very popular, through Autopilot. But if you look at the left-hand side, tenant attach gives you capabilities too. Again, we're going to drill down into the help desk, which is, I believe, one of my favorite capabilities when it comes to tenant attach. So there is Desktop Analytics, there is user experience analytics; these capabilities are coming from tenant attach. So the first thing that I want to highlight for any organization, or even in your test tenant: it's not enabling one part or the other part of cloud attach, you should enable both the capabilities to get the most out of it.

And just from, I guess, my user's perspective, the way that I always classify them is: tenant attach is a gateway to your on-prem resources, or to your on-prem Config Manager environment. So it's a web front end to manage Config Manager through the cloud, but your devices themselves, and even the communication to the devices, is actually still occurring on-prem. So it's through a gateway to your Config Manager server, which then communicates on behalf of the cloud presence. Whereas the co-management piece is where you're actually enabling the device to talk directly to Intune for the management components that you enable, so that you can manage that device anywhere. Whereas with tenant attach the device still has to be able to talk back directly to the on-prem infrastructure for it to function. But together you get this amazing holistic way: now you have a cloud management component through tenant attach, but then you also have touch any device anywhere through co-management, and so it's even more better together kind of stuff. So I really like it.

Correct, right, very well said. So the two points that I would take from what you said are: tenant attach, it's the Config Manager speaking with Intune, and when it is co-management, it's the client directly speaking or communicating to Intune. So that's correct.
Yeah, so that's what comes up in my next slide. So I wanted to talk about the overall architecture of it. If you see at the bottom part there is a co-managed device, and the co-managed device itself is speaking to Intune; there is a direct management channel from Intune. However, there is also a direct management channel to Config Manager, so it's the device itself that is communicating back and forth with the two solutions. That's what client attach, or co-management, is. However, if you see tenant attach, we're not really talking about the device itself; the architecture of the Config Manager stays exactly what it has always been. What you do is you take the Config Manager and make it communicate to Intune. Now Microsoft actually created components in the cloud to get this capability of Config Manager speaking with Intune, but again, you do not have to do anything on the device to enable tenant attach. But again, like I said, we're going to drill into a lot more details on tenant attach at a later session, a later video, but today I just want to ensure that we cover as much detail as we can for co-management.

So let's jump into the first part, that is co-management. I've talked about what exactly co-management is. I also put in client attach, because it's the client that's attaching to Intune. But this is what it is: the message from Microsoft is, if you have legacy devices, go to modern management; Windows 7, go to Windows 10. But if you see the third part, the last three solutions, Active Directory, Defender and Config Manager, Microsoft does not say to move your current Config Manager to Intune, or cloud, which is Intune, but take your current Config Manager and attach it to Intune. That's what the message from Microsoft is, and what it also means is Microsoft on numerous occasions have said that the news, the perception of Config Manager's time being up, is not correct. That's right, it's not going anywhere, for
organizations that need it. Yeah, yeah, that is the narrative that I keep hearing as well, which is there are always going to be organizations that need to have Config Manager, there are going to be organizations that can run Intune by itself, but it comes down to what works best for your organization and taking the time to understand that scenario. Yeah, co-management is a destination. Yes. Oh, stop that. But the other, I guess, the other important piece here, to piggyback on what Steve's saying, is: it's not "go and stand up Config Manager if you are a cloud company". I want to say it's transitional, but it's not necessarily transitional. So even if you don't ever plan to move your infrastructure fully to the cloud and you say we're going to have Active Directory forever, we're going to have on-prem forever, well, great, cool, keep Config Manager around, because it adds a ton of extra value, but then also attach it to the cloud, because there's a bunch of extra new value added there as well. So the better together, you get the best of both worlds. If you're Intune only, you're not going to get some of the features that you get with Config Manager, but you don't need to add Config Manager in your cloud-only environment in order to just get these new features from Config Manager. I mean, you could, but that's not the message, it's for a cyberware. That's correct, that's correct.

Cool. So talking about the architecture, I've already demonstrated it, to make it really, really simple: when a device is completely managed by Intune and has the trust only with Azure Active Directory, then it is cloud managed. On-prem is traditional AD and Config Manager, but again, in a co-managed scenario the device is managed by Intune and Config Manager at the same time. Now I do want to bring up a very important topic here, a question that I get asked over and over: does the device
have to be hybrid Azure AD joined? Is hybrid Azure AD join co-management, right? So a lot of times I hear, while working with customers, that they say we have already done half of the co-management because hybrid Azure AD join is deployed, and I say that's not true, because it is co-management; management is the word that we are talking about, it's not the identity piece. So a device may or may not be managed by on-prem Active Directory and Azure Active Directory at the same time; as long as the device has the Config Manager agent and is enrolled into Intune, the device would be considered co-managed. Now, this animation and this slide that I'm presenting says yes, the device has to be AD joined and Azure Active Directory joined. That is correct for your existing devices which are currently domain joined: yes, you have to have the devices hybrid Azure AD joined to go into the co-managed state. But if there are new devices, you can just have them Azure AD joined and still be co-managed. Again, the point that I'm trying to make is, it is the management part when we talk about co-management; as long as the device is managed by Config Manager and Intune at the same time, the device would be considered co-managed, regardless of the identity state of the device.

Now, one thing to bring up in that scenario: if you're doing the cloud only, is a CMG, or cloud management gateway, required to still manage that via Config Manager? Now, CMG is not at all required for co-management. The only thing that CMG does is extend the physical management vicinity of Config Manager and take it across the internet; that's what it does. But from the co-management perspective, CMG is not required. Does it give additional value or benefit? Yes, it does. Is it a requirement? The answer is no, it is not a requirement. So two things, thanks Jake for bringing that up: one is, the device doesn't have to be hybrid Azure AD joined, especially for new devices, right, the device can be Azure
AD joined only and still be co-managed; second, a CMG is not required to deploy co-management. Okay. Adam, did you have a question? No, I think you just kind of clarified it; it was the identity clarification there. The device is joined to AD or Azure AD, and the hybrid is it's joined to both, but then in both scenarios you have to still manage the device identity, the device itself, and so you're managing it either with Config Manager or with Intune, or with co-management, you know, with both together. So it's the same; so co-management is kind of like hybrid management, but I'm sorry, we didn't go with hybrid management because we just need another hybrid word out there, right, and add some more confusion.

Okay, so this is another slide that I talked about. So when a device is co-managed, what exactly does it really mean, right? So I'm going to talk about some immediate value that organizations get as soon as they enable co-management on their existing infrastructure, Config Manager. That's what Microsoft leads with, saying hey, you do not have to change any of your processes right now, but if you take your Config Manager and attach it to Intune and co-manage your devices, you're going to get extra capabilities. Again, you currently get 10 capabilities with your Config Manager solution, that's fine, and you're going to get three extra capabilities and that will be 13, just taking random numbers for example. That's one step. The second step is we talk about the workloads, right, and there are seven workloads, as you can see: there are two app related workloads and there are five policy workloads. So that's the second step of co-management, when organizations can cherry-pick these workloads and decide to either keep them with Config Manager or move them gradually to Intune. Now again, they do not have to do that. Just enabling co-management is going to give them extra capabilities, just going to add additional
capabilities to their existing solution. It's only if they find that there are workloads that they can move into Intune, to the cloud, and save time, save money, that they can choose to do it. Now I'll give you an example. So I was presenting co-management to one of the banks here in Australia, and I was speaking to them and said hey, look, co-management is going to give you these capabilities, and you do these processes, and once you enable co-management you can take any of the Windows 10 devices and wipe it when a user leaves the organization or the device is stolen, which you currently cannot do with Config Manager. Even if you deploy CMG, yes, you can deploy policies and scripts remotely, but you still can't just right-click and say I want to wipe this device. And that's when their eyes opened: hey, the management said, can we not do it today? I said no, Config Manager does not give you that capability. So that's what I'm talking about: there are immediate values that you get with taking your Config Manager capability and Intune enrollment and attaching it to Intune, and at a later stage you can think about moving the workloads. So it doesn't have to be about workloads; co-management is not just about workloads, it's additional value that you get right as soon as you enable co-management.

And Ravi, I'd like to give, you know, another example here, because I've talked about this several times on the channel: we're in the process of doing this now, migrating to Intune from on-prem, and we've had co-management enabled for probably two years now, but we just ticked the box to say enable co-management, and the immediate value is all of our devices are in Intune and that gives us those functions that are available within Intune, so we get all the cloud management pieces available. We haven't moved any of the workloads; we can still do all these other things, we can do the sync things, and you'll
demo, I'm sure you'll demo through those things, so I don't want to, you know, spoil that. But so we get immediate value, but then it's giving us time to now work through it. So like our immediate focus is working on policies, so we're trying to migrate all of our group policies, or replace or rationalize our group policy settings and config, into Intune so that we can move that workload. But what's great, what I love about it, is that there are things that we can't move, like some of the group policies just aren't going to work, like group policy preferences or some other legacy things that we still require. Great, we can kill off all the stuff that can move, but then we can still get both: we can get group policy and we can get Intune policy, all from, you know... Group policies, shut your face. I'm almost with Steve on this one, for once. It's a process, it's a migration, we are getting there, and so it lets us take baby steps with the ultimate end goal of no group policies, but there's an interim need here where, sorry, the business says we still need these things, and so we can't get away from them right now. But we can get 90% there, so let's do it, and I love it.

Yeah, yeah, that's correct, that's correct. So the wiping part, that Intune capability gives you without changing anything, is one thing, and Adam, like you said, the other thing that I bring up with customers in the discussion is conditional access. I say, there is DCM, oh sorry, that just shows how long I've been working with Config Manager, there are compliance policy settings that you can create and mark a device compliant or non-compliant in Config Manager, but Config Manager does not have a built-in bridge, a connection, with the cloud Microsoft solutions like Office 365, SharePoint and other ones, right? And with conditional access that you can get after you enable co-management, yes, you get these extra capabilities, but also, without moving the workloads, you can
start enabling conditional access and prompt for two-factor authentication, or only allow the access if the device is in a specific location, so those kinds of things. And then yes, there are workloads, and Adam, like you said, it can be a gradual move, so we're going to talk about this.

Okay, so one thing: if you're a customer organization, you're currently sitting in Config Manager and you want to move to co-management, you want to know, how exactly am I ready for co-management? So this just gives you whether you're ready or not ready for co-management. You have to have Azure Active Directory. I just want to bring up that Intune trusts Azure Active Directory; Intune does not trust on-prem AD. So you have to have Azure Active Directory, you have to ensure that the users are synced up into your Azure Active Directory; without that it's not going to work. You also have to ensure that the devices, the users, have their licenses. Now on that, I do want to also say there are two kinds of license. I'm not going to go deep into licenses, because that's a very complicated topic and it could be very different for one organization, completely different from other organizations, just because of the way agreements work between organizations and Microsoft. But in general, there are user licenses and device licenses. For most organizations, if they have a Config Manager CAL license, the devices can be enrolled into Intune without any Intune license. Okay, I would just say that it's only for Windows devices: if they have a Config Manager CAL license, Windows devices can be enrolled into Intune for co-management only, without any additional Intune licenses. Okay, it's all very well documented everywhere. Yeah. So that's another thing: Azure Active Directory, make sure the users are synced, there are licenses if you do need them, and then there is an Azure Active Directory specific setting, that is auto
enrollment, you have to have that enabled; you have to make sure that's enabled. From the Config Manager side, it's super simple; pretty much all organizations should be well above the 1710 version of Config Manager. Onboarding to AAD, the setup that you need to do, we're going to talk about that when we do live demos. And then back to Jake's point, do I need a CMG? This is where it is optional; you can set up internet-facing clients, which is cloud management gateway, but you don't have to have it. So when we get to the demo piece I'd like to revisit that and discuss limitations if you choose not to have the CMG, as we get there. So yes, Adam, that would be very nice; bring up as many questions as you can, because it's not a new topic, co-management or CMG is not a new topic anymore, they have been there for some time, but I still get questions, there's still confusion: what if I don't enable CMG, what's going to happen, what will I lose on the Intune side? All the organizations are hybrid; it's a very old concept, it's an old slide, so I'm not going to talk about it, but all the Intune tenants are standalone only, and licenses, there has to be an Intune license if required. Windows client, you have to have a 1709 build of Windows 10 or above, so that's easy. So once that's done, when you check the boxes, which are pretty much simple ones, what exactly do you need? Oh, so there's one thing I didn't talk about: set up hybrid Azure AD. That's where I see some organizations are not ready, right? I'm going to talk about this, but your existing domain joined clients need to be hybrid Azure AD joined, and that ties back to something that I said earlier: that Intune trusts Azure Active Directory, it does not trust your on-prem AD. What it means is, when you enable co-management on devices, right, that's when the device needs to go and speak to Intune and say hey... it all happens at the back end, the user doesn't do anything, it's all silent. So you enable the
policy in Config Manager, Config Manager sends the policy to the devices, not the users, the devices, and the device gets the policy and says okay, now I'm going to go ahead and enroll myself into Intune, and this is the information of the Intune tenant. The device reaches out to Intune silently at the back end, and Intune says okay, you want to enroll into this tenant, that's fine; I trust Azure Active Directory, can you give me a token from Azure Active Directory? If Azure Active Directory can give you a token, I will allow you to enroll. And that's when the device takes a redirection and goes to Azure Active Directory and says I need a token. Now, if a device is hybrid Azure AD joined, there is a trust relation between Azure Active Directory and the device; the device gets a token, which is presented back to Intune, and boom, silently Intune enrollment happens, no reboots required. But if a device is not hybrid Azure AD joined, obviously the device cannot get a token from Azure Active Directory and the Intune enrollment will fail.

Okay, so let me... oh, it used to, Microsoft made some changes. The change was that a device would reach out to Intune, and then go and not be able to present the token and fail for enrollment. Now think about that scenario: let's say there are a hundred thousand devices, it's a large organization, a hundred thousand devices, somebody goes ahead and enables co-management without enabling hybrid Azure AD join. What it means is these hundred thousand devices are going to go to Intune and fail enrollment, and the way it was designed is it's going to keep on trying every 15 minutes. It's going to really hit your Intune tenant hard, yeah. Right, I don't see any problems with that at all; you're going to see a lot of red, you'll see a lot of red in your graphs and Config Manager compliance. You know the best thing about that, though, is I'm not getting all the alerts on my Config Manager server. Yes, you're not. So
that's a very bad design, which Microsoft did realize pretty early on in testing, and then it was changed. What was changed was that there were extra logics added to the client. What it means is, once the Config Manager server sends a policy to the device, the device says okay, I'm going to go ahead and enroll into Intune, but before that let me check if the prerequisites are met: am I hybrid Azure AD joined, or am I Azure AD joined, can I get a token from Azure Active Directory? Only if I can get a token from Azure Active Directory would I even try to reach Intune; if I cannot get a token from Azure Active Directory, I would not even try. So what's going to happen is you can go ahead and very well enable co-management on 100,000 devices; all the hundred thousand devices will get the policy, but they will never try to hit and reach Intune, because it is going to fail. So yay, no DDoS. Sorry, correct, DDoS of Intune from 100,000 devices trying to send a message every 15 minutes. I couldn't see any problem right there at all with a service that's based in the cloud, no, nothing at all. I wonder if that actually happened. Yeah. [Laughter] You may get a call: hey, you know, I noticed that you set this but you didn't do this.

So I'll interject as well. I'm going to see if we can put this link in the description at this marker, but we covered how to set up Azure AD Connect in a previous video, so that's basically what you're going to do: you're going to set up Azure AD Connect, a couple other little pieces, and you should be good to go. Cool, good. So I hope that clears up why you need to set up hybrid Azure AD join, or the device needs to be at least Azure AD joined. Okay, cool. So once existing devices... correct, correct, that's only for existing devices; if you have new devices, I would suggest them to only do Azure AD join, you do not need hybrid Azure AD join. Yeah, because then what happens is from that side Intune registers, and then you can get a
package sent out to the client for the trust. Correct, correct, perfect. Just wanting to look at that clarification for everybody, to 100% confirm: hybrid AAD is not a mandatory requirement, you can run it with just AAD. Correct. Yeah, thanks, that was a very important point, Steve, so not a problem at all.

Yeah, so if you have met all the prerequisites, how do you really enable it? It's very simple. The first thing that I want to bring up is you do not need to set up any other server; there's no extra additional infrastructure requirement, right? So you don't have to go and talk to the infrastructure team to have an extra server, or from the network perspective as well, you don't have to go and speak to your network team and say you need to open extra ports. None of those are required; it's only the outbound ports, the connections are going back to Azure Active Directory and the Intune tenant, so it should be simple. Not knowing what's required, just out of interest, for organizations that have limited internet connection from their Config Manager server outbound, what ports would we be looking at? Is it just 443 to a set list of IP addresses or host names? That is correct. Actually, there are some 80 as well, but mostly 443, and they all go to Azure directly and management. Yeah, and we'll add a link below for everybody that needs that.

Cool. So you go into the administration console, oh sorry, the Administration workspace in the Config Manager console, go to Cloud Services, pick cloud management... either you right-click on Cloud Management, sorry, Co-management, that you can see in the screenshot, or on the left and top you're going to see Co-management, Create. Once you do that you see a wizard, and this is what enables co-management. Now I do want to bring up another thing: there are two sides of enabling co-management, there's one on the server side, there's another on the client
side. This is the server side. To start the wizard, traditional Microsoft pages, next, next, and put in the information. So the first thing it's going to ask you is to sign in. When you sign in, this is where it goes and speaks to Azure Active Directory and then goes back to Intune. I do want to bring up some experiences. The first thing, you need to log in with... okay, I'm going to go into technical details, not just what's in the document now, okay? Perfect, no, that's what we want on this channel, this is the interesting stuff. So in all my testing, okay, all right, so probably about eight to ten or twelve months ago, if you would go back and look at the history of the documentation, like Microsoft Docs, and you look at the co-management docs, the docs, if you still somewhere have it, said that you need to be an Intune administrator. It did not say you need to be a global administrator to be able to enable co-management. Okay, well, you need to be a global admin because it registers an application into AAD. Okay, correct, sorry to steal your thunder. And so it used to be that you only needed to be an Intune administrator, and when you enabled co-management it used to only enable co-management; we didn't have tenant attach back then, we did not need an application. If we did not need an application, we do not need to create an Azure AD application, we do not need to be global admin, and co-management would work just fine. So you needed to be, first, an Intune administrator; second, if you are an Intune administrator, you have to have an Intune license assigned to it. That I've seen fail a lot of times; I've got customers calling me, some other peers in organizations, like my friends who were enabling co-management, would directly give me a call saying hey, it's failing, and I would just ask them, do you have an Intune license assigned to the account? And a lot of times they wouldn't, on your admin account, because why would you need an Intune license on your
admin account, other than maybe you want to do MFA, maybe you want to do device management or conditional access. Yes. Okay, so that was what the document used to say. Now, today, the wizard that I'm talking about does two things: it not only enables co-management but also enables tenant attach. Now tenant attach actually needs an application registered in Azure Active Directory, and the only account that can register an application is a global administrator. So because, from Microsoft's perspective, they are just two parts of the same solution, cloud attach, they updated the document and said that the account needs to be a global administrator now. So if you are using a global administrator, another thing is you probably do not need an Intune license anymore. Oh, that's changed, that's interesting. So yeah, if you use a global administrator you can log in and manage Intune without any Intune license, but if you are anything other than a global administrator, like if you want to create an Intune administrator account, even for the user to be able to log into the portal and manage it, they still need an Intune license; but a global administrator does not need an Intune license, or any license for that matter. So again, you do need a global admin now if you're enabling co-management and tenant attach at the same time, and I would just go with what the document says: yes, you need to be a global administrator. Okay, so that's on the server side. You go next, next, and we're going to try and do this live as well. About eight clicks, if I remember right. So here's the thing, an interesting story, another one. I was helping one of the customers here in Sydney, they're based in Sydney, they're a very large education customer, and they wanted to enable it, and the document, sorry, the blog from Microsoft said that it only needs four clicks. Right, the customer counted it, it was about 21 clicks, but it was literally
counting, like 26. Yeah, it could be, I could be wrong. At MMS 2019 we counted and it was about eight, so we obviously were counting different things, I guess. Yeah, I think it's just the way you count it, right? Right-clicking is a click, then clicking on co-management is a click, then signing in is another click, putting in the password. I think it's the wizard that's eight clicks. Yes. Okay, yeah, I think you just count the main clicks, you know. Yeah, those are the secondary clicks. Yeah, so see, the trick is what you do is you turn on Problem Steps Recorder and let it decide what a click is and go for it. Yeah. Okay, cool. So it's super simple to enable co-management on the server side; there are not many requirements. You literally just run this wizard, sign in with the right account, and go next, next, and we're going to do this demo. That's the easy part. Now the second part is, like you said, that client has to be enrolled into Intune as well to be able to be considered co-managed. So there are two parts that you can think of. There could be existing devices, so if you have, again, a hundred thousand devices, if you're a large organization, you have to think about how to take those devices and co-manage them; but also there are new devices. So for the existing devices, this is where you're going to start: Config Manager agent already installed, AD domain joined; the first one, because of the reasons that we talked about, because of the flow of how it works, the device has to be hybrid Azure AD joined. Existing devices only, back to Stephen's point, it's not new devices. And then you enable co-management, and from Config Manager (again, we're going to do a demo) it sends policies, the device gets enrolled into Intune, and this is the state that it comes into. Now for modern provisioning you start with Autopilot. You don't have to start with the task sequence and PXE boot; just start with Autopilot. Yeah, no task sequences. One more thing, I want to correct the slide here: now you don't have to be Azure... I'm sorry, I was
going to say, you have AD domain joined for modern provisioning; I'm like, are you doing hybrid AAD join during Autopilot? So I actually created this for one of the other customers and they had the requirement of a hybrid Azure AD join, so I said okay. You don't need that; please do AAD join if at all possible, and it would be possible, if you tested it, for a lot of customers, for a lot of cases, but you could end up with the same magic in Intune. Yep. Quick one, Ravi, just to go down that rabbit hole: given the experiences that you've had with customers and organizations, what are the typical reasons why customers can't go AAD join only? Now, it's because they think they can't. Oh no, I'm talking about misunderstanding; I understand the misconceptions, but is there any technical reason why? For me, when I have that conversation, my conversation goes along the lines of: do you have applications that need device-level authentication? If you don't need device-level authentication for any of your applications, you don't need hybrid AAD join. But is there anything else we should be having that conversation with customers about, when we have that conversation of getting rid of hybrid AAD join? So there are basically two. One is what you said, and I'm actually working with a very large airline customer here in Australia, and from their perspective they have too many apps that currently do LDAP queries through on-prem AD, and I said for the most part they should work, and they were like okay. Just a second, oops, all right, pressed the wrong button. It's okay. Cool. They have too many apps that do machine-level authentication to on-prem AD, and there's LDAP query, so okay, that's one reason, exactly what you said, and I said still test it; they're working on testing these applications. Another is the security reason: they believe that the group policies that they have created and have had tested a long time ago,
which provided them with the security, they want to still apply via group policy, which shouldn't be the case. But apart from that, from my testing and my work with organizations, all the user-level authentication just works seamlessly, just having the user account synced into Azure Active Directory. You don't have to do device writeback or password writeback, any of those. Nice, yeah, cool, that's awesome. So how exactly do you do that? This is what you would get after co-management is enabled on the Config Manager side. So you don't have to, again, do a big bang and enroll a hundred thousand devices; you can very well create a collection of 50 devices of IT users, 100 devices of IT users, and only auto-enroll these devices. Now, what this is going to do: it's going to create a Config Manager baseline and send it to these devices. Now there's just one thing I want to bring up, another thing that I've found. So the large customer that I was talking about, that I was working with, based in Sydney: we enabled it, and we enabled auto-enrollment only for a subset of devices, probably about 40 or so, and I got a call the very next day that they actually have 700,000 devices all together, and all of those 700,000 devices had received this co-management baseline, and they really, really freaked out. Hang on, it's fine. There are two baselines that would be created once you enable co-management, once you run the wizard: one would be called pilot and one would be called prod. Now prod by default is disabled, as long as you configure this to be pilot, right? The prod one is deployed to every device but is in the disabled state. The other one, which is the pilot auto-enroll, will get deployed in the enabled state to only the 40 devices. So please do not freak out if you see a production co-management setting deployed to all the devices; it would be in the disabled state.
Another thing that I want to bring up here is that these baselines, the configuration baselines that would be created, are hidden in the console. Yes, you can go into the SQL database, and if you want to really see these baselines you can see those baselines, but these are hidden and you cannot see them in the console once these baselines get created. Again, back to the point, right: there are 100,000 devices, the customer is happy with the initial fifty, hundred, thousand device testing, they want to do it for a hundred thousand. If they change co-management from pilot, they drop down and say "all", this is where production is going to get enabled and is going to roll out to the rest of the 99,000 devices, and we do not want the 99,000 devices to enable or hit the tenant at the same time. So what's done at the back end? It's not my server that I'm going to kill. Yeah, it's going to be Microsoft's tenant. But you would kill it, you would kill it; at least the customer that I was working with, 700,000, we would definitely see an impact in the tenant. Oh, Microsoft would definitely see it. Okay, so what exactly happens? The baseline runs and creates a scheduled task in Task Scheduler, which runs and handles the device, but it is already randomized. So it's randomized in the sense that in the next 24 hours it's going to run, so even if you enable it for 100,000 devices it's going to be fine. Try to do a phased approach, but if you have to do it, it's still going to be fine. I just want to understand, we have applications from the 1920s? Okay, so this is about troubleshooting, log IDs. Steve, come on. Yeah, I know, but it's funny. Yeah, so I do have applications; Microsoft actually creates applications from 1920.
So this is what happens once you enable it. Okay, I get questions: how do I monitor this? We can't talk about Config Manager without talking about logs. What is the log with which I monitor it? Yes, there are logs; there's actually a log called CoManagementHandler.log which is going to give you details, but the better way is Intune itself. Troubleshooting and monitoring of Intune: Intune does not have a physical log that it creates for the MDM agent. Yes, there are other physical logs that are created in some directories for app installation, but for the Intune MDM agent functionalities, the operations go into Event Viewer, and I'll share that with you. This gives you exactly how you can troubleshoot it: the 90s, that is 91, 92, 97, 98, these are enrollment success or failure. So if you're troubleshooting enrollment, filter it for the 90s; if you want to do app installation troubleshooting, look for 1920, 1928; those 200s and 400s are just normal operation of policy sync and other ones. So this is what it was. Yes, Jake, it is Event Viewer. Okay, so behind the scenes, what happens: I've already talked about the randomization, talked about the pilot and production baselines. This is just for information on where exactly the information goes, in WMI and the registry, the log that you're going to use, and the Event Viewer location that you're going to need to troubleshoot and monitor the information. So once it happens, what does the user see? The user doesn't see anything: there's no reboot, there's no extra agent installation, there's no interruption, there's no user notification. However, if a user goes into Accounts (this is again a screenshot from one of the Ignite sessions) the device would be joined and there would be an Info button. Once there is an Info button, what happens on the cloud console? So the admin logs into the cloud console and sees the devices that are co-managed, and once they
click on any of the co-managed devices, yes, you get to see extra information. You can retire the device, you can wipe the device. What it means is the capability that Config Manager doesn't give you, of saying I want to retire, which is wipe company data, or I want to entirely reset, with just two clicks: Reset, Yes, and then it does it. You can see the Config Manager agent health: every 24 hours the MDM agent is going to go and check if the Config Manager agent is healthy, and it's going to take that and put that information in the Intune console. So you start getting these capabilities without making any process changes on the Config Manager side. Now, just one point about those, the Wipe and Reset and Restart and all those buttons. The idea here is that if you're using those, you're hopefully also using Autopilot for modern provisioning, because otherwise if you hit Wipe on a co-managed device it just ends up in the user's hands sitting at the Windows OOBE screen. Great for stopping. Awesome, yeah. And it's ready to be re-provisioned. Now, I say you should be using Autopilot, that's the simplest way, but it's still going to be a corporate device, and so technically the user could, if they have an Intune license, log in with their business credentials at OOBE and have it joined back into the business network. So what you're saying is, be careful there; this is a good way to move from being hybrid AD joined to AAD joined. Yeah, it is just a few finger slips. Whoops, I hit these buttons here. Oh no, a PowerShell script, I just did that to every machine in the environment. Yeah, randomly. Yeah, so basically don't go clicking these buttons unless you have a plan for what happens afterwards, and don't just hit the Delete button if the computer still exists, because it causes issues with your hybrid identity if it's hybrid joined, and/or it causes issues with AAD, and it takes about two days for you to realize that you don't have a token. From
experience with sending down that command, how does it get sent to that device? Is it via the IME, the Intune Management Extension, or how else does it actually get down to the device? So the Intune Management Extension is only used for app-level actions: if you want to deploy an app, you want to update an app, that's when the Intune Management Extension comes in. Another thing is the Intune Management Extension is designed to come back and communicate with Intune every one hour, which is separate to the agent itself. So what it means is, when Windows as an operating system gets installed, it has an MDM agent built into it; that's not the Intune Management Extension, but that is scheduled, once enrolled, to come back to Intune and communicate every eight hours. Only and only if you deploy a PowerShell script or an application would Intune go ahead and deploy the Intune Management Extension, and then the Management Extension will pull the policy every one hour. Now these policies would use the Windows Push Notification Service. Yes, push notification service. So you click on Wipe, it goes to the push notification service, the push notification reaches out to the device, then the device says "hey, there is something new for me" and comes back to Intune, and Intune says "you need to run a reset" or any of it. So it's pretty quick, I would say, for the most part. In my lab I've seen the actions coming out to the device within a minute, less than a minute, in some cases a couple of minutes, but it has never been five minutes. And I don't go to Accounts and go to Settings and run a sync; no, I don't need to do any of it. So it's separate to the Management Extension. Okay, good to keep on going. Yeah, cool. So, client workloads. Now before I actually start talking about client workloads, I think we've been spending a lot of time on the deck, right? That's actually... yay, demos! All right, updates. Oh no, you can't have computers without updates. Okay, cool. So I've
got Config Manager; this is my Config Manager environment. I go into Administration. The first thing I want to show you is co-management, so this is where co-management is. If the environment is not already co-managed, this is where you right-click and configure co-management. Let's see, if you do get time, I think it wouldn't be a bad idea to do a count of how many clicks it takes, later, like at the end of the video, to enable co-management. Put in the comments below how many clicks it takes. Oh yeah, good. Yeah, and put next to that how many licks it takes to get to the Tootsie Roll center of a Tootsie Pop. [Laughter] Okay, cool. So as you can see, in my lab it's already enabled. I go into co-management, go to Properties, and this is where I see the settings that I have already enabled. Now, all these things... Ravi, while you're opening up Properties: when we've gone in and enabled it, when we've gone through the whole process, enabled it and everything like that, does it take time, once we hit Enable and finish the wizard, before you can actually start using the co-management environment? So you can start using the co-management environment right away; you don't have to wait. You can literally just give it probably 30 seconds or a minute, just for logs and processes, but literally there's no delay. However, just bear in mind the only time you can think about workloads, or anything else that you can think of, is when the devices are enrolled into Intune, which can take some time. Yep. So you run the wizard, you decide if it's going to be All, Pilot or None, and the devices in this pilot collection (in my case the Pilot collection) need to go back and hit Intune and get enrolled; only then will the changes take effect. What it means is you can take a workload and you can say I want to move the workload from Config Manager to Pilot or Intune; yes, you can do that, but the only time a device would know about it is
when they are enrolled into Intune. So I would say the console is ready right away, but are the devices ready? No, just give them a day, a day's time. Also, another thing to point out while you're on the screen: if you get to the screen and all you've done is set up co-management and you have not set up a cloud management gateway, you will not see the items in that lower box. Oh yes, that's it. The setting is just the outcome of the options that you chose in the wizard. Once it is enabled, then you can come up, go to Properties; by default the workloads will be like this, and that's what I recommend when you enable it: don't go ahead and change the workloads, just keep them there, make sure the wizard is finished properly and there are no issues, and you can always come back and change the workloads, which is going to be a later stage anyway. I also recommend pre-creating these collections before even running the wizard, so call them Co-management Compliance Policies Pilot and so forth and so on, and then have a pilot collection ready as well. So this is what is going to create those baselines that I was talking about. Now those baselines are created, yeah, but if I go into Assets and Compliance and go into compliance policies and look for baselines, I wouldn't see those baselines; they are hidden, or even if they are visible they're going to be read-only. What it means is if you're going to go into Properties (it's taking much, much longer than I would expect for some reason) but yeah, they're going to be greyed out and you can't see them. So let me click out of it... and my console is frozen. I'll close it out and come back, and let's try this one more time. See, that would never happen if you're just doing Intune. Correct, that is correct. Yeah, and I also have to shut down my machine every night because it's hosted in Azure, which you would never have to do if it isn't here; it's going to run every time, 24/7.
That sounds expensive. Yeah, talking about expensive: cloud is something that never stops, always running, and never stops billing as well. Yeah, and if you've ever had to go and pay for an E5 license, we understand. Okay, cool. So it did work when I closed and opened it. Good. So I can go into Configuration Baselines and I do not see a baseline that says co-management production or pilot; there is something else that I've created, but no, the hidden ones, nothing. If I go into Configuration Items as well, there are no items, but if I go into SQL I can bring it up; it's going to be too much, for the sake of fun, but probably not right now. What I want to say is, yes, these things happen at the back end after you enable it, run through the wizard and create it, and they are there. Now let's have a look at the device. I actually provisioned a device just for this demo for today's session. Okay, yep, so that's the demo, and you can see the device name is Windows 10 hyphen domain join 2, DJ2; I just kept it. If I go into Control Panel I see the Config Manager client is already installed and it's using a certificate. It is not co-managed, right; it's currently intranet. Oh, and just to point that out while you're there, you mentioned this earlier: that first page shows what you're showing here as well, so you get the co-management settings prod, and the client says co-management capabilities 1, but it's disabled. So that's expected behavior for every device in your enterprise the moment you enable co-management, or within 24 hours of enabling co-management, right? That is correct, and this is exactly what my customer freaked out about, saying "hey, you said no setting is going to go to production, but I see every device has this prod setting", enabled to Config Manager, setting prod, and that's as expected. While we're here, this is Desktop Analytics; because I have Desktop Analytics enabled, if you ever see M365A settings,
that's because you have Desktop Analytics enabled. Oh, but that's something else. What I'm going to do is take that machine, Win10-DJ2, and find it in the console. Go to Assets and Compliance, Device Collections, [Music] All Systems, and I should see Win10-DJ2. Okay, now I can see that this device is active, logged in. If I say co-management it should say No, so you can see this device is not co-managed. The Config Manager console will show you the information. If I go back into Administration, go into Cloud Services, you're going to see that it is enabled for a co-management pilot collection, and the device is not part of the co-management pilot collection. What we're going to do is add the device Win10-DJ2 to this pilot collection, which is... sorry, go into Assets and Compliance, go into Device Collections, cloud collections, I think it's over here, probably not, co-management, there, right there. Yeah, so if I open this up I would not see Win10-DJ2, which is as expected. I'm going to right-click, or actually I click Add, select Existing Device Collection, say OK, and [Music] it sees it, it's refreshing and should say nine very soon. So yes, okay, there it is, it shows us nine now. What it means is it's going to get the policies. Now let's play with Config Manager at this time, so I'm pretty sure you guys have already seen this many times. So it's a machine-level policy. If there is no policy (I should have shown it, it would have been a good demo) the last time the machine pulled the policy there were zero policy assignments. As you can see there are delta policies, and normally there are three lines of entry in the log, but this time when I pull machine policy you're going to see that it actually has new policies. The Configurations tab, which does not have the auto-enrollment setting baseline, will have the auto-enrollment setting baseline. Say Run, and see these few lines of log, which itself says
it did receive something new. So actually it received three new assignments, as you can see; it gives you the assignment ID and the version number. We're not going to go into details, but it shows you that it's downloading and it's applying, and so the log itself just shows that it definitely received something from the Config Manager MP. If I go back in here, just to be on the safer side, and open the Config Manager control panel applet, come up here, and you can see there is the pilot auto-enroll now; this is what it just read. Yep, and if we go to the General tab I see that it's now 255 instead of 1. Okay, correct. Now the reason why it is 255 is... okay, we're going into asking. [Laughter] It's just calling out that this has now changed. There is a great blog by Ben Whitmore that we can link you to; I believe he's got probably the most comprehensive one, where he lays out what number will show up there depending on which workloads you have enabled. It was pretty comprehensive. So I used to have that in my slide, but I thought that's just showing off. [Applause] I think a lot of folks like to see it. No, I think it's okay, it's value add. And maybe the docs even have it published; if they don't, maybe we should ask Aaron. Request it and add it yourself. Yes, it's going to be a little less labor intensive that way. Yeah, so since we're talking about it, every workload has a number in the database, and again you can see those numbers assigned to the workload in the database. What it means is when you take the slider and move it over, it increases the number, adds the number, and shows you 255 as the maximum. What it literally means is every workload is moved from Intune to Config Manager, which is the case in my lab, and that's why you see 255. You could see something else; you could see 64,
you could see 128; there are different numbers, and based on the workloads that you have enabled they're going to add it up and show up. Okay, so one more thing, quickly: it not only did that, it also went ahead and got co-managed. Now it did it super quick because this device was co-managed early on, and there are no other devices which are waiting for co-management in my lab, so it's much, much quicker, but when you enable it on a much larger number of devices you're going to see throttling. Okay, so where do you see it? There are two places you would go. First is CoManagementHandler.log. You're going to see that it's going to show you information: before it got the policies it says "co-management is disabled but expected to be enabled". You're going to see that pretty much every time; this is what comes up the first time it receives the policy, the first time it gets the baseline. It says it has received the policy, which means it's expected to be enabled, but currently it's disabled. Then eventually it comes up here and says "enrolling device with the AAD device credential", so you can see it is the device credential, not the user credential. So it first uses the device credential; if it fails, then it can go to the user credential as well. And then "MDM enrollment succeeded". So that's good. Now the same information would also be available in Event Viewer, so if you're going into Event Viewer... let me go back to Steve. Steve, do you remember what event ID we would see, or at least the range? The 90s. The 90s were enrollment, 200s and 400s were status and general operational, and 1920s for applications. Or we could just say the 90s were the grunge era and the 20s were the flappers. Is that it, was it the 20s or 30s for that? Yeah, 20s for flappers, there you go. Okay, so I'll bring up something else, right, this is how I remembered it. There are just too many directories in here, and initially it's like, I don't know where Intune is. It's the longest without
reading, exactly. Some jerk engineer is going to screw this up for us one day and make one longer. Yes, yeah. Okay, cool. So you can see there are 300s, 400s, something; like I said, I normally don't look at it when I'm doing something, but I always come back and look for 90-something. So it should have... let me have a look at the time. So there are some new events as well already. Okay, so time-based, it should be a couple of minutes ago, so it's still 24 and 24. I think the reason why we see so much information is because every time the device gets enrolled, for the first six minutes or so it runs things every two minutes, and that's why you just keep on seeing so many entries, but once it's settled... let me see, come on, maybe somewhere. So you can see 19-something already, so that's application installation; so yeah, it's installing something as well. It should be right over here. So it says auto-enrollment, very cool. [Music] So this will say succeeded. So 97 is failure, yeah; this is what it says, it's doing the enrollment, and then 72 says okay, it succeeded. After that it started doing lots of... yeah. So, sorry, sorry Ravi, just to take a little bit of attention: this is standard for any Intune enrollment, you'd see those 72, 75, 91 messages, correct, even if it's not using the co-management connection? You're right, this has got nothing to do with co-management. It is initiated from Config Manager, it is going to be co-managed, but this is just the normal Intune process, how it works. Awesome. So you can see that once it is enrolled it started doing lots of 200s and 400s, right; it just continuously pulls those policies and applies those policies. Similar to the policy agent: the first time you install the Config Manager agent on a device you see heaps and heaps of information in PolicyAgent.log, just pulling those policies, like sometimes hundreds of policies, and once it's done you start seeing... 91. You have to remember this, but yeah, remember the range,
and once you remember the range, these are just like the names of the logs. So when I talk about Config Manager I know every log and what it does, right, just from working with it for so long. But yes, I do forget how to add a machine to a collection sometimes, but I do remember the name of the log. Similarly, the way I see Event Viewer, the ranges are the names of the logs. So once you know what you're trying to find, just remember the range that you're going to look for and it's going to be super easy; it's not going to be overwhelming for you to see those when you just see these as the names of the logs and you know what information to expect in them. And that's how I do it. Okay, cool. So this says that it is doing a lot of activity; that's expected, for two reasons. One is I've got all the workloads moved over to Intune, so all the policies that I have in Intune are just going to start coming onto this device and it's going to stay busy. And the device, if I go into Accounts this time, Access work or school, there is an Info button. The only time you will see the Info button over here is when the device is enrolled into Intune; if it is not, you would see just a Disconnect button. Once you click on the Info button, in Settings and Accounts, you do see the policies that it is getting from Intune. So this is all the policies, and again remember, it's a lot of policies, because pretty much every workload is moved into Intune. Nice. Okay, cool. And I can do Sync and I can Create report; I'm not going to go into that. So that's how you enable co-management, that's how you add the device to the co-management collection, and what happens at the back end gives you an idea. Now once it is done, what exactly would you want to do? Because you already started getting the benefits of co-management, as in you can retire, wipe, reboot and rename from the Intune console now. But what's next? So let's go back to the deck. Yeah, come on, go
back. I said scripts get included in that as well, is that correct? Yes, yes, scripts get included as well. Now I speak to a lot of customers, and they say okay, we want to move workloads. They ask me, which workload should I move? All of them! Yeah, but they're like, everything is working for me, which workload should I move? Yes, you're right, you're right. So I worked with one of the mining customers, they're based in Perth. They started with co-management. The very nice next thing, which was very logical as well, that they adopted was Autopilot: not having to create and manage those images and gold images. They're very happy; they're only using Autopilot to provision all the devices. Yeah. And then they came back to me: what next? They're super excited; they're really good customers. The architect over there is like, I want to test more; he's always hungry, which is great, like, I want to do more. I said okay, let's do cloud only. No, that was too much; I wish it was that simple. But he wanted to do the Windows Update for Business policy. So we worked through and gradually moved from the on-prem software update point, and patching every month, creating update groups, sending update groups to devices, downloading binaries and sending them to distribution points; it was taking a fair amount of time to manage those patches. They moved Windows Update to Intune. The other thing that they are doing is client apps. Now I do want to talk about client apps, now it's a different kind of workload. Now if you see, Windows Update is either Config Manager or Intune, right: once you move the slider over from Config Manager, which is on the left, to Intune on the right, even if you create a software update group and send it to the device, the device is going to reject it; it says I do not accept this from Config Manager anymore. If you think about it, there are a lot of
organizations with hundreds of applications in Config Manager, and then it's just not easy for them to take all these applications and repackage them into Intune. Literally just hundreds. Okay, let's listen to Adam: how many apps have you got? Fifteen hundred to two thousand. Yes, but how many of them are literally just different versions of Adobe that you haven't removed from your environment? No, no, no, these are... no, it's more like every one of those, and if you go into, you know, flavors and versions of things, that's more apps than you have actual employees. You know enough to have a full-time person packaging applications. Yeah, his name is Adam. You do not want me packaging apps: here's a CD, enjoy. Yeah, so it's just not easy and practical for a lot of organizations to take the client apps and say I'm going to move this slider over to Intune and I'm going to manage the apps from Intune; that's not possible. So Microsoft did hear that, and the way that they designed client apps is they said you can move the slider over to Intune; what it's only going to do is open the door for the MDM agent to get the application. However, it's not going to close the Config Manager agent itself from getting the application. So all the new applications you can create in Intune and you can deploy from Intune; the existing applications you can just continue to deploy from Config Manager. And then there was another question that says, okay, I do have the same application now in Intune and Config Manager because some of the devices are managed and the others are not co-managed. No, that's completely fine. You can try to deploy the same app from Config Manager and Intune. The way it's going to work: the first agent that pulls the policy, either the management extension or the Config Manager agent, is going to accept the policy and say hey, I need to install, let's say, Adobe, and says okay, that's fine, it's not installed based on the detection logic, and installs it successfully. The second
agent, let's say the MDM agent in this case, says hi, I need to install Adobe, which is exactly the same, and still says I would want to... I'll try to install it, but the detection agent, sorry, the detection logic says it's already installed, so it only sends a state message back to Intune saying that the app is installed. Here there is literally like a game between the Intune team and the Config Manager team, where they're not talking to each other, to see who can get the applications installed on more devices. Yeah, that would be good, that's a good one, we should probably do that, that would be good. Yeah, cool. And not only that, when you move the application... so you can take a gradual approach: you have the staging collection for every workload and you can choose to test a workload on only a subset of devices, which could be very different from the testing of another workload. So you can test Windows Update policies for some machines, and on completely other machines you can test the endpoint protection policies. So you know, Ravi, the thing I've done with all of mine is, if you go back to the slide, so I've slid all of my sliders to Pilot and then I've created a corresponding collection for each of the pilot workloads, and then I've created another collection that's an "all" collection, and then I've included the "all" collection into each of those workload collections. So if I want to put... assign all the policies to a device, I put it in "all" and it gets added to each of the sub-collections, or I can individually add a device into each of the workload collections as needed. So if I just want to pilot this user with Windows Update but I want to do this user with all, I can. You know, it gives me the granularity to do all of those things while still not having to keep moving the sliders back and forth and everything. So yeah, works great. Yep, that's one good way of doing it,
definitely, Adam. And I'm not sure if you have noticed it, so if you do that, if you take a pilot collection and gradually keep on increasing it, or you take a pilot collection and you add more than a thousand devices to the pilot collection, it gives you a warning. A lot of times the thinking is that you cannot have more than a thousand devices in a pilot collection; that's not true. Any time you add more than a thousand devices to any of the workloads' pilot collections it tells you, saying hey, you're adding more than a thousand devices to a pilot collection, are you really sure this is a pilot collection? Is this really still a pilot? Yeah, yeah, deploying this to production one computer at a time. Yeah, yeah. So Microsoft has demonstrated... sorry, you had something else, Adam? Yeah, just one additional thing, back on the client apps workload. So one of the great features, I believe it's now 2010 and forward in Config Manager, is the client settings, maybe it's 2006: there's a client settings option that allows you to choose which software center wins. So if you deploy Company Portal to your Config Manager managed devices, Company Portal natively will now automatically show all of your Config Manager apps in Company Portal and all of your Intune apps, which is amazing. But then you also now have the extra benefit of being able to say that you want Software Center or Company Portal to win as the, you know, the preferred provider. And so we were testing the other day, and so if I got a toast notification that says you've got a new app to install, and I've got Company Portal set as my primary user portal and I click on the toast notification, it'll pop open whichever one you selected as your primary portal. It doesn't get rid of Software Center, it still exists and it still functions, but as you move... like our plan is, once we add the application to Intune and we've got the workload slid, then we will remove the app from Config Manager
and so hopefully not double dip and confuse users there. But if you're keeping them in both places for whatever reason, great, you can still use Software Center or you can see everything all up in Company Portal as well. Some of the verbiage has changed on actual applications as well: if you go to make an application, you used to have "show it as a featured application in Software Center"; the verbiage has now changed to Company Portal. Oh wow, that's neat. Yeah, so you'll notice that if you go do that. Correct, so that's a very good point, Adam, and I've been reached out to by customers I work with saying hey, how do I make Company Portal... read somewhere, heard somewhere Company Portal can now be the primary end user portal, and this is how you do it. It's on the screen: so go into Administration, Client Settings, create a new client settings, or if you would prefer to do it on a smaller collection, go into Software Center, and then this gives you a drop-down menu to say whether you want to do Company Portal or Software Center. Yeah, you could even deploy that custom client settings policy to your pilot collection for your client apps, right? It's a very good way of doing it. Adam's very excited by this technology. Yeah, okay, who is it? This is amazing, it's great. No, I'm excited, it's awesome. Yeah, you're excited, whatever. So is he excited about Intune in general or is he just excited that Config Manager can be attached to Intune now? Adam's excited on the Config Manager and Intune; I'm excited on the Intune part. One other thing with that too: Company Portal isn't a requirement to do that for required too? It's only for available assignments that you need that, is that correct? Yes, you're right. Yeah, does it automatically install it or do I still need to grab it from the Store? Yeah, they will go directly; without having Company Portal installed, it will grab it from the Store. Right, yep. So Adam, you should have called me earlier, before you waited too long. I was... I
wasn't aware you're super excited about this. Well see, unlike Steve, I still have to live in this world, and so I'm going to keep using all the available tools until I don't have to be in this world and all of these things. My life will be rebuilt on Intune only. How is Adam going to use the admin server? What fantasy world do you live in, Stephen, that you don't understand this is a complex move here, and just do it overnight? What could go wrong? You know, exactly, just do it all, just do it all. Right, just randomly like pick a day and just slide everything across and then also set up your Autopilot profile for AAD join and then move forward, done. Yeah, I reckon we could do a really good video on that one, Adam. Yeah, how fast can I get fired? [Laughter] Okay, so this is again a Microsoft slide that has been presented multiple times on multiple occasions. This just gives an animated view of how the workload transition works, right? So this is co-management before the workload transition. So you can think about any policy except for the client apps workload: an app, a policy goes from the Config Manager agent and goes successfully because the default workload is, it's owned by Config Manager. And you create a similar policy, let's say device configuration, resource access or any policy, and once it comes, the MDM agent says I can't accept it, because I'm sorry, it's coming through MDM, it wouldn't be accepted because the authority is with Config Manager. So you go to the console and you take the slider and you move it over to Intune. Now just bear in mind you haven't deleted the policy in the Config Manager console; that's completely fine. The policy that was rejected by Windows 10 is now accepted from the MDM agent; however, the same policy from the Config Manager agent is rejected. So again, what I want to talk about is, like, once you move the slider you don't really have to worry about deleting the policies; the agent takes care of it. All the logic of which authority owns the workload is all
in WMI. There are ways, I could show you, to go and dig into WMI and see where exactly the workload resides. That's for troubleshooting, and sometimes for fun you can do that. Okay, so this is what it is actually; I haven't removed it. Hey, hey, there you go, excellent. So there are workload values: if you're going to add from 1, 2, up to 128, it's going to be 255, and that's the reason in my lab you can see 255. Depending on the workload that you have moved from left to right, you just add the numbers up and it's going to show you that. And not only that, I've done a small demo as well, so you can see I've added from 1 to 64 and the capability comes as 239. Oh, and I'm going to link to another blog from Cody Mathis, who works for Patch My PC, over on the SCCMF12Twice blog. He wrote a nice PowerShell script to convert the number to the appropriate workloads, so if you just see the number you can just run it through the script and magically get that number. That's very good, I think that's really good. But there are easy ways to do that as well. Oh, okay, sorry Cody, sorry Cody, we're not going to link it then, forget it. So once the devices are co-managed, again go into the console, you can see that... there's a method, a function in WMI that you can use to see which workload is owned by what as well. So you can just create a simple PowerShell script too and run this method in WMI, and it tells you exactly which workloads are owned on that device. Right, for whatever reason the policy didn't get applied, the policy didn't reach because there was an issue with the collection membership, the membership query or something else; this is just for troubleshooting. So you connect to this, you open the class and you run the method and it gives you the value of it. That's another way of doing it. So yes, that's one way of doing it, just checking the value. Another way is to really look into, like, if you want to
do it on the client, you can just get these directly from WMI. Again, we're talking about Config Manager, there are logs for these; there are different logs for each agent, a workload, and that tells you the workload being owned by Intune or Config Manager. This is again what I was saying: every 24 hours the MDM agent is also going to check the health of the Config Manager agent and send the report back up to Intune, so you can see if the client is healthy or not. And then this information, a lot of information, is also sent to Config Manager, so you go into Monitoring, go into Co-management, and it tells you the number of devices that are co-managed, the number of eligible devices. So okay, we do want to talk about this. So the number of eligible devices are the devices where co-management is enabled, so in my case I had six devices, and scheduled devices, sorry, this is where I have enabled it and the policy has reached five devices, as in a task has been created in Task Scheduler. Enrollment initiated is yes, the device was hybrid Azure AD joined so it initiated it, and successfully enrolled into Intune. This says that, and at the bottom you can see the workloads, how many devices have which workload enabled. Let's do that in the console, let's see what I see in my lab. So if I go into Monitoring, I actually look at two places I should say: I look at Cloud Management. Cloud Management talks more about the identity side, the operating system side. So let's have a look at it first. So you can see Azure AD; it says these are the Azure AD, how many users are Azure AD users, hybrid Azure AD users, on-prem users. So you can say I'm on all the devices that are either hybrid Azure AD joined or Azure AD only; I don't have any on-prem Azure AD devices. So let me bring it down, Azure AD devices. So it gives you an idea; this is where to start with, like if you have devices which are not hybrid Azure AD joined you can see that,
if there are issues you're going to see that; the CMG as well, you're going to see that. Co-management: it tells you the number of devices which are eligible or not eligible. So I don't have any Windows 7; I used to have, just to show this, I used to have some Windows 7 devices in here, which have now been removed because it's not supported anymore by Microsoft; Windows 10 which is lower than 1709, so these are not eligible. And then these are the eligible ones; in my lab I've got 11 devices, all of them are eligible. Out of all those eligible devices you can see I've been able to... management online and enrollment initiated online, eight. So this has probably just not updated, because you remember that device that I've just enrolled; this is what that device is. So can you double-click on these, can you drill through? I know sometimes the reports allow you to do that and sometimes they don't. So not on all. So as you saw... okay, I probably think I've been too quick. So over here you can see that there are the thumbnails, right? So you can click on this. So you want to see how many successful Azure AD joined devices; you can click that and you can see these other devices. So it creates a temporary query; this is not a report, it's going to go away once you close and open the console. So you can go into the other ones too. Just one quirk I would say. Gotcha. So I expect all the thumbnails to work, like if there is a thumbnail. So there are two ways, right? If it doesn't come up with the thumbnail, I know it's not clickable, right? I can't just click on these. But if there is a thumbnail, I can click on this and it can show me that. That doesn't happen every time. From what I've heard, it's known within Microsoft and it's going to work. Yeah, so if you, like for an example, Cloud Management, I'm clicking and it doesn't come up. So it's not you, it's everyone. Okay, if you do feel that, so there's a thumbnail but it... you do get information in the Config Manager console. Cool. Okay, some of the common
failures: let's say SCCM full admin needs permission in all scopes. That is, the user who's logged into the Config Manager console has to be a full admin and has to have permission in all scopes. You can be a full admin and not have permission in all scopes; that's possible, and that's going to create a failure. I have seen proxy and network configuration causing issues and blocking the authentication process. Just bear in mind the Config Manager console uses the IE configuration at the back end, so whatever proxy you have configured for IE is going to be used by the Config Manager console when you right-click and run through the wizard. Intune license for admin: if you're an Intune admin, again, you need to use a global admin or an Intune administrator role; you need to be at least an Intune administrator role, at least for co-management only, and a global administrator for co-management and tenant attach. Now that brings me to the very, very end of what I wanted to talk about, but I do want to talk about two things. One that Jake brought up and Adam brought up again, that we said we're going to talk about but we skipped through it. And another thing that I want to do is, for fun, a count of how many clicks it takes to enable co-management, and I also want to do a demo of how easy it is to enable co-management, just on the server side at least. Okay, so Jake, what you said about CMG being needed for Azure AD joined devices, right? Yeah, I believe that if you have an Azure AD joined device only, so not hybrid joined, not domain joined at all, if you want to use the Config Manager side of things still, you need a CMG. At least that's what I've always been led to believe. That shouldn't be the case. Okay, so let's talk about how things work at the back end. So when the devices are hybrid Azure AD joined, okay, for Intune the source of authority, the trust, is Azure Active Directory; for on-prem it is... sorry, AD.
So if you think, in a way you're right that if a device is Azure AD joined, if it reaches out to Config Manager... Config Manager, similar to Intune, needs a token, a Kerberos token; Config Manager relies on a Kerberos token from an authority it trusts, and it's going to be on-prem AD. So if you're using PKI for MP and other things, you don't need to be, because then PKI becomes a trusted authority for MP. Well, I think the situation comes into: your Azure AD device would need to be on the... it would have to have line of sight to your on-premises infrastructure to function. So I guess the clarification is an internet-only Azure AD joined device needs to see CMG, otherwise it doesn't. That makes complete sense and it is 100% correct, because once a device is on the internet it can only speak to CMG to be able to install the Config Manager client or be able to get the policies. So correct, you do need... internet-only clients need CMG for complete co-management, otherwise they will never receive any kind of policies and never send information back to Config Manager. And that's actually the important part: regardless of hybrid or AD only or Azure AD only, it's internet devices that need the CMG to do correct co-management. Correct, right, that's one thing. Now, who's going to do the count? It depends where we start counting. Yeah, so I hope Brad's not there anymore; nobody's promoting workflows anymore, correct? But for the fun of it, let's do that. So let's see, and also Problem Steps Recorder, because it will take... yeah, it saves everybody quite a bit of counting. Yeah, but I'll let Steve count. Okay, don't trust this guy to count; I don't trust this guy, actually we should ask either Jake or Adam. I'll count up here. All right, cool, so to get a true count you've got to close the console. Oh see, I was doing it when you're actually in the wizard again. Where do you start the counting is the thing. Okay, so one,
two, three. Does a right-click count? I counted it, like, at this window, but hey, we'll go with the two. So it's probably going to be ten. Three. Now you could technically have tabbed right here; we could have done that all along. All the clicks. Okay, you'd better hit Enter after the password here too. Okay, so what I'm also doing is... okay, let me see if I remember the password. Yep. Then there is Next. So in the next one we're going to talk about tenant attach, so we're not going to count this as a click, all right, but I disable tenant attach and automatically enable. I do, and those technically did not exist at the time when this was originally... So do it for the pilot collection; is that considered a click if it's on by default? Isn't it? No, it's by default; it is this, so you definitely don't want All. All right, we'll go ahead and count that as one. Yeah, I was bold and I did All in mine. So Browse, okay. So Next. Workloads: I want to keep it default. Next. I don't want to change anything now because I haven't changed workloads. Next, and Next, and Complete. It's 10.
11 with the Complete, but yeah, okay, cool. I don't know how many of the audience got it right, but it actually takes 11 clicks, if you count it the way Jake did, we did, to enable co-management in the console. I mean, this is great stuff. I mean, I think our audience, I know, has been asking for quite a while and we just keep telling them no, for this type of content. Steve, as you've seen us argue over this, he seems to think that no one is in a state where they might need to, you know, migrate from on-prem to the cloud; it's just cloud only, and his head is also in that same cloud, apparently. So, oh yeah, it was eleven clicks. Usually this stuff is great, so I mean I'm very excited about it, and hopefully other folks will benefit from digging through this if they haven't already started down this path in their environments. And we definitely want to have you back on to cover tenant attach, because these are all the keys to helping you get your on-premises infrastructure into a more cloud-centric state. Like we've said at the beginning, you don't have to fully migrate, you don't have to move all the way there, contrary to what Steve keeps saying, but it is absolutely possible to fully move to the cloud, and these tools will help you get there. Well, thanks again, Ravi, for stopping by, and I would definitely love to have you back on. So guys, you got anything else? No, I don't think so. All right, excellent, well we're going to call this one done and we will see you next time. Hi everyone, hope you find this useful.
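Decoding the co-management workload number that Ravi reads out of WMI in the discussion above (adding the values 1 through 128 to get 255), as an added example that is not code from the video and not the Cody Mathis script mentioned in it. The bit-to-workload names follow the mapping Microsoft documents for the co-management workload flags and are assumed correct here; the registry location used to read the value from a client is also an assumption.

```powershell
# Added example, not from the video: decode a Config Manager co-management
# workload flags value (the number shown in the console or in WMI).
# The bit-to-workload names follow the mapping Microsoft documents for the
# co-management workload flags; treat the table as an assumption and confirm
# it against the documentation for your Config Manager build.
$CoMgmtWorkloads = @{
    1   = 'Co-management configured'
    2   = 'Compliance policies'
    4   = 'Resource access policies'
    8   = 'Device configuration'
    16  = 'Windows Update policies'
    32  = 'Endpoint Protection'
    64  = 'Client apps'
    128 = 'Office Click-to-Run apps'
}

function ConvertFrom-CoMgmtWorkloadFlags {
    [CmdletBinding()]
    param(
        # The flags value to decode, for example 255 or 239 from Ravi's lab
        [Parameter(Mandatory, ValueFromPipeline)]
        [int]$Flags
    )
    process {
        foreach ($bit in ($CoMgmtWorkloads.Keys | Sort-Object)) {
            [pscustomobject]@{
                Flags    = $Flags
                Bit      = $bit
                Workload = $CoMgmtWorkloads[$bit]
                # Bitwise AND: a set bit means that workload is moved to Intune
                Intune   = [bool]($Flags -band $bit)
            }
        }
    }
}

# Constructed inputs: the two numbers mentioned in the discussion
255, 239 | ConvertFrom-CoMgmtWorkloadFlags | Format-Table -AutoSize

# Assumption: on a co-managed client the same value is stored in the registry
# under HKLM:\SOFTWARE\Microsoft\CCM as CoManagementFlags. Uncomment to decode
# the local device instead of the constructed values above.
# Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags |
#     ConvertFrom-CoMgmtWorkloadFlags
```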
Info
Channel: Intune Training
Views: 3,514
Keywords: Microsoft, Intune, Training, Azure, AAD, MEM, MSIntune, Microsoft Endpoint Management, MEMIntune, ConfigMgr, SCCM, Co-Management, Cloud Value, Cloud Attach
Id: QmQndKhPurw
Length: 102min 31sec (6151 seconds)
Published: Mon May 24 2021