Like the last couple of weeks, this week is also about co-management. This week is all about another nice detail that can be really useful in specific use cases: the ability to always apply a configuration baseline to co-managed devices, even when the Device configuration workload is switched from Configuration Manager to Microsoft Intune. That can be useful for configurations that are not yet available via Microsoft Intune, or for compliance checks that need to be performed and consolidated in one location. In this post I’ll provide a short introduction to the different configuration options, followed by the steps to apply a configuration baseline to co-managed devices when the workload is switched to Microsoft Intune. I’ll end this post with the end results.
When looking at the evaluation of baselines, co-management provides the administrator with 3 different configuration options (of which the third option is the main subject of this post):
- Apply Configuration Baselines via Configuration Manager when the Device configuration workload is set to Configuration Manager
- Apply Device configuration profiles via Microsoft Intune when the Device configuration workload is set to Microsoft Intune
- Apply Configuration Baselines via Configuration Manager as an exception to Device configuration profiles via Microsoft Intune when the Device configuration workload is set to Microsoft Intune
Let’s start by having a look at the configuration. I’ll do that by going through an example that will create a baseline to verify the update compliance of co-managed devices. That will provide an easy method to verify compliance and consolidate the results. Below are 4 steps that walk through the process.
Note: The setting “Always apply this baseline even for co-managed clients” in the baseline, as mentioned in step 3a, can be used to make sure that the baseline is always applied on co-managed devices.
Now let’s continue by having a look at the results on a co-managed device. Below are two examples from a co-managed device. First an overview of the Configuration Manager Properties, followed by a look in the DCMAgent.log file. Both are client-side details, as the server side will provide status information similar to that of any other device.
For more information about co-managed devices and configuration baselines, please refer to this article about creating configuration baselines in System Center Configuration Manager.
4 thoughts on “Always apply baseline to co-managed devices”
Peter, as usual your blogs have proven very useful. Thanks for the info. I was working on piloting Intune and noticed the Baseline config went away. I was beginning to stress out about this, Google led me here, and now I am once again a happy Admin. Thanks!
Thank you for the kind words, Hero’sBaneAdmin!
Will changing this setting to an existing Baseline mess up anything on the existing clients that are not co-managed?
We are in a complete change freeze and I’ve just stepped into this and need to apply this setting to about 150 Baselines affecting up to 280,000 devices. I know I can’t just pull the trigger and check this on every baseline and risk any type of behavior that would be noticed on any of those end users. NOTE: We only have 5 co-managed right now.
I just want to make sure that I’m not going to kick off some process or reboot request or anything that users would see before checking this one little, tiny, seemingly insignificant box.
On devices that are not co-managed, the baseline is already applied (I assume). This setting will only really impact devices that are co-managed (unless you also newly assign it to other devices).