You don't have to switch the workloads, or you can do them individually when you're ready. Configuration Manager continues to manage all other workloads, including those workloads that you don't switch to Intune, and all other features of Configuration Manager that co-management doesn't support.
If you switch a workload to Intune, but later change your mind, you can switch it back to Configuration Manager.
Co-management supports the following workloads:
Compliance policies define the rules and settings that a device must comply with to be considered compliant by conditional access policies. Also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access. Beginning in Configuration Manager version 1910, you can add evaluation of custom configuration baselines as a compliance policy assessment rule. For more information, see Include custom configuration baselines as part of compliance policy assessment.
For more information on the Intune feature, see Device compliance policies.
Windows Update policies
Windows Update for Business policies let you configure deferral policies for Windows 10 feature updates or quality updates for Windows 10 devices managed directly by Windows Update for Business.
For more information on the Intune feature, see Configure Windows Update for Business deferral policies.
Resource access policies
Resource access policies configure VPN, Wi-Fi, email, and certificate settings on devices.
For more information on the Intune feature, see Deploy resource access profiles.
The resource access workload is also part of device configuration. These policies are managed by Intune when you switch the Device Configuration workload.
The Endpoint Protection workload includes the Windows Defender suite of antimalware protection features:
- Windows Defender Antimalware
- Windows Defender Application Guard
- Windows Defender Firewall
- Windows Defender SmartScreen
- Windows Encryption
- Windows Defender Exploit Guard
- Windows Defender Application Control
- Windows Defender Security Center
- Windows Defender Advanced Threat Protection (now known as Microsoft Defender Threat Protection)
- Windows Information Protection
For more information on the Intune feature, see Endpoint Protection for Microsoft Intune.
When you switch this workload, the Configuration Manager policies stay on the device until the Intune policies overwrite them. This behavior makes sure that the device still has protection policies during the transition.
The Endpoint Protection workload is also part of device configuration. The same behavior applies when you switch the Device Configuration workload.
The device configuration workload includes settings that you manage for devices in your organization. Switching this workload also moves the Resource Access and Endpoint Protection workloads.
You can still deploy settings from Configuration Manager to co-managed devices even though Intune is the device configuration authority. This exception might be used to configure settings that your organization requires but aren't yet available in Intune. Specify this exception on a Configuration Manager configuration baseline. Enable the option to Always apply this baseline even for co-managed clients when creating the baseline. You can change it later on the General tab of the properties of an existing baseline.
For more information on the Intune feature, see Create a device profile in Microsoft Intune.
Office Click-to-Run apps
This workload manages Office 365 apps on co-managed devices.
After moving the workload, the app shows up in the Company Portal on the device
Office updates may take around 24 hours to show up on client unless the devices are restarted
There's a new global condition, Are Office 365 applications managed by Intune on the device. This condition is added by default as a requirement to new Office 365 applications. When you transition this workload, co-managed clients don't meet the requirement on the application. Then they don't install Office 365 deployed via Configuration Manager.
For more information on the Intune feature, see Assign Office 365 apps to Windows 10 devices with Microsoft Intune.
Use Intune to manage client apps and PowerShell scripts on co-managed Windows 10 devices. After you transition this workload, any available apps deployed from Intune are available in the Company Portal. Apps that you deploy from Configuration Manager are available in Software Center.
For more information on the Intune feature, see What is Microsoft Intune app management?.
The client apps workload is a pre-release feature. To enable it, see Pre-release features. This feature may appear in the list of features as Mobile apps for co-managed devices.
Starting in version 1910, when you enable Microsoft Connected Cache on your Configuration Manager distribution points, they can now serve Microsoft Intune Win32 apps to co-managed clients. For more information, see Microsoft Connected Cache in Configuration Manager.
Diagram for app workloads