Frequently asked questions about resource access deprecation

Applies to: Configuration Manager (current branch)

Starting in Configuration Manager version 2103, the following company resource access features are deprecated:

  • Certificate profiles, including the certificate registration point site system role
  • VPN profiles
  • Wi-Fi profiles
  • Windows Hello for Business settings
  • Email profiles
  • The co-management resource access workload

This article answers your frequently asked questions about these deprecated features.

When will these features be removed from Configuration Manager?

Starting in version 2203, these features will still be in Configuration Manager, but no longer tested or supported. When you upgrade to version 2203, the prerequisite checker will display a warning.

These features will be removed in version 2207.

If I'm still using these features, can I upgrade to version 2207?

No. If the site has any of these policies, the 2207 prerequisite checker will stop with an error. Before you upgrade to version 2207, replace the functionality of these features and remove the policies from the site.

If the site has the certificate registration point site system role, you also need to remove it. For more information, see Remove a site system role.

What functionality is available to replace these features?

Use Microsoft Intune to deploy resource access profiles. For more information, see Apply features and settings on your devices using device profiles in Microsoft Intune.

Use co-management to enroll Configuration Manager clients to Intune.

What do I do if I'm deploying wi-fi profiles with Configuration Manager?

Before you upgrade to Configuration Manager version 2203, enable co-management, and deploy the same wi-fi profiles with Intune. For more information, see Add and use Wi-Fi settings on your devices in Microsoft Intune. If you don't take action, the existing wi-fi profiles will persist on devices but are unmanaged.

What happens if I don't enable co-management?

If you currently use these features, they're not tested or supported in version 2203. When you upgrade to version 2207, they'll cause error prerequisite checks. You can't deploy any wi-fi, VPN, Windows Hello for Business, or certificate (SCEP, PFX, or root CA) profiles to Configuration Manager clients. Any existing deployed profiles won't be removed from devices, and will continue to function. These existing profiles will be unmanaged. For example, When a certificate expires, Configuration Manager won't renew it.

What happens if I've enabled co-management, but haven't switched the resource access workload?

Starting in version 2207, co-managed clients will get their policy for this workload from the Intune management authority. This behavior is the same as if you used Configuration Manager version 2111 or earlier to switch the resource access workload to Intune.

What alternative options are available?

Configuration Manager version 2111 fully supports these features and is supported until June 2023. For more information, see Supported versions.