Your organization may be interested to block access to corporate resources (Like E-Mail, SharePoint, etc.) based on Software Updates compliance of the device.
What does it mean for the end user? Simply put, they should have the most recent patches installed on their devices. This eventually helps organizations to meet/increase their compliance goals they have set as the end-users of those non-compliant devices will contact the helpdesk to access corporate resources by remediating their devices.
Organizations today are looking for an integrated endpoint management platform which can ensure all devices whether owned by the business or personally owned stay secure, are managed and always up to date.
This demands the most secure desktop and mobile experiences without compromising user flexibility. Configuration Manager Co-Management opens the gateway to interconnect the investments made on-premise while attaching it with the power of modern cloud-based solutions like Microsoft 365 & unlock its full potential.
A co-managed device gives you the flexibility to use the solution that works best for your organization by allowing it to be managed concurrently with both Configuration Manager and Intune.
In this scenario, you continue to use ConfigMgr for deploying Software Updates however you use Intune to validate the Compliance of the Device and eventually use Conditional Access to block access to Corporate Resources depending on the compliance of the device.
Here’s a high-level view:
Enable Co-Management & move Compliance policies workload to Intune.
Create and deploy a ConfigMgr Compliance Policy.
Create and deploy an Intune Compliance Policy
(Optional) – Create a Conditional Access policy to block access to corporate resources.
You must have Co-Management configured with the Compliance policies Slider moved to Intune/Pilot.