Learn to organize your Co-Managed Windows 365 Cloud PC devices with Collections!
Remember to loop back to the main deck for Windows 365 Cloud PC Healthcare Series
A few weeks back we went over how to Deploy CM Client to Windows 365 Cloud PC Azure AD Joined (without the presence of a Cloud Management Gateway), which is directly associated with Windows 365 Management Design OPTION 2 (Windows 365 Azure AD Joined + hosted in Customer Network).
However, at that time we missed an important aspect: organizing your Windows 365 Cloud PCs in Microsoft Endpoint Configuration Manager and targeting them with Collections via Co-Management.
Since these (Cloud PC Azure AD Joined) devices don’t exist directly in your Active Directory environment, it is not as simple as targeting an OU or a Security group. It is a bit more complex, but not to worry!
We will show you how to develop multiple MECM Collections to strategically spread your Co-Management workloads for all your Windows 365 Cloud PC management needs.
Let’s begin!
Deploy Co-Management Collections for Windows 365 Cloud PC
First let’s cover each of the Collections we plan to develop. In Microsoft Endpoint Configuration Manager, you’ll need to create multiple collections to divide your Co-Management needs. We will target each collection to a different workload.
JSIFUENTES tenant
All Intune devices found in your tenant
Assets and Compliance > create collection > JSIFUENTES tenant > collection scope (All Systems)
Name the query "Look up Tenant ID devices" > show query language > query
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.AADTenantID = "4b432a61-eeab-4392-8732-409e43123456"
<<<"4b432a61-eeab-4392-8732-409e43123456" = this is your tenant ID>>>
It will find all existing devices in the Intune console
Preview the query > Run
ADJ devices (JSIFUENTES tenant)
All Azure AD Joined devices found in your tenant
Assets and Compliance > create collection > ADJ devices (JSIFUENTES tenant) > collection scope (JSIFUENTES tenant) > name the query "Look up ADJ devices in Tenant" > query
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.ResourceId not in (select ResourceID from SMS_R_System where SMS_R_System.ResourceDomainORWorkgroup = "CONTOSO")
<<<"CONTOSO" = this is your domain name NETBIOS>>>
It will find devices NOT joined to your domain, only Azure AD Joined devices
Preview the query > Run
CPC ADJ devices (JSIFUENTES tenant)
All Cloud PC Azure AD Joined devices found in your tenant
Assets and Compliance > create collection > CPC ADJ devices (JSIFUENTES tenant) > collection scope (ADJ devices (JSIFUENTES tenant)) > name the query "Look up CPC ADJ devices" > query
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.NetbiosName like "cpc%"
<<<"cpc%" = find devices name matching "cpc%", where "%" represents a wildcard>>>
It will find all Cloud PC ADJ devices in your tenant
Preview the query > Run
HDJ devices (OU=MECM)
All Hybrid Azure AD Joined devices found in an OU in your Active Directory
Assets and Compliance > create collection > HDJ devices (OU=MECM) > collection scope (All Systems) > name the query "Look up HDJ devices (OU=MECM)" > query
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.SystemOUName = "CONTOSO.COM/MECM/COMPUTERS"
<<<"CONTOSO.COM/MECM/COMPUTERS" = find devices under an OU in your AD>>>
This will be the OU location path of your Hybrid AD Joined devices in your AD
Preview the query > Run
CPC HDJ devices (OU=CLOUDPC)
All Cloud PC Hybrid Azure AD Joined devices found in an OU in your Active Directory
Assets and Compliance > create collection > CPC HDJ devices (OU=CLOUDPC) > collection scope (All Systems) > name the query "Look up CPC HDJ devices (OU=CLOUDPC)" > query
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System where SMS_R_System.SystemOUName = "CONTOSO.COM/INTUNE/CLOUDPC" and SMS_R_System.NetbiosName not like "cpc-hth%"
<<<"CONTOSO.COM/INTUNE/CLOUDPC" = find devices under an OU in your AD>>>
This will be the OU location path of your Cloud PC HDJ devices in your AD
<<<"cpc-hth%" = exclude device name matching "cpc-hth%", where "%" represents a wildcard>>>
It will exclude the Cloud PC Health Check computer objects from being scoped
Preview the query > Run
Co-Management Devices
A collection that includes the collections above, used to target Co-Management workloads
Assets and Compliance > create collection > Co-Management Devices > collection scope (All Systems) > include collections
ADJ devices (JSIFUENTES tenant)
CPC ADJ devices (JSIFUENTES tenant)
HDJ devices (OU=MECM)
CPC HDJ devices (OU=CLOUDPC)
Update Co-Management for all new Collections
Assets and Compliance > Update Membership for All new collections
Administration > Cloud Services > Cloud Attach > Co-Management properties
Scope Co-Management to the newly created collection (Co-Management Devices)
Intune > Devices > Windows > select the Co-Managed device
You will now notice that the Co-Management workloads are enabled for the Co-Managed Windows 365 Cloud PC devices
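The console steps above can also be scripted. The following is an added example, not part of the original post: it uses the ConfigurationManager PowerShell module with the collection names, rule names and queries from this page, and assumes a session already connected to the site drive. All five rules share the select list of the first four queries (WQL is not case-sensitive), and scoping Co-Management to the final collection is still done in the Co-Management properties as described above.

```powershell
# Added example. Assumes the ConfigurationManager module is imported and the
# current location is the site drive (for example "ABC:", a placeholder site code).
$tenantId = '4b432a61-eeab-4392-8732-409e43123456'   # tenant ID shown on this page
$domain   = 'CONTOSO'                                 # NetBIOS domain name shown on this page
$select   = 'select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,' +
            'SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,' +
            'SMS_R_SYSTEM.Client from SMS_R_System where '

# Collections in creation order: each limiting collection must exist before its child.
$collections = @(
    @{ Name = 'JSIFUENTES tenant'; Limit = 'All Systems'
       Rule = 'Look up Tenant ID devices'
       Filter = ('SMS_R_System.AADTenantID = "{0}"' -f $tenantId) }
    @{ Name = 'ADJ devices (JSIFUENTES tenant)'; Limit = 'JSIFUENTES tenant'
       Rule = 'Look up ADJ devices in Tenant'
       Filter = ('SMS_R_System.ResourceId not in (select ResourceID from SMS_R_System ' +
                 'where SMS_R_System.ResourceDomainORWorkgroup = "{0}")' -f $domain) }
    @{ Name = 'CPC ADJ devices (JSIFUENTES tenant)'; Limit = 'ADJ devices (JSIFUENTES tenant)'
       Rule = 'Look up CPC ADJ devices'
       Filter = 'SMS_R_System.NetbiosName like "cpc%"' }
    @{ Name = 'HDJ devices (OU=MECM)'; Limit = 'All Systems'
       Rule = 'Look up HDJ devices (OU=MECM)'
       Filter = 'SMS_R_System.SystemOUName = "CONTOSO.COM/MECM/COMPUTERS"' }
    @{ Name = 'CPC HDJ devices (OU=CLOUDPC)'; Limit = 'All Systems'
       Rule = 'Look up CPC HDJ devices (OU=CLOUDPC)'
       Filter = 'SMS_R_System.SystemOUName = "CONTOSO.COM/INTUNE/CLOUDPC" and ' +
                'SMS_R_System.NetbiosName not like "cpc-hth%"' }
)

foreach ($c in $collections) {
    if (Get-CMDeviceCollection -Name $c.Name) { continue }   # skip collections that already exist
    New-CMDeviceCollection -Name $c.Name -LimitingCollectionName $c.Limit | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $c.Name `
        -RuleName $c.Rule -QueryExpression ($select + $c.Filter)
}

# "Co-Management Devices" includes the four device collections (not the tenant collection).
$target = 'Co-Management Devices'
if (-not (Get-CMDeviceCollection -Name $target)) {
    New-CMDeviceCollection -Name $target -LimitingCollectionName 'All Systems' | Out-Null
    foreach ($c in ($collections | Select-Object -Skip 1)) {
        Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $target `
            -IncludeCollectionName $c.Name
    }
}

# Request a membership update for every collection, parents first.
$collections | ForEach-Object { Invoke-CMCollectionUpdate -Name $_.Name }
Invoke-CMCollectionUpdate -Name $target
```

Collection evaluation runs asynchronously on the site server, so review the resulting membership of each collection in the console before scoping Co-Management to it.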
Conclusion
We hope this brings visibility and inclusion to target your Windows 365 Cloud PC Co-Management workloads for your PC management needs. If you want to learn more about Collections in MECM, please visit the documentation below.
Create collections - Configuration Manager | Microsoft Docs
Bookmark this link for Windows 365 Cloud PC Series: https://aka.ms/HLSWindows365
Thanks for visiting – Juan Sifuentes LinkedIn