Revoked workloads

Background

Approximately a year before the pandemic started, I worked with Microsoft FastTrack to set up my organization’s Intune environment and co-management for our laptops. This went well and functioned as expected in my testing. I soon started asking my higher-ups if we could work on migrating group policies to configuration profiles and start utilizing Intune capabilities. There was no interest and Intune fell by the wayside besides me using it to deploy required apps.

Fast forward to COVID-19. No always-on VPN, no cloud management gateway, but we did have a neglected Intune environment. There was one problem: devices had their Intune workloads revoked. This was an undocumented result of Configuration Manager clients not communicating with SCCM for a while. I convinced management that cloud management gateway was much needed during these times. After our cloud management gateway was set up and working, we needed to get the co-managed clients talking to their management point again. They don’t know about the new CMG, of course, and with Intune workloads being revoked, the only function that worked in Intune was... PowerShell scripts. 😃

Solution

To get the endpoints functioning again, the Intune workloads need to be reset and the SCCM client deployed with the CCMHostname and certificates. Deploy the new SCCM app first, so the endpoint will install it right after the workloads are reset.

To reset the workloads via Intune, deploy a PowerShell script that changes the flag value in the registry and restarts Intune’s service. The value is the sum of the Intune workloads.

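# Write the summed workload value to the co-management flag
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\CCM -Name CoManagementFlags -Value 111
# Restart the Intune Management Extension service so the new value is picked up
Restart-Service IntuneManagementExtension -Force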

Current (Configuration Manager 2111 and Later)

| Capability | Workload |
| --- | --- |
| 8193 | All Workloads with SCCM |
| 2 | Compliance Policies |
| 4 | Resource access Policies |
| 8 | Device Configuration |
| 16 | Windows Updates Policies |
| 4128 | Endpoint Protection |
| 64 | Client Apps |
| 128 | Office Click-to-Run Apps |

Legacy (Configuration Manager 2107 and previous)

| Capability | Workload |
| --- | --- |
| 1 | All Workloads with SCCM |
| 2 | Compliance Policies |
| 4 | Resource access Policies |
| 8 | Device Configuration |
| 16 | Windows Updates Policies |
| 32 | Endpoint Protection |
| 64 | Client Apps |
| 128 | Office Click-to-Run Apps |

If you want to verify if the endpoint has been configured for the CMG, look in the registry for CMGFQDN under the HKLM:\Software\Microsoft\CCM key.
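
To audit what a given CoManagementFlags value actually enables, the following PowerShell decodes it against both tables above and reports CMGFQDN from the same key. It is an added example, not part of the original post; the function and variable names are hypothetical, and it assumes the value is a bit mask (which is what a sum of distinct table entries produces).

```powershell
# Added example, not from the original post. Flag/name pairs are copied from the
# two tables on this page; function and variable names are hypothetical.
$WorkloadTables = @{
    # Configuration Manager 2111 and later
    Current = @{
        8193 = 'All Workloads with SCCM';  2    = 'Compliance Policies'
        4    = 'Resource access Policies'; 8    = 'Device Configuration'
        16   = 'Windows Updates Policies'; 4128 = 'Endpoint Protection'
        64   = 'Client Apps';              128  = 'Office Click-to-Run Apps'
    }
    # Configuration Manager 2107 and previous
    Legacy = @{
        1  = 'All Workloads with SCCM';  2   = 'Compliance Policies'
        4  = 'Resource access Policies'; 8   = 'Device Configuration'
        16 = 'Windows Updates Policies'; 32  = 'Endpoint Protection'
        64 = 'Client Apps';              128 = 'Office Click-to-Run Apps'
    }
}

function ConvertFrom-CoManagementFlags {
    param(
        [Parameter(Mandatory)][int]$Value,
        [ValidateSet('Current', 'Legacy')][string]$Table = 'Current'
    )
    $map = $WorkloadTables[$Table]
    $known = 0
    # Assumption: the value is a bit mask, so a workload counts as enabled only
    # when every bit of its table entry is present in the value.
    $names = foreach ($flag in ($map.Keys | Sort-Object)) {
        if (($Value -band $flag) -eq $flag) { $known = $known -bor $flag; $map[$flag] }
    }
    [pscustomobject]@{
        Value     = $Value
        Table     = $Table
        Workloads = @($names)
        Unmapped  = $Value -band (-bnot $known)  # bits the chosen table does not list
    }
}

# Constructed sample input: the value 111 from the post's script, read against each table.
'Current', 'Legacy' | ForEach-Object { ConvertFrom-CoManagementFlags -Value 111 -Table $_ }

# On an endpoint: decode the live value and show whether CMGFQDN is present.
$key = 'HKLM:\SOFTWARE\Microsoft\CCM'
if (Test-Path $key) {
    $ccm = Get-ItemProperty -Path $key
    if ($null -ne $ccm.CoManagementFlags) { ConvertFrom-CoManagementFlags -Value $ccm.CoManagementFlags }
    "CMGFQDN: $(if ($ccm.CMGFQDN) { $ccm.CMGFQDN } else { '<not set>' })"
}
```

A non-zero Unmapped field means the value carries bits that the selected table does not list, so compare the output for both tables before deploying a new flag value.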